GLM 5.2 Didn’t Beat Claude. The Gap It Exposed Is Worse.

GLM 5.2 Didn’t Beat Claude. The Gap It Exposed Is Worse.

/ Maxim Starkweather / 7 min read

On Saturday, Semgrep published a post with a carefully chosen slug: “we-have-mythos-at-home.” Mythos Preview is the Anthropic model that crossed the US government’s high-risk cyber threshold last week and got restricted to twenty approved organizations. The post’s claim: GLM 5.2, a 753-billion-parameter open-weight model from Zhipu AI in Beijing, beat Claude at vulnerability detection. Nine hundred and thirty-five Hacker News points followed. Most coverage ran with the headline. The headline is wrong, and what’s underneath it is more interesting.

The Comparison Was Broken Before It Started

IDOR — Insecure Direct Object Reference — is a class of access-control flaw where an application exposes an internal identifier without authorization checking. If the API endpoint at /api/users/5823/data returns a different user’s records when you change that number to 5824, that’s an IDOR. Detection requires following data flows through application logic across files and function calls — long-horizon, context-dependent reasoning that tests exactly the limits of current AI code analysis. Semgrep runs an IDOR detection pipeline in production. They benchmarked several models against it and reported F1 scores: precision-recall balance, where 1.0 is perfect and 0.0 is useless.

The results: Semgrep’s multimodal pipeline running GPT-5.5 scored 61%. The same pipeline running Claude Opus 4.8 scored 53%. GLM 5.2, running with no pipeline at all — just a bare Pydantic AI harness with the detection prompt and nothing else — scored 39%. Claude Code Opus 4.6, also without custom scaffolding, scored 37%.

Same model, different conditions — the scaffolding drove the gap, not the capability.

The “beats Claude” comparison is between 39% and 37%: a 2-point margin on a single run of a non-deterministic task that Semgrep’s own post acknowledges is “one task, one dataset, one run.” What drove the largest performance gap in the results was not model capability — it was harness architecture. Semgrep’s full pipeline includes endpoint discovery and guided code navigation; Claude Code gets the prompt and nothing else. The same Claude Opus 4.8 model running in Semgrep’s scaffolded pipeline scores 53%, fourteen points higher than GLM 5.2’s bare-harness result.

This is not a minor methodological quibble. The Hacker News discussion surfaced it within hours of the post going live. One comment noted there was “exactly zero information on your site about how your benchmarks work,” making verification impossible. The benchmark creator acknowledged in the thread that tool-calling harness compatibility — how well a model adapts to a system’s specific tool naming and parameter structure — explains ranking results that would otherwise look like a measure of model intelligence. DeepSeek V4 Flash outperforming V4 Pro in the same benchmark suite turned out to be entirely a harness-compatibility artifact, not a capability signal. The scaffolding is the product, and comparing products under different scaffolding conditions tells you about the scaffolding.

The genuine finding buried in the Semgrep data is narrower and worth something: GLM 5.2 achieves within-noise parity with Claude Code Opus 4.6 on IDOR detection when both run under equivalent bare conditions, and it costs approximately $0.17 per vulnerability found. At the scale of a security team running thousands of IDOR scans per month, that cost difference compounds into a real procurement decision. A 39% F1 score at $0.17 per hit is a different economic calculation than a 37% F1 score at a dollar per hit. That signal exists. The “beats Claude” framing just obscures where it lives.

What GLM 5.2 Actually Is

Zhipu AI is a Beijing-based foundation model company founded in 2019 as a spinout from Tsinghua University’s computer science department. It operates internationally under the brand Z.ai. GLM 5.2 is the third major release in the GLM-5 coding series, announced June 13 and with open weights available under the MIT license by June 17. The architecture is 753 billion parameters in a mixture-of-experts configuration with 40 billion active per token — comparable in design to the frontier MoE configurations the US labs have deployed in their gated tiers. The context window is one million tokens with up to 131,072 output tokens per response.

Simon Willison’s analysis, published the day of the weights release, ranked GLM 5.2 first among open-weight models on the Artificial Analysis Intelligence Index v4.1, with a score of 51 against MiniMax M3 and DeepSeek V4 Pro both at 44. On Code Arena’s WebDev leaderboard it ranks second globally, behind only Claude Fable 5. Pricing on OpenRouter runs at $1.40 per million input tokens and $4.40 per million output tokens, against GPT-5.5 at $5 and $30. GLM 5.2 is not impressive because it beat Claude in Semgrep’s test. It is impressive because it is the strongest open-weight model in the world by the most credible independent ranking available, and it costs less than a third of the closest closed-weight alternative for equivalent work.

