News · 2026-07-17
UK Safety Institute: Open Models Are Now Months, Not Years, Behind on Cyber
The UK AI Safety Institute published its first public analysis of open-weight models' cyber capabilities on July 17, 2026, and the finding is a clear trend line: leading open models now match the cyber abilities of closed frontier models released just 4 to 7 months earlier. That is a real narrowing from the 6-to-10-month gap the institute measured through most of 2025 -- and the open models do it at a fraction of the cost, sometimes less than a fiftieth.
Key facts
- GLM-5.2 performs comparably to the most cyber-capable models from about 4 months earlier on narrow tasks; DeepSeek V4-Pro matches models from about 5 months earlier.
- A 100-million-token cyber-range run cost roughly $85 for the closed Opus models, about $46 for GLM-5.2, and about $1.19 for DeepSeek V4-Pro.
- The gap is narrowing but has not closed; the analysis is from the UK AI Safety Institute.
AISI evaluated models two ways. The first was 70 narrow cyber tasks across four difficulty levels -- vulnerability research, reverse engineering, web exploitation and cryptography -- with five attempts per task. There, GLM-5.2 performed like the top cyber models from four months before it, holding across all four difficulty levels. The second, harder track was 'cyber ranges': end-to-end, multi-step autonomous attacks. The flagship test, 'The Last Ones,' is a 32-step attack on a simulated corporate network of roughly 20 hosts that would take a human expert about 20 hours. On that, GLM-5.2 reached as far as a closed model from under seven months earlier before stalling.
The cost figures are the most striking practical data point, and they explain why this matters beyond a leaderboard. On tasks that both the open and closed models solved with perfect reliability, the closed Opus model cost about $15 per task versus GLM-5.2's roughly $6 -- and versus DeepSeek V4-Pro's 28 cents. In other words, the open models deliver comparable cyber capability at somewhere between half the cost and 2% of the cost. When a capability that used to be expensive and gated becomes cheap and downloadable, the population of people who can wield it grows enormously.
The safeguard finding connects directly to the same week's Hugging Face breach. AISI reported that 'our evaluations of recent open weight models were largely unimpeded by safeguards.' DeepSeek V4-Pro occasionally refused a reverse-engineering task, but the institute bypassed those refusals 'simply via a small number of repeat attempts.' AISI frames this as the core risk of open release: once weights are public, misuse becomes 'persistent and irreversible.' That is the flip side of Hugging Face's complaint -- there, closed-model guardrails blocked legitimate defenders while the attacker's unrestricted model ran free. Together the two stories map the whole asymmetry: open weights empower attackers and defenders alike, while closed guardrails constrain defenders and, as the attack showed, not necessarily the attackers.
Why it matters: this is the government-funded, methodologically careful version of the 'open is catching up' story that Mozilla's report told for general capability the same day -- but on the one dimension where the stakes are sharpest. And it sets up a specific next milestone: AISI says it 'intends to test Kimi K3 on this same basis, once its weights are publicly released,' which Moonshot has scheduled for late July. If Kimi K3 narrows the cyber gap further, that will be the next data point in this trend.
The honest caveats come from AISI itself. It notes its setup 'likely slightly underestimates open weight models' maximum capability,' because it did not pursue specialized techniques that could have boosted their scores -- so the real gap may be even smaller. And it cautions that this covers cyber only; you cannot infer anything about other capabilities. It also warns the result 'is not predictive of whether future open weight models will replicate the more recent jumps' from the very latest closed models. The gap is narrowing, not gone -- but the direction has been consistent for over a year.
Key questions
How far behind are open-weight models on cyber capabilities?
Are the open models cheaper to run for these tasks?
Do open-weight models refuse to do cyberattacks?
Will the institute test Kimi K3?
Cite this
APA
Ground Truth. (2026, July 17). UK Safety Institute: Open Models Are Now Months, Not Years, Behind on Cyber. Ground Truth. https://groundtruth.day/news/aisi-open-weight-models-cyber-gap-narrowing.html
BibTeX
@misc{groundtruth:aisi-open-weight-models-cyber-gap-narrowing,
title = {UK Safety Institute: Open Models Are Now Months, Not Years, Behind on Cyber},
author = {{Ground Truth}},
year = {2026},
month = {jul},
url = {https://groundtruth.day/news/aisi-open-weight-models-cyber-gap-narrowing.html}
}
Comments are replies to this story on Bluesky — reply with any Bluesky account to join in.