Derek: Okay, so a Chinese open-weight model just beat Claude on a cybersecurity benchmark, and anyone on Earth can download it right now. Under an MIT license, no access controls, no vendor logs, no phone home, just, here, have frontier-adjacent vulnerability detection. That's the thing, the U.S. government spent June putting export controls around Anthropic's Mythos, Zhipu AI dropped GLM-5.2's weights on... Dates on June sixteenth, one day later. Timing was-
Max: Impeccable.
Derek: Yeah. Semgrep ran it against their IDOR benchmark and got a thirty-nine percent F1 score, beating Claude Code's thirty-two percent.
Max: Wow.
Derek: At seventeen cents a finding. Seventeen cents! For the non engineers, that is extremely cheap to go hunting for vulnerabilities in someone else's code base. And that's before you strip the safety guard rails, which because it's open weight, you absolutely can. Russian-language hacker forums were already doing exactly that. that within days of the drop. Axios reported it. So today, we do the full autopsy. We'll look at the kill chain, why the architecture of Anthropic's access control strategy and GLM-52's deployment model are fundamentally incompatible. And we'll pressure test whether the Five Eyes Advisory's recommended controls mean anything at all when the model's running on someone's local GPU with zero provider in the loop. Plus, we've got a concrete action item at the end. Something you can actually do this week, not review your security posture. Revolutionary concept, I know, right? Alright, we start where this story starts. June 22nd, Semgrep publishes a benchmark and the security world has a bad morning. Thirty nine per cent F1 on IDOR detection-that's the number Semgrep published on June twenty second. No special harness, no scaffolding-just a prompt and a model.
Speaker 3: And the model was not Claude, not GPT anything. Claude Code came in at thirty two per cent.
Derek: Right, right, so what got me-Semgrep literally wrote that they'd never heard of this model until it showed up on social media. They added it to the benchmark almost as an afterthought.
Speaker 3: An afterthought that beat the reigning champ.
Derek: In 17 cents per vulnerability found.
Speaker 3: Wow.
Derek: 17 cents.
Speaker 3: Okay, so for context, the model is GLM-52. Zhipu AI, which is Zhipu AI out of Beijing, released June 13th to Coding Plan subscribers. Open weights follow June 16th, MIT license.
Derek: MIT license. That's not a restricted research license. That's a do whatever you want license. License.
Speaker 3: Yeah, the weights are just out there. Hugging Face. Download button.
Derek: Walk me through the architecture, because this isn't a small model.
Speaker 3: 750 billion total parameters. MoE design, so roughly 40 billion active per token. 1 million token context window. The MoE structure is why you can run it without paying dense 750B compute costs per token.
Derek: Oh, that's fascinating, because that also means inference is actually accessible for a- For a threat actor who's not Google.
Speaker 3: Exactly; and Graphistry ran a separate eval (CyBT-CTF) captured the FLAG security benchmark, and called GLM-52 the first open weight model they'd recommend for a "frontier like cyber security experience," matched Opus on solve rate.
Derek: So we have two independent labs,
Speaker 4: Mm hmm.
Derek: Semgrep and Graphistry, both landing in the same place. And Axios reported this week that the barrier to entry for for automating attacks is dropping fast. This is the data point that makes that concrete. Forbes reported the U.S. spent the spring treating this class of long horizon repository scale coding capability as a national security problem when it came from American labs. One day after the U.S. export-controlled Fable 5 and Mythos on June 12, GLM-52's open weights hit the internet. Wait, back up. One day? One day. So the controls went up and the capability walked around them before the ink was dry, which raises the actual question, if the model has no vendor in the loop, no API to audit, no cloud logs, what does your defense even look like? So the question that came out of all that is how did Anthropic try to prevent exactly this scenario? And the answer is Project Glasswing.
Speaker 3: Right. And it was actually a serious attempt. Mythos-class stayed locked inside a vetted partner list. Government agencies, banks, infrastructure providers. Forbes reported roughly 100 organizations cleared for access after June 26th. Before that, it was even tighter.
Derek: Wait, back up. So Anthropic's entire governance strategy was Because keep the model behind a vendor. You need an account, you need approval, you need to be on the list. And because every request goes through their API, there's logs, there's a choke point.
Speaker 3: Exactly. Cloud logs are how defenders catch abuse. You see a spike in vulnerability queries from one org, you can pull access. That enforcement mechanism only works if the vendor is in the middle of every transaction.
