Open-Weight AI Cyber Gap Narrows to Months, AISI Finds

The UK AI Security Institute says GLM-5.2 and DeepSeek V4-Pro now trail leading closed AI models on cyber tasks by roughly four to seven months. For defenders, that shrinking gap turns open-weight model policy into an operational security issue, not a distant AI governance debate.
Laptop showing code beside a notebook on a desk
Photo: Emile Perron / Unsplash

Updated July 19, 2026: The UK AI Security Institute has put a sharper number on a question security teams have been circling for months: how long before open-weight AI models catch up to the most capable closed systems on cyber work?

In a July 17 analysis, AISI said recent open-weight models GLM-5.2 and DeepSeek V4-Pro performed similarly to closed frontier models released roughly four to seven months earlier. That is a narrower gap than the six-to-10-month lag AISI measured in internal evaluations of open-weight models released through most of 2025.

The finding does not mean open-weight models can now run full real-world intrusions on their own. AISI tested them in controlled tasks and simulated cyber ranges, not live enterprise networks with defenders, noisy logs, endpoint tools, and response teams. But the direction matters. A model that can be downloaded, copied, modified, and run outside a provider’s monitoring boundary is moving closer to capabilities that were recently available mainly through hosted commercial systems.

That makes GLM-5.2 more than a benchmark curiosity. Z.ai’s model, released in June with public weights and an MIT license, was already drawing attention from security researchers because it combined long-context coding ability with credible vulnerability-discovery results. AISI’s new data puts that earlier interest into a broader timeline: open-weight cyber capability is not just improving, it is following the closed frontier at a shrinking distance.

What AISI Tested

AISI looked at two kinds of cyber evaluation. Its narrow cyber tasks measure specific skills such as vulnerability research, exploitation, reverse engineering, web exploitation, and cryptography across several difficulty levels. The institute also ran models through cyber ranges: simulated networks built around multi-step attack chains that begin from an assumed foothold.

On the narrow tasks, AISI found GLM-5.2 comparable to Opus 4.6 and GPT-5.3-Codex, both released about four months earlier. DeepSeek V4-Pro was comparable to Opus 4.5, released about five months earlier. AISI said both results were tighter than its 2025 open-weight gap estimates.

The longer-horizon cyber range results were more constrained but still important. AISI’s primary range, called The Last Ones, is a 32-step corporate-network attack spanning four subnets and about 20 hosts. The institute estimates that a human expert would need roughly 20 hours to complete it. GLM-5.2 reached about as far as Opus 4.5, a closed model released less than seven months before it, while DeepSeek V4-Pro fell below a non-frontier Sonnet 4.5 comparison.

Those details matter because many AI security claims blur together one-off code snippets, capture-the-flag puzzles, and realistic multi-stage operations. AISI’s cyber ranges are still simplified compared with defended production environments, and the institute is explicit about that limitation. Even so, ranges are a better signal than asking whether a model can explain a vulnerability in prose. They test whether an agent can keep state, plan several steps ahead, use tools, recover from errors, and move through a sequence of systems.

Why Open Weights Change the Risk

Closed model providers can apply some controls after release: account bans, usage monitoring, rate limits, classifiers, policy changes, and model updates. Those controls are incomplete, but they give providers and investigators a place to intervene. Open-weight release removes much of that leverage once the weights are public.

AISI’s warning is direct: when a model with dangerous dual-use capability is released openly, copies can be downloaded, redistributed, modified, and run on private infrastructure. Refusal training may be weakened or removed. Provider-side monitoring does not follow the model into an attacker’s own cloud account or local cluster.

That does not make open-weight AI inherently bad. The same access can help defenders audit models, keep sensitive code inside their own environments, fine-tune systems for local languages or specialized workflows, and reduce dependence on a small group of proprietary vendors. The problem is that cyber capability is dual-use by design. The skills that help a security team find authorization bugs and harden systems can also help an attacker accelerate vulnerability research and exploit development.

