When an open-weight model reaches frontier-adjacent performance on vulnerability discovery with no access controls or gating, the practical threat model for security teams changes immediately. Unlike Anthropic’s Mythos – which sits behind subscription gates, geographic restrictions, and US export controls enacted June 12, 2026 – GLM-5.2 runs locally under an MIT license with safety controls that can be removed, fine-tuned away, or replaced. This compresses the operational timeline for both defensive tooling and offensive exploitation, and it forces an update to any threat model that relied on access friction to constrain capability.
What the benchmarks show Two independent security evaluations provide the primary evidence for the parity claim. Semgrep, a security tooling company, published benchmark results on June 22, 2026, comparing models on IDOR (Insecure Direct Object Reference) detection. GLM-5.2 scored 39% F1, ahead of Claude Code (32%), though still below Semgrep’s own multimodal pipeline (53-61% F1). Graphistry ran a separate evaluation on the CyBT-CTF benchmark – a capture-the-flag evaluation set used by security researchers – and found GLM-5.2 matched Opus 4.8 on solve rate, making it the first open-weight model Graphistry said it would recommend for a “frontier-like” cybersecurity experience. The Wall Street Journal first brought these evaluations to a broad audience, describing the results as a meaningful narrowing of the US-China gap in security-relevant model capabilities.
Distillation concern Graphistry researchers flagged a statistical anomaly that may help explain the rapid capability gain: GLM-5.2’s outputs correlated unusually highly with both GPT-5.5 and Opus 4.8 responses on identical prompts, with Cohen’s Kappa values of 0.80 and 0.76 respectively, against a baseline of 0.63 between the two US models. Graphistry described this pattern as consistent with knowledge distillation – a technique where a model is trained on the outputs of a larger proprietary one, violating the terms of service of both Anthropic and OpenAI when done without permission. Zhipu AI has not confirmed or denied this characterisation. If accurate, it implies the model’s security-task gains may be built on access to gated capability, which carries potential IP and regulatory implications beyond the current export-control debate.
Exploitation in the wild Axios reported on June 25 that Russian-language hacker forums were already circulating jailbreak techniques for GLM-5.2 within days of its open-weight release, with threat actors discussing use for generating phishing emails, fraud scripts, and vulnerability-specific payloads. The Five Eyes security alliance reportedly circulated internal warnings about the model’s capability profile. This is not a theoretical future risk: it reflects how quickly open-weight releases propagate into active exploit communities once parameters are publicly downloadable.
