← Back to Blog
June 29, 2026 6 min read

GLM 5.2 beat Claude at cybersecurity and the gun just changed hands

Semgrep published benchmark results this week that made the front page of Hacker News with 715 upvotes. The headline is blunt: "GLM 5.2 beats Claude in our cyber benchmarks." That is a Chinese open-weight model outperforming Anthropic's flagship on security vulnerability detection. The name of the blog post is "We Have Mythos at Home." That is the joke. You do not need Anthropic's government-restricted model when the open alternative is right there.

There is a lot going on here. The short version is that the game where only the biggest labs got to play offense in cybersecurity is over. Open models are good enough now, and the rules that were supposed to keep the most dangerous capabilities locked up are doing something stranger: creating a two-tier market where government approval decides who gets access to what.

What the benchmarks actually show

Semgrep ran their own internal security benchmarks against a set of models. These are not synthetic academic tests. Semgrep is a static analysis company. Their benchmarks measure whether a model can find real vulnerabilities in real code: SQL injection paths, authentication bypasses, insecure deserialization, the stuff you actually care about when you run a security audit.

GLM 5.2 beat Claude on these tasks. The margin matters less than the fact that it happened at all. Six months ago, the idea that a model from Tsinghua's Zhipu AI, available as open weights, would match or exceed Anthropic on security-specific workloads would have been a stretch. Now it is a data point.

For context on pricing: GLM 5.2 costs roughly $1.4 per million input tokens and $4 per million output tokens. The cheapest model in Anthropic's lineup that comes close is Haiku 4.5 at $1/$5. GLM 5.2 outperforms Haiku by a wide margin and even challenges GPT 5.5 on some benchmarks, at roughly 3% of what you would pay for Claude Opus 4.x ($5/$25 per million tokens). This is the pricing asymmetry that keeps frontier lab CFOs up at night.

The Mythos problem

The Semgrep post title references "Mythos," Anthropic's restricted cybersecurity model. Mythos is the model so good at finding and exploiting vulnerabilities that the US government blocked its release. AISI, the UK's AI Safety Institute, budgeted 100M tokens per Mythos attempt, costing $12,500 per run and $125,000 across ten runs. Their finding was worse than the capability itself: "Models continue making progress with increased token budgets across the token budgets tested." In other words, throw more tokens at Mythos and it keeps finding more exploits. No diminishing returns detected.

This created a weird security equation. To harden a system against Mythos, you need to spend more tokens searching for vulnerabilities than an attacker would spend exploiting them. It is proof-of-work security. You do not win by being clever. You win by paying more.

Last week, the US government partially lifted its block on Mythos. Commerce Secretary Howard Lutnick sent a letter to Anthropic allowing release to more than 100 US institutions, including major companies and government agencies. Fable 5, Mythos's weaker sibling that was briefly the most powerful publicly available model, remains in limbo. The decision is framed as a "de-escalation" in the confrontation between the Trump administration and Anthropic, but the mechanism is telling: the government is picking who gets to use the model.

Mythos security spend
Per attempt 100M tokens
Cost per attempt $12,500
Full 10-run budget $125,000
No diminishing returns observed across budget range
Token pricing comparison
GLM 5.2 input $1.4/M
GLM 5.2 output $4/M
Claude Opus 4.x output $25/M
GLM 5.2 is 6x cheaper on output tokens

I think this is more worrying than people realize, but not for the reason you would expect. The restriction assumes that capability lives in one place and can be contained. If only Anthropic has Mythos-level security capability, controlling Anthropic controls the capability. But Semgrep just showed that GLM 5.2, which anyone can download, is approaching that capability. Open models do not need government approval. You cannot send a letter to HuggingFace.

GPT 5.6 and the new approval process

OpenAI announced GPT 5.6 this week with three tiers: Sol (flagship), Terra (balanced), and Luna (fast/cheap). Terra matches GPT 5.5 at 2x lower cost. Luna is their cheapest model yet. But the launch came with a detail that got less attention than it should have: "At their request, we are starting with a limited preview for a small group of trusted partners whose participation has been shared with the government."

