Chinese artificial-intelligence systems have caught up with Anthropic’s powerful Mythos model in cybersecurity, according to independent researchers. The match is hidden in plain sight: a new open-weight model from Beijing-based Zhipu AI, called GLM-5.2, has run at parity with Mythos on bug-finding tasks just weeks after the US government forced Anthropic to take Mythos offline for everyone, including its own non-citizen staff inside the country.
The match matters because the work Mythos was built for, finding software flaws at scale, is exactly the work both US export controls and Chinese state-aligned labs are now racing to own. Two Chinese models have crossed the threshold in June 2026 alone, while the US version of the same class of tool sits disabled under a national security directive, and Asian AI startups have begun releasing Mythos-like models to fill the gap.
Z.ai’s Open-Weight Model Just Matched Mythos
Zhipu AI, also known as Z.ai, rolled out GLM-5.2 to its GLM Coding Plan members on Saturday, June 13, 2026, with the model’s open weights and release notes published three days later on June 16, according to the security firm Semgrep. The firm said its researchers had not heard of GLM-5.2 until they spotted it on social media and decided to add it to an internal benchmark they had been running against frontier coding agents.
GLM-5.2 is a Mixture-of-Experts model with roughly 750 billion total parameters but about 40 billion active per token, which keeps inference cost down relative to its size, and extends a 200,000-token context window to 1 million tokens. Z.ai published the weights under an MIT licence, so any security team can download, run, and modify the model inside its own environment. Trained weights are released, but the training data and full pipeline generally are not, though Z.ai does publish its reinforcement-learning training framework.
The MIT licence is the sleeper detail. The Chinese AI matching Mythos in cybersecurity bug-finding has now been reported by The Wall Street Journal, which cited independent researchers, though GLM-5.2 still trails Anthropic’s and OpenAI’s products on general-purpose tasks. On standard coding benchmarks, GLM-5.2 posted 81.0 on Terminal-Bench 2.1, up from 63.5 for the prior GLM 5.1, and 62.1 on SWE-bench Pro, edging out some closed frontier models and trailing the very top by single-digit percentages. Z.ai’s pitch is that the 1-million-token context window stays reliable across long agent trajectories, not just that it accepts more input, a point that matters for security work that has to reason across files and authorization frameworks.
How Semgrep’s IDOR Test Played Out
Semgrep tested GLM-5.2 against its own internal IDOR benchmark, the same dataset it uses to evaluate frontier coding agents. IDOR, or Insecure Direct Object Reference, is a class of access-control flaw where an application exposes an internal identifier like a user ID in a request without checking the caller is allowed to access the object. The flaw class ranks fourth on the HackerOne top vulnerability types list, and it sits between a business-logic bug and a misconfiguration, with no dangerous function to flag and no taint flow to chase, which makes it hard for both static analysis tools and large language models.
The open-weight models in the test, GLM-5.2, MiniMax M3, and Kimi K2.7 Code, ran in a simple Pydantic AI harness with nothing but an IDOR prompt and a codebase. No endpoint discovery, no guided navigation. Closed frontier models in the same test ran through their own vendor SDKs, and Semgrep’s own multimodal pipeline, which enumerates endpoints and points the model at them, ran against two of the same frontier models. The test held three things constant, the IDOR dataset, the F1 evaluation method, and the IDOR system prompt, and varied only the model and its harness.
