Security

GLM-5.2 narrows cyber gap to four to seven months

3 min read
A security analyst in front of monitors with network attack simulation and comparison charts of the AI models GLM-5.2, DeepSeek, and Claude Opus in a security operations center at night. Image generated with GPT Image 2
A security analyst in front of monitors with network attack simulation and comparison charts of the AI models GLM-5.2, DeepSeek, and Claude Opus in a security operations center at night.

TL;DR Too Long; Didn’t read

An analysis by the AI Security Institute from July 17, 2026 shows: Chinese open-weight systems like GLM-5.2 and DeepSeek V4-Pro are closing the gap in attack capabilities against proprietary top models. The gap shrank within a year from six-to-ten months to four-to-seven months. An independent benchmark by Semgrep confirmed the trend already in June.

Key takeaways

  • AISI tested GLM-5.2 and DeepSeek V4-Pro against Claude Opus 4.6, Opus 4.5, GPT-5.3-Codex, Mythos Preview, and GPT-5.5.
  • In 70 narrow cyber tasks, GLM-5.2 achieved results comparable to Opus 4.6 across all four difficulty levels.
  • GLM-5.2 solved tasks for $6.12, DeepSeek V4-Pro for $0.28 – Opus 4.6 cost $15.17 per task.
  • Semgrep's own benchmark confirmed in June: GLM-5.2 outperformed Claude Opus 4.6 in detecting code vulnerabilities.
  • Open models run locally on their own hardware, completely without the usage restrictions of hosted provider models.
  • The cyber ranges test 'The Last Ones' simulated attacks with 32 consecutive steps on corporate networks.

The British AI Security Institute (AISI) has compared open AI models in a new analysis with the cyber capabilities of leading systems such as Claude Opus 4.6. The analysis published on July 17 shows: models like GLM-5.2 and DeepSeek V4-Pro are now only four to seven months behind the frontier in attack tasks. In 2025, the gap was still six to ten months.

Two Testing Methods Measure Attack Capabilities

For the investigation, AISI used two methods. On one hand, the researchers examined 70 narrowly defined cyber tasks at four difficulty levels, from technical basics to expert level – including vulnerability analysis, reverse engineering, and cryptography. On the other hand, the institute employed so-called cyber ranges: simulated corporate networks in which the models had to independently plan and execute multi-stage attacks, entirely without human intermediaries. In the scenario “The Last Ones,” a complete attack consisted of 32 consecutive steps, from initial reconnaissance of the target network to the final compromise.

Several closed top models served as benchmarks: Anthropic’s Opus 4.6 from February 2026 and Opus 4.5 from November 2025, as well as GPT-5.3-Codex, Mythos Preview, and GPT-5.5. The open models GLM-5.2 from Chinese provider Zhipu AI and DeepSeek V4-Pro competed against these reference systems. GLM-5.2 launched in June 2026 with 753 billion parameters and a context window of one million tokens. DeepSeek V4-Pro is, according to the company’s own announcement, a mixture-of-experts model with 1.6 trillion total and 49 billion active parameters.

GLM-5.2 Reaches Opus Level at a Fraction of the Cost

In the 70 narrow cyber tasks, GLM-5.2 achieved results comparable to Opus 4.6 across all four difficulty levels, according to the AISI analysis. Significant differences emerged in the cost per solved task: Opus 4.6 averaged $15.17, GLM-5.2 came in at $6.12, and DeepSeek V4-Pro at just $0.28. Open models thus reach a similar attack level at a fraction of the cost. They also run locally, without the safeguards and usage policies that providers like Anthropic or OpenAI attach to their hosted models. Once a model weight has been downloaded, it can run on private hardware, free of any provider lockout on abusive requests.

The current cyber finding fits into the institute’s broader Frontier AI Trends Report, which evaluates two years of tests across more than 30 top systems. Across all areas examined, the gap between open and closed models now stands at roughly four to eight months, it states.

Independent Security Test Confirms the Trend

A similar result came in late June from security company Semgrep, which builds code scanners for enterprises, in its own benchmark. For the comparison, the researchers held the dataset, evaluation metric, and system prompt constant, varying only the model and its toolset. The test measured detection of IDOR vulnerabilities (insecure direct object references), which can expose other users’ data. GLM-5.2 scored an F1 value of 39 percent, ahead of Claude Opus 4.6 at 37 percent and older Opus versions at 28 percent. The open model ran with nothing but a simple prompt and the codebase. It did not get the extra tooling that powers Semgrep’s own multimodal pipeline built on GPT-5.5, which reached a top score of 61 percent. Semgrep put the cost per vulnerability found at roughly $0.17 – about one-sixth of what comparable top models cost. The researchers noted that the open model reached this result entirely without the endpoint discovery that Semgrep’s own pipeline additionally provides. That produced a direct comparison of raw model capability, independent of the surrounding toolchain.

What will matter is whether providers of open models like Zhipu AI and DeepSeek subject their systems to their own security tests before release in the future. So far, that task largely falls to external institutions like AISI. Both companies continue to publish their model weights freely, without third parties checking in advance how easily the systems can be repurposed for attacks.

Frequently asked questions

What is the AI Security Institute (AISI)?

The AISI is a British government agency in the Department for Science, Innovation and Technology (DSIT) that has been conducting independent security tests on advanced AI systems since 2023.

Which models were compared in the study?

The open models GLM-5.2 from Zhipu AI and DeepSeek V4-Pro were tested against the closed systems Claude Opus 4.6, Opus 4.5, GPT-5.3-Codex, Mythos Preview, and GPT-5.5.

Why is the shrinking gap in cyber capabilities relevant?

Open models can be operated locally without manufacturer usage restrictions, thereby lowering technical barriers for automated attacks.

Do other studies confirm the AISI finding?

Yes, the security company Semgrep reached a similar result for GLM-5.2 compared to Claude models in its own benchmark in June 2026.

What does using the tested models cost in comparison?

According to AISI, solving a task with Opus 4.6 cost an average of $15.17, with GLM-5.2 $6.12, and with DeepSeek V4-Pro only $0.28.


← Back to the blog