A government lab put open models on a cyber range

Britain's AI Security Institute has measured how close freely downloadable AI models have come to the best closed systems on offensive cyber work, and the answer is uncomfortably close. In a report published on 17 July 2026, the institute tested two open-weight models, GLM-5.2 and DeepSeek V4-Pro, across 70 cyber tasks spanning four skill levels from technical non-expert to expert, plus a longer 32-step attack scenario on its cyber range.

GLM-5.2, released in June, matched Anthropic's Opus 4.6 from February on the narrow tasks and Opus 4.5 from November on the longer ranges. DeepSeek V4-Pro landed at the level of Opus 4.5. In plain terms, the open model you can download today and run on your own hardware performs like a frontier system that was state of the art four to seven months ago.

The price of a capable attack collapsed

The gap that matters most is not months, it is money. Running the institute's cyber range with a leading closed model cost about 85 dollars for a 100 million token pass; GLM-5.2 did the same for around 46 dollars, and DeepSeek V4-Pro for roughly 1 dollar and 19 cents. Per task at full reliability, Opus 4.6 cost 15 dollars and 17 cents, GLM-5.2 cost 6 dollars and 12 cents, and DeepSeek V4-Pro cost 28 cents.

That is not a rounding difference. The same offensive capability that a year ago sat behind a frontier lab's paid interface, with its usage logging and abuse monitoring, now runs on a self-hosted model at roughly one fiftieth of the cost and with no one watching. For anyone running a European business, the economics of who can afford to probe your systems just changed.

The safety catches did not hold

Open weights do not come with a working off switch. The institute reported that its evaluations of these models were largely unimpeded by safeguards. DeepSeek V4-Pro sometimes refused a reverse-engineering request, but simply asking again was enough to get past the refusal.

This is the structural point about open-weight release. Once a model's weights are public, its guardrails are advisory, because anyone can fine-tune them away or route around them. A closed model can be rate-limited, audited, and cut off; a downloaded one cannot. The safety story for these systems is therefore about capability, not about the polite refusals a chatbot shows a casual user.

What a European operator should take from this

The takeaway is not panic, it is timing. The window in which cutting-edge offensive tooling stayed expensive and monitored is closing, and your security planning should assume that a competent attacker now has cheap, unlogged access to capabilities that were frontier-grade last winter. Under NIS2 and DORA, the duty to manage that risk sits with the operator, not the model maker.

Practically, this raises the value of the basics that do not care how the attack was generated: patch latency, network segmentation, tested backups, and detection that watches behaviour rather than known signatures. It also means the question to ask a security vendor is no longer whether they defend against human attackers, but whether their assumptions still hold when the attacker's tooling costs pennies and never sleeps.