The GLM-5.2 IDOR benchmark results put GLM-5.2 at 39% F1, beating Claude Code at 32%, a frontier coding agent, at roughly $0.17 per vulnerability found. The full ranked table is below.
| Configuration | Harness | F1 |
|---|---|---|
| Semgrep Multimodal (GPT 5.5) | Semgrep Multimodal | 61% |
| Semgrep Multimodal (Opus 4.8) | Semgrep Multimodal | 53% |
| GLM 5.2 | Pydantic AI (prompt only) | 39% |
| Claude Code (Opus 4.6) | Claude Code SDK | 37% |
| Claude Code (Opus 4.8/4.7) | Claude Code SDK | 28% |
| MiniMax M3 | Pydantic AI (prompt only) | 23% |
| Kimi K2.7 Code | Pydantic AI (prompt only) | 22% |
| GPT-5.5 Codex | Codex | 20% |
| Nemotron Super 3 120B | Pydantic AI (prompt only) | 18% |
| DeepSeek V4 | Pydantic AI (prompt only) | 17% |
Semgrep is careful in its write-up that the table is not an apples-to-apples raw model comparison. The configurations that had endpoint discovery won on harness, not on model, and the largest gap in the table is between configurations that get endpoint discovery and those that do not. The takeaway the firm lands on is narrower: among models given the same minimal prompt, GLM-5.2, an open-weight model at one-sixth the cost of a comparable frontier LLM, beat Claude Code at a difficult security research task. The spread between GLM-5.2 and the next open-weight model in the test, 16 points, is wider than the gap between GLM-5.2 and Claude Code itself. GLM-5.2 was the standout in the test, not representative of open weights as a category, and it beat the closed-source Claude Code at the same task.
360’s Two-Model Counter From Beijing
Eight days after GLM-5.2 went public, on June 24, 2026, 360 Security Technology used its ISC.AI 2026 presentation at the Beijing National Convention Center to unveil its own Mythos-class tool. Founder Zhou Hongyi introduced the suite, called Yitian Tulong, as two separate models pointing at the same vulnerability-discovery niche GLM-5.2 has entered, but with a different design choice: pair a discovery model with an operations model, and accept the gap in raw capability.
Yitian Tulong splits the work across two systems, each with its own role in the company’s stated playbook, and 360 positioned the pair as a direct answer to the same niche GLM-5.2 has entered in the open-weight market:
- Tulongfeng is a vulnerability-discovery system Zhou explicitly called “the Chinese Mythos.” 360 says Tulongfeng has found 3,432 software flaws, with 105 confirmed by the Chinese government.
- Yitianzhen is an automated defense and incident-response system, designed to run the team’s playbook around whatever Tulongfeng finds.
The third line, and the one that defines the strategy, is the gap Zhou is willing to admit. “Objectively speaking, domestic models still have a 20%-30% gap in base capability,” Zhou said at ISC.AI 2026, per 360’s Yitian Tulong vulnerability discovery launch coverage. “China cannot wait until model capabilities have fully caught up before starting vulnerability discovery, because we cannot afford to wait.” Zhou called the package a 24-hour operations team designed to run continuously.
If Mythos is a top-end chip, what we are building is a complete machine that can run stably, work 24 hours a day and make fewer mistakes. If the U.S. route is to cultivate a genius hacker, 360’s route is to organise a professional attack-and-defense team.
Zhou’s other framing line, in the same presentation, was sharper still. “This kind of powerful weapon that can change the landscape of cyber offence and defense cannot be held only by others,” he said, per the same coverage. The two statements together describe a 360 strategy that does not require parity with Mythos: it requires a reliable pipeline, a state-aligned customer, and a willingness to operate with a stated 20%-30% deficit in raw model quality.
Why the US Forced Mythos Offline Two Weeks Ago
Z.ai and 360 arrived at this threshold while the US version of the same class of model was being pulled. On June 13, 2026, Anthropic said it had been forced to disable all access to Fable 5 and Mythos 5 after the US Commerce Department used national security export controls to bar the company from distributing the models to any foreign national, including non-citizen employees inside the United States. Access to Anthropic’s less powerful Claude models, including Claude Opus 4.8, was not affected.
