A Government Lab Put a Number on the Gap

On 17 July 2026 the United Kingdom's AI Security Institute published the first empirical measurement of how far open-weight AI trails the closed frontier on offensive cyber work, and the number is smaller than the industry assumed. AISI found that the best downloadable models now match the cyber capability of closed frontier systems released four to seven months earlier. Through most of 2025 that gap ran six to ten months. The lead that closed labs held over freely available models has narrowed by roughly a third to a half in a single year.

The finding rests on two test regimes, not one benchmark. AISI ran seventy narrow cyber tasks graded across four difficulty levels, then a set of cyber ranges that measure whether a model can run an end-to-end attack against a simulated network on its own. GLM-5.2, released in June 2026, performed like closed models from four months earlier on the narrow tasks and matched Opus 4.5 on the longer ranges. DeepSeek V4-Pro tracked the same Opus 4.5, a model that shipped five months ahead of it.

The Head Start Was Never Free

The gap is the whole point of measuring it. The most capable cyber models have always been closed, reachable only through a developer's interface where the maker can watch usage, refuse abuse and switch off an account. That control is what buys defenders time: security teams with access to the strongest guarded systems can find and fix weaknesses before the same capability reaches attackers through a model nobody is monitoring.

The window is not hypothetical. In April 2026 two closed models, Mythos Preview and GPT-5.5, posted the largest single jumps in cyber capability AISI had recorded since it began testing in 2023, which triggered international warnings. The closed frontier keeps moving; the question AISI answered is how fast the open pack follows. The comparison set tells the story on its own, with GLM-5.2 and DeepSeek V4-Pro now standing where Opus 4.5, Opus 4.6 and GPT-5.3-Codex stood only months ago.

What a Months-Long Gap Means for Your Security Budget

Plan your defence around a clock that now reads months, not a year. Whatever the paid frontier can do offensively today should be treated as available inside an unmonitored, downloadable model within roughly half a year. An open model carries no rate limit, no abuse refusal and no off switch; once the weights are public, the safeguards that sit around a hosted service do not travel with them. The practical planning assumption is attacker parity with the guarded frontier on a two-quarter delay.

For an operator that reframes several line items. A patch cadence tuned to a leisurely quarterly cycle is now inside the window in which a commodity model can chain a public vulnerability into a working intrusion. Detection tooling bought on the promise that novel attacks stay rare needs to assume novel-looking attacks become routine sooner. And the security value of paying for a top closed model is real but shrinking, because the same reasoning your team rents is months from being downloadable by whoever targets you.

An Open Model Cannot Be Recalled

The asymmetry that makes this hard is permanence. A closed lab that finds its model has become dangerous can tighten filters, throttle access or pull it. Open weights, once released, are copied, stored and re-hosted beyond any single party's reach, and the guardrails a maker trains in can be stripped by anyone with the file and modest hardware. AISI's own framing is blunt: defenders have a short window before today's frontier cyber capabilities may become accessible without the same safeguards.

None of this makes open models the villain; the same openness underpins the research, auditing and sovereignty that European firms increasingly want from their software stack. It is an argument about timing. The benefit of open weights and the risk of open weights arrive together, and the risk clock is the one that just sped up. Treating the four-to-seven-month figure as a fixed law would be a mistake too, because the trend across the year is that it keeps shrinking.

The Bottom Line

Assume the attacker's tools reach the guarded frontier within about six months, and staff, patch and monitor to that assumption. Under NIS2 the accountability for that judgement now sits with named management, not a contractor, so the calendar you plan against is a board-level number. Ask your security lead one question this quarter: if a downloadable model could run an autonomous attack on our network by year end, what changes today. The honest answer is a budget line, not a reassurance.