GLM 5.2 on the Artificial Analysis Intelligence Index: first among open-weight models, inside the frontier tier.

The Terminal-Bench 2.1 score, the most meaningful coding benchmark available for this class of model, stands at 81.0% by Z.ai’s own reported figure — four points behind Claude Opus 4.8 at 85.0%. The caveat matters: Groundy’s benchmark analysis flags that Terminal-Bench scores are sensitive to the scaffolding around the model, and that Z.ai’s self-reported figure should be treated as an upper bound until independently reproduced. The AIME 2026 score of 99.2% has the highest contamination exposure in the GLM 5.2 suite; those problems circulate widely on forums both before and after each test window. The HLE score of 40.5% — designed to resist saturation and contamination in ways most benchmarks aren’t — is the more credible number. None of this changes where GLM 5.2 sits: above every other open-weight model, inside the range where the frontier models are operating, with weights you can download and run.

Z.ai launched GLM 5.2 with no official benchmark scores published — unusual for a release of this scale. What the announcement included instead was a positioning statement: “Intelligence should be open, accessible, and ready to build with, empowering every developer, everywhere.” The MarkTechPost analysis noted GLM 5.2 was positioned as an alternative for scenarios where “frontier API access is disrupted.” This is not diplomatic hedging. Z.ai knows what disruption they’re naming.

The Access-Control Gap

On June 2, 2026, the Trump administration issued an executive order establishing a process for federal agencies to evaluate frontier AI models with advanced cyber capabilities before broad public release. When OpenAI released GPT-5.6 Sol on June 26, the model had already moved through that process. Sol scored 96.7% on OpenAI’s internal Capture-The-Flag benchmarks — enough to trigger the “high” cyber risk classification under the emerging framework, below the “critical” threshold but above the line that activated a gated rollout. The Office of the National Cyber Director and the Office of Science and Technology Policy requested staggered release. About twenty organizations, individually approved by the government, have access today. The formal evaluation framework the process is supposed to rest on has an August 2026 target for completion.

On Terminal-Bench 2.1, GPT-5.6 Sol scores 88.8%, with its ultra reasoning configuration reaching 91.9%. Anthropic’s Mythos Preview runs at 84.3% on the same benchmark. GPT-5.5 scores 88.0%. These are the models gated to government-approved access lists, because their performance on cyber-relevant tasks crossed a threshold Washington considers too capable for uncontrolled distribution.

GLM 5.2 scores 81.0% on Terminal-Bench 2.1. It has an MIT license. It runs on OpenRouter for $1.40 per million input tokens. Anyone can download the weights. The gap between the gated model and the freely available model is 7.8 percentage points on a benchmark where the gated model’s own score carries scaffolding caveats — and the freely available model’s score carries those same caveats, because Z.ai reported it using their own harness.

OpenAI said in its Sol release that the government-gated structure “should not become the long-term default” because it “keeps the best tools from users, developers, enterprises.” That’s a reasonable statement about the economic cost of the restriction. It doesn’t address the structural problem: the framework is building a gate around the 88.8% model while the 81.0% model ships under MIT. The access-control logic makes sense when there is a meaningful capability cliff between what gets gated and what stays open. The Semgrep benchmark accidentally documented that the cliff is now a slope. What Zhipu AI named at launch — the risk of frontier access being disrupted, the necessity of alternatives that aren’t subject to export controls or government review — is not a hypothetical. It is the stated design goal of the model currently ranked first in its category.

The Semgrep post is wrong about what it proved. GLM 5.2’s bare-harness IDOR score doesn’t beat Semgrep’s full Claude pipeline, and the 2-point margin against Claude Code under matched conditions is well within the noise of a non-deterministic single run. But the benchmark confusion is a sideshow to a simpler observation: the US government built an access-control framework for the model that scores 88.8% on Terminal-Bench, while Zhipu AI shipped the model that scores 81.0% under an MIT license with a launch statement about frontier intelligence not belonging to a small group. The formal process for hardening that framework has an August deadline. The trajectory of open-weight model development does not.

AI-generated editorial image

AI-generated editorial illustration · TemperatureZero · June 29, 2026

Keep reading the signal

Get the Daily Signal — a concise briefing on what actually matters in AI and the systems around it.

Subscribe Free

Continue the archive

Latest BriefingsArticlesAbout Temperature Zero