Ground Truth.
AI, checked against the source.

News · 2026-07-17

UK Safety Institute: Open Models Are Now Months, Not Years, Behind on Cyber

The UK AI Safety Institute published its first public analysis of open-weight models' cyber capabilities on July 17, 2026, and the finding is a clear trend line: leading open models now match the cyber abilities of closed frontier models released just 4 to 7 months earlier. That is a real narrowing from the 6-to-10-month gap the institute measured through most of 2025 -- and the open models do it at a fraction of the cost, sometimes less than a fiftieth.

Key facts

AISI evaluated models two ways. The first was 70 narrow cyber tasks across four difficulty levels -- vulnerability research, reverse engineering, web exploitation and cryptography -- with five attempts per task. There, GLM-5.2 performed like the top cyber models from four months before it, holding across all four difficulty levels. The second, harder track was 'cyber ranges': end-to-end, multi-step autonomous attacks. The flagship test, 'The Last Ones,' is a 32-step attack on a simulated corporate network of roughly 20 hosts that would take a human expert about 20 hours. On that, GLM-5.2 reached as far as a closed model from under seven months earlier before stalling.

The cost figures are the most striking practical data point, and they explain why this matters beyond a leaderboard. On tasks that both the open and closed models solved with perfect reliability, the closed Opus model cost about $15 per task versus GLM-5.2's roughly $6 -- and versus DeepSeek V4-Pro's 28 cents. In other words, the open models deliver comparable cyber capability at somewhere between half the cost and 2% of the cost. When a capability that used to be expensive and gated becomes cheap and downloadable, the population of people who can wield it grows enormously.

The safeguard finding connects directly to the same week's Hugging Face breach. AISI reported that 'our evaluations of recent open weight models were largely unimpeded by safeguards.' DeepSeek V4-Pro occasionally refused a reverse-engineering task, but the institute bypassed those refusals 'simply via a small number of repeat attempts.' AISI frames this as the core risk of open release: once weights are public, misuse becomes 'persistent and irreversible.' That is the flip side of Hugging Face's complaint -- there, closed-model guardrails blocked legitimate defenders while the attacker's unrestricted model ran free. Together the two stories map the whole asymmetry: open weights empower attackers and defenders alike, while closed guardrails constrain defenders and, as the attack showed, not necessarily the attackers.

Why it matters: this is the government-funded, methodologically careful version of the 'open is catching up' story that Mozilla's report told for general capability the same day -- but on the one dimension where the stakes are sharpest. And it sets up a specific next milestone: AISI says it 'intends to test Kimi K3 on this same basis, once its weights are publicly released,' which Moonshot has scheduled for late July. If Kimi K3 narrows the cyber gap further, that will be the next data point in this trend.

The honest caveats come from AISI itself. It notes its setup 'likely slightly underestimates open weight models' maximum capability,' because it did not pursue specialized techniques that could have boosted their scores -- so the real gap may be even smaller. And it cautions that this covers cyber only; you cannot infer anything about other capabilities. It also warns the result 'is not predictive of whether future open weight models will replicate the more recent jumps' from the very latest closed models. The gap is narrowing, not gone -- but the direction has been consistent for over a year.


Primary source, verified: read the paper →

Key questions

How far behind are open-weight models on cyber capabilities?

The UK AI Safety Institute found that recent open models GLM-5.2 and DeepSeek V4-Pro perform like closed frontier models released 4 to 7 months earlier, a narrower gap than the 6-to-10-month lag measured through most of 2025.

Are the open models cheaper to run for these tasks?

Dramatically -- on tasks both solved reliably, GLM-5.2 cost about half as much as the comparable closed model, and DeepSeek V4-Pro cost roughly 2% as much.

Do open-weight models refuse to do cyberattacks?

Largely not -- AISI reported its evaluations were 'largely unimpeded by safeguards,' and the few refusals from DeepSeek V4-Pro were bypassed simply by retrying the task a few times.

Will the institute test Kimi K3?

Yes -- AISI says it intends to run Kimi K3 through the same cyber evaluations once its weights are released, which Moonshot has scheduled for late July 2026.
Cite this

APA

Ground Truth. (2026, July 17). UK Safety Institute: Open Models Are Now Months, Not Years, Behind on Cyber. Ground Truth. https://groundtruth.day/news/aisi-open-weight-models-cyber-gap-narrowing.html

BibTeX

@misc{groundtruth:aisi-open-weight-models-cyber-gap-narrowing,
  title  = {UK Safety Institute: Open Models Are Now Months, Not Years, Behind on Cyber},
  author = {{Ground Truth}},
  year   = {2026},
  month  = {jul},
  url    = {https://groundtruth.day/news/aisi-open-weight-models-cyber-gap-narrowing.html}
}

Topics: cybersecurity · open-weight · aisi · evaluation · policy

Comments are replies to this story on Bluesky — reply with any Bluesky account to join in.