Derek: GLM-52. removes the
Speaker 3: vendor yeah fully Forbes put it plainly it's downloadable by anyone runs on private hardware and leaves no provider side record of how it's used that's not a gap in the system that's the system being architecturally inapplicable
Derek: that's fascinating in the worst possible way semiconductor export controls work because chips have serial numbers they move through traceable supply chains they sit in facilities You can audit a FAB; you cannot audit a weight file on Hugging Face, a 744 billion parameter model. No serial number, no facility, no provenance chain. TechTimes reported anyone can download it, strip the safety guardrails, fine-tune it for a specific target and run it locally, zero visibility to any provider or security team, and wire it straight into existing scanners and fuzzers. In a CI pipeline, so now your attack surface for reconnaissance is automated, local and silent, the cloud logs defenders depend on, never generated. That's not a policy failure, that's a physics problem. You can't recall a weight file the same way you can revoke an API key. Dario Amodei warned in May the defenders had maybe six to twelve months to patch before Mythos-class capabilities spread.
Speaker 3: Mm.
Derek: GLM-52 is what that spread looks like. Like 'two weeks ahead of schedule.' Which brings us to what people are actually doing with it right now, because it didn't take long for the forums to notice. No, it did not. short pause, short pause, and form activity is already showing what that looks like in practice. Axios reported Russian-language hacker forums were circulating jailbreak techniques within days of the weights dropping. Days, not weeks, days. And the bypass methods? Some of them are embarrassing. One documented technique is literally telling the model, I want to protect my company from brute force attacks. That's it? That's it. No red team tooling, no multi-step prompt chain, just vibes-based social engineering against an open-weight model with no provider watching.
Max: Oh, that's fascinating in the worst possible way. So what does the actual attacker workflow look like from there?
Derek: Armadins CTO Travis Lanham described it to Axios. You download the weights, strip or fine-tune the guardrails, plug the model into an existing fuzzer, and point it at a target code base. No logs generated anywhere.
Max: Beware no provider side telemetry. And GLM can hold a million token context window, so pointed at a code base means the whole repo, not samples, the whole thing. Lanham's exact framing was that it enables attackers to personalize post-intrusion movement and chain exploits the way an elite human attack would, except the elite human costs a lot and leaves traces. This doesn't. Wait, back up. Post-intrusion movement, so we're not talking about initial access. We're talking about what happens AFTER someone's already inside a network.
Derek: Right, you're in, now you need to map the environment, find the interesting systems, figure out what to pivot to next. That lateral movement step used to require a skilled operator making judgment calls. GLM can run that analysis locally, offline, against real internal documentation.
Max: No exposure to any provider, no defender visibility. Halcyon's threat intelligence analyst Roye Bass made that point. Read that point directly: attackers can generate phishing scripts and scam tooling with zero exposure to any provider or defender, fully local, fully silent. So the governance architecture we just talked about, the logging, the API choke points, none of that applies here, none of it. And Dario Amodei said in May there was a 6-12 month window to patch the vulnerabilities Mythos had found. GLM-52 dropped roughly 5-6 weeks after that warning. Warning: That window got a lot shorter a lot faster than anyone planned for. So Amodei said six to twelve months, deadpan. The open weights landed in six weeks.
Derek: Which is-not six months.
Max: Right; and to understand why that stings, you need to know what he was actually protecting. Mythos had found two hundred seventy one vulnerabilities in Firefox, a twenty seven year old bug in OpenBSD, and a seventeen year old remote code execution flaw in FreeBSD (CVE-2026-4747). The Net Web covered all of this back in May. And that wasn't theoretical; that was Mythos autonomously writing working exploits, no human after the initial prompt. Exactly. So the whole Project Glasswing structure, forty plus vetted institutions, controlled access, was a race against that clock, patch the backlog before anyone else gets the same capability. So Zai posted the weights on Hugging Face June sixteenth; Five Eyes issued their joint advisory June twenty second. The weights had been live for six days by the time the advisory went out. Six days.
Derek: Yeah.
Max: The timing doesn't get more on the nose than that. Now Axios flagged something that makes this even messier. Graphistry ran the numbers: Cohen's kappa of zero point eight zero and zero point seven six. six, between GLM-52 and GPT-55, and Opus respectively; so the GLM-52 correlates more tightly with both American models than the American models correlate with each other. That's the distillation allegation.
Speaker 3: Hmm.
Max: Graphistry said the pattern is consistent with training on their outputs without permission. Zhipu AI hasn't confirmed or denied it. And if that's accurate, the capability diffusion happened before But before the open weight release, the clock wasn't just running fast, it may have been running from a different starting line entirely.
Derek: Forbes put it plainly, the assumption that the most capable cyber AI would stay behind gated APIs in government deals no longer holds, full stop. So what does that actually mean for threat models built before last week? Because that's the next question, right?
Max: What did defenders structurally get wrong?
Speaker 4: The whole control architecture has seemed of
Max: then been spinning between the model and the user. No vendor, no cloud larks.