The Washington Post put it more bluntly: "U.S. government will decide who gets to use latest upgrade to ChatGPT." OpenAI's own statement says they do not believe this should be the long-term default, but here we are. The administration that came in preaching deregulation is now picking which companies get access to the latest models.

The process is opaque. We do not know which companies got access to GPT 5.6 Sol or Mythos. We do not know what criteria the government is using. If the list turns out to be exclusively companies with political ties to the current administration, that is corruption, plain and simple. But even with the most generous reading, the precedent is bad. Government gatekeeping of AI capabilities is here, and the rules are being made up in real time.

Why open weights change the calculus

Here is the paradox the regulators have not figured out yet. Restricting Mythos made some sense when you assumed the only way to get that level of security capability was through Anthropic's API. But the capability gradient is not a cliff. It is a slope. GLM 5.2 is not Mythos, but it is good enough, and it is getting better every few months. The gap between the most expensive restricted model and the best open model has collapsed from years to months.

The 12 Grams of Carbon newsletter had a useful framing this week. If Claude gives you 1.1x improvement per iteration on a security loop and GLM 5.2 gives you 1.05x but costs 5x less, you can run the GLM loop 5 times more and come out ahead. This is the open model advantage in a loop-heavy world: you compensate for per-token quality with volume. It works because security tasks, unlike creative writing, are verifiable. You can tell whether the model found a real exploit or not.

The Mythos restriction also creates an asymmetry that hurts defenders. The attackers who would use AI to find exploits are not going through official channels anyway. They are using whatever model gets the job done, including fine-tuned open weights. Meanwhile, the companies that would use Mythos to find and fix vulnerabilities before attackers do are stuck waiting for government approval. This is the opposite of how security is supposed to work.

The loop economy

The real shift underneath all of this is from "which model is best" to "how many times can you afford to run it." The concept of "loops" has been around since last summer, when people called them "Ralph Wiggum loops" and it was not clear they would work reliably. The idea is simple: run an agent, let it finish, restart the same prompt, repeat. No human supervision required.

Loops did not work well when models had what people in the industry call "compounding error." Each loop introduced small mistakes that built on each other until the output was unusable. More tokens meant worse results. That has flipped. We are now in a regime of what some are calling "compounding correctness," where each loop iteration refines the output and the result gets better. More tokens now generally means better results, at least for verifiable tasks like security auditing.

If that holds, token cost per unit of quality becomes the only metric that matters. And that is exactly where open models win. GLM 5.2 at $4/M output lets you run 6 times as many loops as Claude Opus at $25/M. If the per-iteration quality gap is smaller than 6x, the open model wins on cost-adjusted output. The benchmarks from Semgrep suggest the quality gap is nowhere near 6x. It is probably closer to 1.2x and closing.

What this means for you

If you are running security audits with AI assistance right now, the practical takeaway is straightforward. Stop paying frontier prices for security tasks. GLM 5.2 or DeepSeek's models are fast enough and cheap enough that you can throw more iteration count at the problem for less total spend. The verification step is yours anyway: you still check whether the model's findings are real vulnerabilities before you act on them.

If you are building tooling for AI-assisted security, stop architecting for a single provider. The Mythos/GPT-5.6 access restrictions mean that your pipeline might work today and stop working tomorrow because of a letter from the Commerce Department. Build on open weights for anything you need to rely on. Use the frontier models as acceleration layers that can be swapped out.

And if you are a policymaker reading this: the horse has left the barn. The export control approach only works when the capability you are restricting cannot be replicated. GLM 5.2 proved that the best open models are close enough that restrictions mainly penalize the defenders who follow the rules. Rethink the framework before it does real damage to the people it is supposed to protect.

OpenAI also unveiled its first custom inference chip this week, built with Broadcom and named Jalapeno. It will run at roughly 750 tokens per second on Cerebras hardware. If inference gets that fast, the loop economy shifts again: from "how many loops can you afford" to "how many loops can you fit into the time between a developer pressing save and their next code review." That is a different question, and it is one that open models are well-positioned to answer, because cheap tokens matter more when you are running thousands of loops per second rather than per day.

AI Cybersecurity Open Weight GLM Policy