The British AI Security Institute (AISI) has compared open AI models in a new analysis with the cyber capabilities of leading systems such as Claude Opus 4.6. The analysis published on July 17 shows: models like GLM-5.2 and DeepSeek V4-Pro are now only four to seven months behind the frontier in attack tasks. In 2025, the gap was still six to ten months.
Two Testing Methods Measure Attack Capabilities
For the investigation, AISI used two methods. On one hand, the researchers examined 70 narrowly defined cyber tasks at four difficulty levels, from technical basics to expert level – including vulnerability analysis, reverse engineering, and cryptography. On the other hand, the institute employed so-called cyber ranges: simulated corporate networks in which the models had to independently plan and execute multi-stage attacks, entirely without human intermediaries. In the scenario “The Last Ones,” a complete attack consisted of 32 consecutive steps, from initial reconnaissance of the target network to the final compromise.
Several closed top models served as benchmarks: Anthropic’s Opus 4.6 from February 2026 and Opus 4.5 from November 2025, as well as GPT-5.3-Codex, Mythos Preview, and GPT-5.5. The open models GLM-5.2 from Chinese provider Zhipu AI and DeepSeek V4-Pro competed against these reference systems. GLM-5.2 launched in June 2026 with 753 billion parameters and a context window of one million tokens. DeepSeek V4-Pro is, according to the company’s own announcement, a mixture-of-experts model with 1.6 trillion total and 49 billion active parameters.
GLM-5.2 Reaches Opus Level at a Fraction of the Cost
In the 70 narrow cyber tasks, GLM-5.2 achieved results comparable to Opus 4.6 across all four difficulty levels, according to the AISI analysis. Significant differences emerged in the cost per solved task: Opus 4.6 averaged $15.17, GLM-5.2 came in at $6.12, and DeepSeek V4-Pro at just $0.28. Open models thus reach a similar attack level at a fraction of the cost. They also run locally, without the safeguards and usage policies that providers like Anthropic or OpenAI attach to their hosted models. Once a model weight has been downloaded, it can run on private hardware, free of any provider lockout on abusive requests.
The current cyber finding fits into the institute’s broader Frontier AI Trends Report, which evaluates two years of tests across more than 30 top systems. Across all areas examined, the gap between open and closed models now stands at roughly four to eight months, it states.
Independent Security Test Confirms the Trend
A similar result came in late June from security company Semgrep, which builds code scanners for enterprises, in its own benchmark. For the comparison, the researchers held the dataset, evaluation metric, and system prompt constant, varying only the model and its toolset. The test measured detection of IDOR vulnerabilities (insecure direct object references), which can expose other users’ data. GLM-5.2 scored an F1 value of 39 percent, ahead of Claude Opus 4.6 at 37 percent and older Opus versions at 28 percent. The open model ran with nothing but a simple prompt and the codebase. It did not get the extra tooling that powers Semgrep’s own multimodal pipeline built on GPT-5.5, which reached a top score of 61 percent. Semgrep put the cost per vulnerability found at roughly $0.17 – about one-sixth of what comparable top models cost. The researchers noted that the open model reached this result entirely without the endpoint discovery that Semgrep’s own pipeline additionally provides. That produced a direct comparison of raw model capability, independent of the surrounding toolchain.
What will matter is whether providers of open models like Zhipu AI and DeepSeek subject their systems to their own security tests before release in the future. So far, that task largely falls to external institutions like AISI. Both companies continue to publish their model weights freely, without third parties checking in advance how easily the systems can be repurposed for attacks.


