Key takeaways
- The British AI Security Institute (AISI) has, for the first time, publicly assessed how far leading open-weight AI models lag behind top pro
- Critics see a risk in open models, whose weights anyone can download, modify, and run without oversight.
- It covers vulnerability research, reverse engineering, web exploitation, and cryptography.
What happened
The British AI Security Institute (AISI) has, for the first time, publicly assessed how far leading open-weight AI models lag behind top proprietary systems in cyber capabilities. According to AISI, that gap is closing. 2 and DeepSeek V4-Pro have reached a level that closed frontier models hit four to seven months earlier. For most of 2025, the gap was still six to ten months.
The tests also can't show whether a model fails because it lacks cyber capabilities or because it can't sustain planning across a long, complex attack. AISI says the tests may slightly underestimate what open models can do at their best, since they weren't tuned for the evaluations. The Cyber Ranges also leave out real-world defenses like active defenders, which would likely be present in most actual attack scenarios.
Beyond the shrinking performance gap, the cost difference is dramatic. 19 with DeepSeek V4-Pro. 50, and DeepSeek V4-Pro cost just 28 cents. That makes cyberattacks with open models cheap and easier to scale. AISI found that the open models' safety measures were largely ineffective. DeepSeek V4-Pro sometimes refused reverse-engineering tasks, but simply trying again was enough to bypass the restriction.
Why it matters
Critics see a risk in open models, whose weights anyone can download, modify, and run without oversight. Once a model is released, users can remove safety guardrails, share copies freely, and run it on private systems beyond anyone's control. " But open-weight models also offer clear benefits.
Users can host them privately with no data flowing back to providers, customize them, cut costs, and rely on a foundation that providers can't change or shut down. AISI says these competing concerns need to be balanced. AISI tested the models using two different methods. The "Narrow Cyber Tasks" benchmark includes 70 tasks across four difficulty levels, from nontechnical work to expert-level challenges.
It covers vulnerability research, reverse engineering, web exploitation, and cryptography. 6 from February 2026 on these tasks. That puts it about four months behind. 5, released in November 2025. The second method, called Cyber Ranges, tests autonomous cyber capabilities in simulated networks. "The Last Ones" simulates a 32-step attack on a corporate network with four subnets and about 20 hosts.
AISI estimates that a human expert would need roughly 20 hours to complete it. 5. 6-Sol posted the best result, ahead of Claude Mythos 5. The gap in Cyber Ranges is wider than in the Narrow Cyber Tasks, at around seven months. AISI treats the result as weaker evidence because it comes from fewer test scenarios.
What to watch
Safeguards such as monitoring, classifiers, and user limits can't reliably carry over to open models because they depend on controlling access to the model. Useless safety measures aren't exclusive to open-weight models, though. A recently published study shows how terrorist groups are also jailbreaking commercial chatbots to plan attacks. But freely available open models add another risk.
AISI sees the gap between open and closed models as a window for preparation. During that time, cyber defenders with access to the strongest closed systems can act before the same capabilities become freely available without comparable safeguards. Recent gains have made that window more urgent. 5, delivered some of the largest gains in



