Open-weight AI models narrow cyber gap with proprietary systems
The U.K. AI Security Institute says top open-weight models now trail closed cyber models by four to seven months, while costing far less to run.
By Renata Fuchs · Policy Reporter
· 3 min read
The U.K. AI Security Institute said leading open-weight AI models are now matching cyber performance that top proprietary systems reached only four to seven months earlier, compressing a gap that was six to ten months for much of 2025. The finding matters because these models can be downloaded, modified and run without provider oversight, while costing materially less than closed frontier models in AISI’s tests.
AISI’s first public comparison of open-weight and closed frontier cyber capability focused on models including GLM-5.2 and DeepSeek V4-Pro. The institute said those open models have reached levels previously seen in older closed systems, even though the most capable proprietary models still lead on longer autonomous attack simulations.
The report frames the lag between closed and open systems as a defensive planning window. If frontier labs produce a new cyber capability, defenders may have only a few months before similar capabilities are available in open models that can be run privately and stripped of access controls.
Benchmarks show a shrinking lag
AISI used two testing approaches. The first, called Narrow Cyber Tasks, covers 70 tasks across four difficulty levels, including vulnerability research, reverse engineering, web exploitation and cryptography.
On that benchmark, AISI said GLM-5.2, released in June 2026, performed about as well as Opus 4.6, a closed model from February 2026. DeepSeek V4-Pro reached the level of Opus 4.5, which was released in November 2025. That puts the open models roughly four to five months behind comparable closed systems on these narrower tasks.
The second test, Cyber Ranges, measures autonomous performance in simulated networks. One scenario, “The Last Ones,” is a 32-step attack path against a corporate network with four subnets and about 20 hosts. AISI estimates that a human expert would take roughly 20 hours to complete it.
In that setting, GLM-5.2 performed similarly to Opus 4.5, while DeepSeek V4-Pro scored below Sonnet 4.5. GPT-5.6-Sol had the strongest result, ahead of Claude Mythos 5. AISI put the open-weight lag at about seven months on Cyber Ranges, but treated that evidence as less robust because it came from fewer scenarios.
AISI also cautioned that the tests may understate the strongest possible open-model performance because the models were not tuned for the evaluations. The Cyber Ranges simulations also omit active defenders and other real-world controls that would be present in many actual networks.
Costs and controls are the practical issue
The cost gap was stark. AISI said a 100-million-token Cyber Range run cost about $85 using Opus 4.5 or 4.6, about $46 using GLM-5.2 and $1.19 using DeepSeek V4-Pro.
For individual tasks that both compared models solved reliably, AISI reported costs of about $15 per task for Opus 4.6 and $6 for GLM-5.2. Opus 4.5 cost about $12.50 per task, compared with 28 cents for DeepSeek V4-Pro. The implication is straightforward: once cyber capability appears in open models, large-scale experimentation gets cheaper.
AISI said safety measures on the open models were weak. DeepSeek V4-Pro sometimes refused reverse-engineering prompts, but the institute said retrying was enough to get around the refusal. Controls such as monitoring, classifiers and user limits depend on controlling access, which does not apply once model weights are available to download and run independently.
The institute described open-weight release as creating a “persistent and irreversible risk of misuse.” It also acknowledged legitimate benefits: private hosting, customization, lower operating costs and protection from providers changing or withdrawing access.
Defenders have less time
AISI said the narrowing gap gives defenders less time to prepare before frontier cyber capabilities spread into models with fewer enforceable constraints. The U.K. National Cyber Security Centre has also warned that AI is changing cyber risk quickly.
The next open-weight model to watch is Kimi-K3, whose weights are expected in late July, according to AISI. Current coding benchmarks suggest it may come closer to today’s frontier systems, though at higher cost than other open models. AISI has not yet reported cyber benchmark results for it.
This story draws on original reporting from The Decoder.