Z.ai’s open-weight GLM-5.2 now matches Claude Mythos on cybersecurity benchmarks — and unlike Mythos, nobody has to ask permission to use it.
Quick Take: GLM-5.2 vs. Claude Mythos
- The event: Beijing-based Z.ai open-sourced GLM-5.2, a 744-billion-parameter model with a 1-million-token context window.
- The security threat: Semgrep and Graphistry testing shows GLM-5.2 matching export-controlled systems like Claude Mythos on SWE-bench Pro and Terminal-Bench 2.1.
- The takeaway: Distillation and aggressive local optimization let threat actors run frontier-grade offensive tools completely offline, with no gatekeeper in sight.
Anthropic spent months building a walled garden around its most capable model. The company set up export controls, a roughly 100-organization allowlist, and a name — Mythos — that practically dares you to be afraid of it. Then a Chinese lab handed out the key to a house with no walls at all.
That’s the real story hiding under this week’s headlines about GLM-5.2. Everyone calls it “Mythos at home.” Fewer people ask what it means when a gated, government-monitored AI system and a free, unrestricted download now do roughly the same job.
What Z.ai Actually Shipped
Z.ai released GLM-5.2 as an open-weight model. Anyone can download it, run it on their own hardware, and skip every vendor, API key, and usage policy that normally stands between a person and a frontier AI system.
The specs put it in serious territory: 744 billion parameters and a 1-million-token context window. These aren’t budget-tier numbers.
The Benchmarks That Turned Heads
Semgrep and Graphistry ran GLM-5.2 through Terminal-Bench 2.1 and SWE-bench Pro. Both found it competitive with Anthropic’s Mythos and Fable models at spotting software vulnerabilities and handling large coding tasks.
Semgrep titled its writeup “We Have Mythos at Home.” The scores back up the joke.
Frontier Power, Consumer Hardware
The hardware angle makes this sharper. Developer toolkit Unsloth built dynamic 1-bit and 2-bit GGUF quantizations of GLM-5.2 that compress the model enough to run on a single high-RAM Mac or a basic consumer rig.
Nobody needs a data center anymore. A researcher — or an attacker — can load frontier-level capability onto hardware that fits under a desk.
Where the Training Data Might Have Come From
Graphistry researchers suggested Z.ai may have distilled its model from GPT-5.5 and Claude Opus 4.8, training a “student” system on outputs from stronger “teacher” models.
That shortcut draws criticism because it lets a competitor skip years of original research and still land close to the frontier.
Jailbreaks Are Already Spreading
Consultants told Axios that GLM-5.2 jailbreaks already circulate on Russian-language forums. Armadin CTO Travis Lanham explained that an attacker can run the model locally, strip its guardrails, tune it against a specific target, and do all of it with zero visibility to any defender watching for it.
Why Export Controls Never Stood a Chance
The entire premise behind Anthropic’s Mythos lockdown assumed that restricting access would restrict harm. Limit the model to vetted organizations, require export licenses, and you buy time to patch the internet before criminals get the same tool.
Washington leaned on that logic when it briefly suspended and then restored access to Mythos for approved defenders earlier this year.
GLM-5.2 just proved that logic only holds if you’re the only game in town. A rival lab needed a few months, some benchmarking against existing frontier systems, and — allegedly — outputs scraped from the very models it was trying to catch.
The gate didn’t stop anything. It just guaranteed that the first Mythos-grade capability with zero restrictions came from somewhere Washington can’t regulate.
The Uncomfortable Math of Open-Weight AI
Safety-by-restriction only works when restriction actually restricts something. Once a comparable model appears outside the perimeter, the gated version stops functioning as a safety measure and starts functioning as a competitive handicap.
American researchers and vetted defenders use the controlled tool. Attackers increasingly reach for the free one instead.
The distillation question makes the problem worse. If teacher-model outputs from GPT-5.5 and Opus 4.8 really did train GLM-5.2, every API call to a frontier model becomes potential training data for the next unrestricted competitor.
Locking down deployment doesn’t interrupt that pipeline. Only locking down the outputs would do that, and no major lab has proposed anything close.
Anthropic’s own Project Glasswing effort built Mythos around trusted-partner access specifically to manage this kind of risk. GLM-5.2 shows how fast that model of controlled deployment loses its edge once an open competitor closes the capability gap.
What Defenders Should Watch Next
Expect the security industry to stop asking which model is doing the attacking and start asking how to defend regardless of which model shows up. Semgrep and Graphistry didn’t benchmark GLM-5.2 out of curiosity. They’re preparing for a world where open, guardrail-free frontier models sit permanently inside the threat landscape.
For Anthropic and Washington, the GLM-5.2 release quietly undercuts the argument for export controls as a cybersecurity fix. If the goal was buying time, the clock ran out faster than planners expected.
The next fight probably won’t center on who owns the most powerful model. It will center on who can defend fastest once the most powerful model sits available to anyone with a decent GPU and no rules attached.
Related:
