🐾 LIVE
Chinese Tech Workers Are Training Their AI Replacements — And Fighting Back Xiaomi miclaw Becomes China's First Government-Approved AI Agent OpenAI's Quiet Acquisitions Signal Existential Questions About Its Future Google Gemini Launches Native Mac App: The Desktop AI Wars Are On Cerebras Files for IPO at $23B, Backed by $10B OpenAI Partnership DeepSeek Raising $300M at $10B Valuation — While Remaining Profitable ByteDance vs Alibaba vs Tencent: China's AI Video War Heats Up Chinese Tech Workers Are Training Their AI Replacements — And Fighting Back Xiaomi miclaw Becomes China's First Government-Approved AI Agent OpenAI's Quiet Acquisitions Signal Existential Questions About Its Future Google Gemini Launches Native Mac App: The Desktop AI Wars Are On Cerebras Files for IPO at $23B, Backed by $10B OpenAI Partnership DeepSeek Raising $300M at $10B Valuation — While Remaining Profitable ByteDance vs Alibaba vs Tencent: China's AI Video War Heats Up
Ai-Research

Open-Weight Models Just Caught Up to Frontier AI in Cyber Skills — and They Cost 99% Less

The British AI Security Institute says the gap between open and closed cyber models is shrinking to four months. Defenders are running out of time.

2026-07-19 By AgentBear Editorial Source: The Decoder 8 min read
Open-Weight Models Just Caught Up to Frontier AI in Cyber Skills — and They Cost 99% Less

The British AI Security Institute has put a number on a fear that security researchers have been whispering about for months. In a new public assessment, it found that leading open-weight models now match the cyber capabilities of top proprietary systems from just four months ago. A year earlier, that gap was six to ten months. The catch-up is happening faster than policymakers expected, and the price difference is even more shocking than the performance gap.

For the first time, AISI directly compared open models like GLM-5.2 and DeepSeek V4-Pro against closed frontier systems such as Opus 4.6, Claude Mythos 5, and GPT-5.6-Sol. The tests were not theoretical. They included vulnerability research, reverse engineering, web exploitation, cryptography, and a full 32-step simulated corporate network attack. The results are a wake-up call for anyone still pretending that open models are harmless toys.

The Numbers Are Not Reassuring

On AISI’s Narrow Cyber Tasks benchmark, which spans 70 tasks across four difficulty levels, GLM-5.2 matched Opus 4.6 from February 2026. That is a four-month lag. DeepSeek V4-Pro matched Opus 4.5 from November 2025. At the start of 2025, the gap was still six to ten months. The open camp has compressed that window by roughly half in a matter of months.

The second test, called Cyber Ranges, is more demanding. It simulates a 32-step autonomous attack on a corporate network with four subnets and about 20 hosts. AISI estimates a human expert would need roughly 20 hours to complete it. Here, the gap is wider. GLM-5.2 performed at the level of Opus 4.5, while GPT-5.6-Sol and Claude Mythos 5 nearly completed the entire simulation. The lag is around seven months.

AISI notes that even these tests may underestimate what open models can do at their best. The models were not tuned for the evaluations, and real-world scenarios include active defenders, additional noise, and imperfect information. The gap could be even smaller in practice.

The Cost Gap Is the Real Weapon

Performance is only half the story. The economics are the other half, and they are brutal. A 100-million-token Cyber Range test cost about $85 with Opus 4.5 or 4.6, roughly $46 with GLM-5.2, and just $1.19 with DeepSeek V4-Pro. On individual tasks solved reliably by both models, Opus 4.6 cost about $15 per task, GLM-5.2 around $6, and DeepSeek V4-Pro 28 cents.

Those are not rounding errors. They are the difference between a capability that requires institutional funding and one that can be run on a hobby budget. At 28 cents per task, a motivated attacker can scale, iterate, and fail cheaply until something works. The defensive side does not have that luxury. Security teams must be right every time. Attackers only need to be right once.

