Open-Weight AI Models Are Catching Up to Frontier Cyber Capabilities — and Defenders Have Less Time Than You Think

The Data That Changes the Timeline
The British AI Security Institute (AISI) released its first-ever Frontier AI Trends Report on July 18, 2026, and buried inside it is a finding that should change how enterprise security teams, policymakers, and AI developers think about the open-weight model debate.
Over the past 18 months, the gap between what open-weight models can do in cyber attacks and what the best closed frontier models can do has collapsed from 6-10 months to just 4-7 months. Open-weight models like GLM-5.2 and DeepSeek V4-Pro — models anyone can download, modify, and run on their own hardware — have reached a level of autonomous cyber capability that closed frontier models achieved only four to seven months ago.
For context, at the start of 2025, that gap was still six to ten months. The trend line is unambiguous: the gap is shrinking, and it is shrinking fast.
How AISI Tested the Models
AISI evaluated models using two complementary methodologies. The first, called Narrow Cyber Tasks, comprises 70 individual tasks across four difficulty levels — from nontechnical work like data entry through expert-level challenges in vulnerability research, reverse engineering, web exploitation, and cryptography.
The results were striking. GLM-5.2, released in June 2026, matched the performance of Anthropic's Opus 4.6 from February 2026 — a gap of about four months. DeepSeek V4-Pro performed at the level of Opus 4.5, released in November 2025, roughly five months behind. Both models ran at a fraction of the inference cost of their closed counterparts.
The second methodology, Cyber Ranges, tests autonomous capabilities in simulated networks. The "Last Ones" scenario simulates a 32-step attack on a corporate network with four subnets and approximately 20 hosts — a task AISI estimates would take a human expert roughly 20 hours. In this test, GLM-5.2 performed about as well as Opus 4.5, while DeepSeek V4-Pro fell below Sonnet 4.5. The leading closed models — GPT-5.6-Sol and Claude Mythos 5 — nearly completed the full simulation.
AISI treats the Cyber Ranges results as weaker evidence because they come from fewer test scenarios, and notes that the tests cannot distinguish between a model that lacks cyber capabilities and one that cannot sustain planning across a long, complex attack sequence.
The Safety Paradox: Open Models, Open Vulnerabilities
The most concerning finding in the report may not be about capability at all — it is about the near-total ineffectiveness of safety measures on open-weight models. Once a model's weights are released, anyone can download them, strip safety guardrails, share copies freely, and run the model on private systems beyond any oversight.
AISI describes this as "a persistent and irreversible risk of misuse." The report notes that terrorist groups are already jailbreaking commercial chatbots for operational purposes, and open-weight models remove even the friction of a commercial API — no rate limits, no content filters, no audit trail.
The cost differential compounds the problem. Running an open-weight model for cyber tasks costs a fraction of what the equivalent closed frontier model charges per token. This means that actors who could not previously afford frontier-level cyber capabilities — smaller criminal groups, state-aligned non-state actors, ideological attackers — can now access increasingly capable tools at commodity prices.
The Enterprise Implications
For enterprise security teams, the AISI report translates into a concrete timeline problem. The data suggests that within the next 1-2 years, open-weight models are likely to match or exceed today's frontier cyber capabilities entirely. The difference between 4-7 months and 0 months is not a theoretical question — it is a question of when, not if.
This is compounded by the agent security gap documented in VentureBeat's July 2026 Pulse Research survey, which found that 54% of enterprises have already experienced an AI agent security incident or near-miss. Only 32% give every agent its own scoped identity, and only 30% isolate their highest-risk agents in sandboxes. The infrastructure for containing AI-powered attacks is still being built, even as the tools for launching them become cheaper and more accessible.
What Policymakers Can Learn from the Numbers
AISI's report adds hard data to a debate that has often been conducted in abstractions. The trade-off between open-weight innovation and safety is not a philosophical question — it is a measurable one, and AISI has now provided the measurement framework.
Open-weight models offer clear benefits: private hosting, customization, cost efficiency, and a foundation that no single provider can control or revoke. But the data shows that the timeline for the cyber-capability gap to close is measured in months, not years. Policymakers who have been waiting for evidence before acting now have it.

The Bottom Line
The AISI Frontier AI Trends Report is exactly the kind of evidence-based assessment the AI safety debate has been missing. It replaces speculation with data, and the data tells a clear story: open-weight models are catching up to frontier models in cyber capabilities faster than most observers expected, safety measures on open models are not keeping pace, and the cost advantage of open models means these capabilities will be widely accessible.
The question is not whether the gap will close — it is whether defenders, enterprises, and policymakers can close their own gap faster. The clock is ticking at 4-7 months and counting.
Sources
Frequently Asked Questions
What did the UK AI Security Institute (AISI) find about open-weight models and cyber capabilities?
AISI tested open-weight models like GLM-5.2 and DeepSeek V4-Pro against closed frontier models on 70 cyber tasks across four difficulty levels. Open-weight models now trail frontier models by only 4-7 months, down from 6-10 months at the start of 2025. On more complex simulated network attacks, the gap is wider at about 7 months.
Which open-weight models were tested and how did they perform?
AISI tested GLM-5.2 (released June 2026) and DeepSeek V4-Pro. GLM-5.2 matched Opus 4.6 from February 2026 on Narrow Cyber Tasks, about 4 months behind. DeepSeek V4-Pro performed at the level of Opus 4.5 from November 2025. In the Cyber Ranges simulated network attack, GLM-5.2 performed similarly to Opus 4.5, while GPT-5.6-Sol and Claude Mythos 5 led.
How effective are safety measures on open-weight models?
AISI found that safety measures on open-weight models are largely ineffective. Because the model weights can be downloaded, modified, and run on private systems without oversight, users can remove safety guardrails, share copies freely, and run them beyond anyone's control. AISI calls this 'a persistent and irreversible risk of misuse.'
Why is the closing gap between open and closed models significant for cybersecurity?
The narrowing gap means defenders have less time to prepare for AI-powered cyber attacks. Open-weight models are significantly cheaper to run than closed frontier models, making advanced cyber capabilities accessible to a much wider range of actors. AISI's data suggests the gap could close entirely within 1-2 years if current trends continue.
What are the benefits of open-weight models that complicate the safety debate?
Open-weight models can be hosted privately with no data flowing back to providers, customized for specific use cases, and operated at a fraction of the cost of closed APIs. They provide a foundation that providers cannot change or shut down. AISI acknowledges these competing concerns need to be balanced against the safety risks.
Related Articles

The Pentagon Just Declared AI Safety a Luxury It Can't Afford
The US Department of the Navy released an AI strategy that explicitly treats slow adoption as a bigger risk than imperfect alignment. It's the clearest signal yet that the US military has moved past the question of whether to deploy AI and on to how fast.

AI Can Now Design a Pathogen's Twin That Slips Past Every DNA Safety Screen — Google DeepMind's Plan to Stop It
Google DeepMind just admitted that AI can design DNA sequences with the same dangerous function as a known pathogen without matching its sequence closely enough to trip existing biosecurity screens — and outlined a 15-partnership program built on AlphaFold, SynthID, and a new DNA watermarking system to close the gap.

Gold Eagle: Inside the US Government's New AI Vulnerability Clearinghouse
The White House just launched Gold Eagle, an AI-powered clearinghouse that coordinates vulnerability detection across federal agencies and critical infrastructure. Here's what it is, what authorized it, and why it exists now.