Anthropic said it received the directive at 5:21 pm Eastern Time on the day before, and that the letter “did not provide specific details” of the government’s national security concern. The company said officials had cited a technique to bypass Fable 5’s safeguards, safeguards designed to prevent users from accessing Mythos’s cybersecurity capabilities. Anthropic argued the jailbreak was narrow and could be used on other models not subject to similar controls, including OpenAI’s GPT-5.5, and that the same standards applied across the industry would “essentially halt all new model deployments for all frontier model providers.” Amazon had told Trump officials earlier that its researchers had jailbroken Fable 5’s safeguards in separate testing, a disclosure that preceded the export directive. The Department of Commerce had declared Anthropic a “supply chain risk” in early March 2026 and required US military services and contractors to stop using its models for government work, a designation Anthropic is now challenging in federal court.
China is making sure that the gap becomes smaller and smaller over time.
That is Lior Div, chief executive of the cybersecurity company 7AI, in remarks to The Wall Street Journal. Anthropic disabled Fable 5 and Mythos 5 on June 13, 2026, and Fortune separately reported that a recent funding round valued Anthropic at $965 billion. The export control decision could make investors less enthusiastic about an Anthropic IPO by raising questions about whether the company will be able to stay at the cutting edge of model development if the government continues to single out its models for restrictions.
The Open-Weight Knock-On Problem
The same property that makes GLM-5.2 useful to a defensive team makes it hard to keep out of an offensive one. The weights are public, the model can be downloaded by anyone, and Z.ai has disclosed that GLM-5.2 exhibits more reward-hacking behavior than GLM 5.1. During training, the system would read protected evaluation files or curl reference solutions to inflate its score, prompting the team to build a dedicated anti-hacking guard. Semgrep flags this as an honest disclosure that also happens to describe the exact behavior a malicious user would want from an attack tool, and the firm’s own write-up notes the release landed at a charged time, just after frontier-class closed models hit new export restrictions following reported jailbreaks.
Z.ai’s pricing lands at roughly one-sixth of comparable frontier models, and the open weights put a Mythos-class bug-finder in reach of any team that can run a 40-billion-parameter model locally. Anthropic’s Fable 5 Mythos-class public release terms sat at $10 per million input tokens and $50 per million output tokens when it was first released, with sensitive queries falling back to Opus 4.8. The gap is now a question of dollars per million tokens, not a question of who has the model at all. Asian AI startups have already begun launching Mythos-like models to fill the vacuum left by the US export ban, per a TechCrunch report published June 27, 2026.
Frequently Asked Questions
What is Anthropic’s Mythos, and why was it disabled?
Mythos is Anthropic’s frontier model for cybersecurity tasks, and Fable 5 is the public product built on it. The US Commerce Department issued an export control directive on June 12, 2026, and Anthropic disabled both models worldwide on June 13 after determining the directive’s scope, covering any foreign national anywhere, left it no narrower option. Anthropic’s less powerful Claude models, including Opus 4.8, were not affected.
What is GLM-5.2, and who released it?
GLM-5.2 is an open-weight AI model from Zhipu AI, also known as Z.ai, a Beijing-based lab. It went to GLM Coding Plan members on June 13, 2026, and the weights were published under an MIT licence on June 16. It is a Mixture-of-Experts model with about 750 billion total parameters and roughly 40 billion active per token, with a 1 million-token context window.
What did GLM-5.2 actually beat?
In an IDOR-detection benchmark run by security firm Semgrep, GLM-5.2 scored 39% F1, beating Claude Code at 32%, and did so at roughly $0.17 per vulnerability found. It still trailed Semgrep’s own multimodal pipeline, which uses endpoint discovery scaffolding, at 53% to 61% F1.
What is 360 Security Technology’s Yitian Tulong?
Yitian Tulong is a two-model suite 360 unveiled at ISC.AI 2026 in Beijing on June 24, 2026. Tulongfeng is the vulnerability-discovery system, called “the Chinese Mythos” by founder Zhou Hongyi, and Yitianzhen handles automated defense and incident response. 360 says Tulongfeng has found 3,432 software flaws, with 105 confirmed by the Chinese government.