The International AI Safety Report 2026 makes a similar distinction: open-weight models support research and access, but their safeguards are easier to remove and their release cannot be rolled back. Once a capable model is widely distributed, the question shifts from whether misuse can be prevented at the provider layer to whether organizations have enough monitoring, hardening, and response capacity to absorb the risk.

GLM-5.2 Was Already a Warning Shot

Z.ai describes GLM-5.2 as a long-horizon model built for coding and agentic workflows. The model card lists a 1 million-token context window, roughly 753 billion total parameters, and support for deployment through common inference frameworks such as vLLM, SGLang, Transformers, KTransformers, and Unsloth.

That context window is useful for application security because many serious bugs are not visible in a single file. Access-control failures, insecure direct object references, broken tenant isolation, and business-logic flaws often require tracing routes, middleware, permission checks, data models, and API behavior together. Larger context does not magically solve that work, but it gives an AI system more of the application surface before it has to summarize or guess.

Independent testing had already made GLM-5.2 hard to ignore. Semgrep’s June benchmark ran the model on an insecure-direct-object-reference detection task and found it competitive with leading coding agents in that setup. The best result still came from a purpose-built Semgrep pipeline rather than a bare model prompt, which is the point: useful security automation depends on the harness around the model as much as the model itself.

AISI’s new analysis broadens the lesson. GLM-5.2 is not merely one strong open model. It is evidence that open-weight models can sit close enough to the cyber frontier that defenders, buyers, and policymakers need to treat release decisions and deployment choices as operational security issues.

What Security Teams Should Do Now

The most practical response is not panic or a blanket ban. Security teams should assume that capable open-weight models will become part of both defensive and offensive workflows, then build controls around that reality.

For defenders evaluating GLM-5.2, DeepSeek V4-Pro, or similar systems, the first step is a local benchmark on real internal vulnerability classes. Measure precision, recall, repeatability, cost per true positive, and time-to-triage against issues the organization actually cares about: broken authorization, SSRF, unsafe deserialization, exposed secrets, dependency risk, injection paths, and tenant-isolation failures.

The second step is constraining tools. A model used for code review should not automatically get shell access, ticketing permissions, repository write access, cloud credentials, or broad network reach. If it can take actions, it should be governed like privileged automation, with logging, scoped credentials, approval gates, and incident response hooks.

The third step is detection. The UK’s National Cyber Security Centre has argued that current frontier-AI activity in cyber scenarios tends to generate noticeable alerts when organizations have effective monitoring. That advantage is fragile. It only helps environments that can see unusual scanning, repeated failed commands, odd tool use, suspicious authentication attempts, and lateral-movement experiments before an attacker turns AI assistance into speed.

Procurement teams also need sharper questions. Where will the model run? Who can fine-tune it? What logs are retained? What code or incident data will it see? Can the organization reproduce a finding? Can it prove a model did not make an unauthorized change? Can it disable a workflow quickly if the model or harness behaves unexpectedly?

The New Baseline

Open-weight AI models have now crossed into serious cybersecurity evaluation. They are not replacements for experienced security engineers, mature application-security programs, or specialized tools, and AISI’s tests do not prove autonomous real-world compromise. They do show that the capability gap is narrow enough to matter in planning cycles measured in quarters, not years.

For defenders, the window is useful but short. Closed frontier systems may still be ahead, but open-weight models are close enough that policy, procurement, and security architecture need to catch up. The operational question is no longer whether open models can be relevant to cyber work. It is how quickly organizations can use them safely while preparing for attackers to do the same without the same guardrails.

Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post
Server racks in a data center used for enterprise networking and security systems

Cisco Unified CM Exploit Gives Voice Servers a June 28 Patch Deadline

Next Post
A laptop screen showing code in a development editor

Clean GitHub Repos Can Still Trap AI Coding Agents

Related Posts