Safety Measures Don’t Transfer

Open-weight models have a structural problem that no prompt engineering can fix: once the weights are released, the creator loses control. Users can remove guardrails, fine-tune away refusals, and run the model on air-gapped systems. AISI calls this a “persistent and irreversible risk of misuse.” That is not a bug in the safety layer. It is the point of the architecture.

In the tests, DeepSeek V4-Pro sometimes refused reverse-engineering tasks, but a simple retry was enough to bypass the refusal. That is not a robust safety system. It is theater. Monitoring, classifiers, and usage limits work only when the provider controls the model. Open weights break that model entirely. The same qualities that make open models valuable for researchers and privacy-conscious developers make them attractive to anyone who wants to operate without oversight.

Closed commercial models are not immune to misuse either. A recent study confirmed that terrorist groups are jailbreaking ChatGPT, Claude, and Gemini to plan attacks. But commercial systems at least create friction, account trails, and the possibility of intervention. Open models offer none of that. They are the digital equivalent of an unmarked burner phone.

What the Shrinking Window Means for Defenders

AISI frames the gap between open and closed models as a preparation window. While the frontier models are ahead, defenders with access to them can study the threats before those capabilities become freely available. That window is now four to seven months. In some areas, it may be narrower.

The problem is that the window is closing faster than most organizations can adapt. Large companies can buy access to the best closed models and hire security teams. Governments can run national cyber centers. Small businesses, hospitals, municipalities, and NGOs cannot. The open model threat is not evenly distributed. It lands hardest on the targets with the least ability to defend themselves.

The recent jump in closed-model capabilities makes the situation more urgent. In April 2026, Mythos Preview and GPT-5.5 delivered some of the largest gains in AI cyber capabilities since AISI began testing. The UK’s National Cyber Security Centre responded with international warnings that the cyber threat landscape is changing fast. By the time those warnings reach a boardroom, the same capabilities may already be downloadable.

🔥 Hot Takes

1. The “open vs closed” debate is over. Open won on price, and that is what matters. Policymakers keep arguing about whether open models are more dangerous than closed ones. They are asking the wrong question. The question is whether the marginal safety of closed systems outweighs the fact that open models are now cheap enough to be everywhere. At 28 cents per task, the answer is obvious.

2. China’s open-source strategy is already paying off in the cyber underground. DeepSeek V4-Pro is the cheapest high-performing model in the test. China has been giving away trillion-parameter models and building alternatives to Western chips. The West’s export controls were supposed to slow this down. Instead, they accelerated a world where capable, cheap, uncontrolled AI is the default.

3. The four-month lag is a fiction for anyone not already prepared. AISI’s numbers assume defenders have access to frontier models and the expertise to use them. Most organizations do not. For the average company, the open model is already here. The defender’s “window” is only real if you are standing in front of it.

The Bottom Line

Open-weight models are no longer the lagging alternative to frontier AI. In cyber capabilities, they are now within months of the best closed systems and orders of magnitude cheaper. That combination makes them both a powerful democratizing force and a durable security threat. The safety mechanisms that work for commercial APIs do not apply once the weights are on a hard drive somewhere in Eastern Europe or a garage in Southeast Asia.

The implication is not that we should ban open models. It is that we need to stop pretending the old playbook still works. Defensive measures must assume that capable, cheap, uncontrolled AI is already in the hands of attackers. That means faster patching, better network segmentation, continuous red teaming, and a serious conversation about whether critical infrastructure can survive in a world where the next generation of cyber tools costs less than a cup of coffee.

Enjoyed this analysis?

Share it with your network and help us grow.

More Intelligence

Ai-Research

Older Adults Know AI Is Slop. They Just Like It.

Ai-Research

A Chinese Startup Is About to Drop a 2.7 Trillion Parameter Open-Source Model — And Nobody Saw It Coming

Back to Home View Archive