Speaker 4: Ps- no enforcement boots. GLM-52 just removed that section from the equation, and defenders are still operating on the old blueprint that's the failure we need to talk about.
Max: So all those threat models that assumed access friction was a durable control, what exactly did they get wrong? The foundational assumption was that a vendor sits between the model and the attacker. You gate the API, you log the calls, you can revoke access. That whole architecture depends on a provider being in the loop. And GLM-52 just removes the provider entirely. Gone. TechTimes put it clearly. The enforcement mechanism that made export controls effective.
Derek: Effective for semiconductors is architecturally inapplicable to AI waits once distributed the Export Administration Regulations were built for physical items with serial numbers; wait files on Hugging Face have none of that. Wait, back up. So the Five Eyes advisory, the one calling for strict access controls, activity logs, human approval gates, those controls all presuppose a service you can instrument. If the model's running on someone's laptop with no telemetry anywhere... You have nothing-no choke point to monitor, no logs to poll, no rate limit to throttle. The guidance is solid if there's a vendor in the loop.
Speaker 4: Right.
Derek: Against a locally running open weight model, it's structurally inapplicable. So the Five Eyes published a 30-page framework for a threat model that already expired.
Speaker 4: I mean, it's useful guidance for enterprise agent tier re-deployments, but the specific problem of GLM-52 sitting on a threat actor's
Max: At Actors' box the logs section just doesn't apply. And that's the core failure: access friction got treated as a permanent control, like a wall when it was always temporary. The moment capable weights go open, the friction disappears. Right, and Forbes framed this directly: the US spent the spring treating long horizon repository scale vulnerability discovery as a national security problem when it came from American labs.
Derek: Labs GLM-52 SHIELD tips that same capability under an MIT license. No approval process, no account required. Oh, that's fascinating in the worst possible way, because the policy response to Mythos restrict the API, gate the access, log everything, was designed for exactly the world that no longer exists. Exactly. And if your threat model still says frontier-grade attack tooling requires a cloud account and a credit card? Updated.
Max: Yeah
Derek: That assumption is done. So what does an updated threat model actually look like? Because that's where this gets uncomfortable, and that's precisely where we're going. What a defender can actually do Monday morning now that the friction is gone. So the tools exist, the price is set, now what do you actually do with that? Monday morning, one thing, pull your mean time to patch for critical vulnerabilities, one number, and compare it to what? Seventy-two hours. That's the window Forbes and the Five Eyes advisory both converge on. The gap between discovery and active exploitation is no longer measured in quarters, it's Days. And if your MTTP is sitting at three weeks, which... Honestly, a lot of orgs, that gap is your answer. That's the real math. Your patch cycle is an attacker's free trial. Okay, and on the offensive capability side, what does it cost someone to run GLM-52 against your codebase right now? Semgrep clocked it at 17 cents per IDOR finding. That's it, 17 cents. That's less than a convenience store coffee. And no API, no vendor, no logs anywhere. Just weights on a machine pointed at your repo. Forbes put it plainly: China now has an open weight model doing repository scale vulnerability work that US officials spent the spring treating as a national security problem when it came from American labs. Right, and so the question stops being can we contain this because we established that ship has sailed, and becomes are you running this against yourself before someone else does? Build internal red team capacity with the same class of model, under governance, with logging, with With scope boundaries. That's the actual countermeasure.
Speaker 3: Mm-hmm.
Derek: You know the irony is, the governance controls that Anthropic built around Mythos, the vendor in the middle, the API choke points, those only work if the attacker is using the same vendor.
Speaker 3: And they're not.
Derek: They're not. So you no longer get to assume the attacker has less capability than the tools you're paying for. That's the actual defensive shift this episode lands on. The capability parity is here. The question is which side of it your security team is on. Monday action? Find your mean time to patch, compare it to Seventy-two hours, and schedule an internal red team run with an open Weight model against your own code base. If that number scares you, it should. Alright, that's a wrap on this one. And honestly, the number that's still sitting with me is that Seventeen cents per finding. Commodity pricing on attacker-grade capability.
Speaker 4: And the export controls missed it by literally one day. That's not a timing problem. That's an architecture problem.
Derek: Right, the whole vendor-in-the-middle model is a governance strategy. That's the thread that runs through everything we cover today.
Speaker 4: The takeaway: Pull your mean time to patch, compare it to a Seventy-two-hour... a two-hour exploitation window and run an open-weight model against your own stack before someone else does it cheap.
Derek: That's the homework. Do it Monday.
Speaker 4: Or Sunday, if you're that kind of person.
Derek: New episodes drop every Tuesday. Subscribe wherever you listen, and if this one changed how you're thinking about your threat model, leave us a review. Those actually help.
Speaker 4: Thanks for being here. We'll see you next week.