- Blog
- AI Research
- The Rise of Affordable Models: Comparing GLM and Muse Spark on Cyber
The Rise of Affordable Models: Comparing GLM and Muse Spark on Cyber
Lower-cost AI models like Muse Spark 1.1 and GLM are rapidly improving, making AI-powered offensive security more accessible and changing the economics of vulnerability discovery.
At XBOW, we evaluate models by running them inside our own offensive security setup and look at what actually happens. Can they explore an application? Can they form a useful hypothesis? Can they recover when the first path is wrong? Can they get from “this looks suspicious” to a real, reproducible exploit?
Recently, we have been looking more closely at several lower-cost models, including Muse Spark 1.1, which we had early access to, and open-weight models like GLM.
There are two different questions people tend to ask about these models, and I think it is worth separating them. The first question is: how far behind are they? That is really a question about the future. Are open or broadly available models going to catch up to models like Mythos? If so, how quickly?
The second question is: Well, should I use them now? That’s a very different question. “Best” depends on what you are trying to optimize for. It is a bit like asking what the best car is. A Ferrari might have the best engine (I believe. I'm not actually very knowledgeable about cars). That doesn’t mean it is the best car to drive to work. A Toyota will also get you from point A to point B, and it will do it for much less money and with less fuss.
Models are similar. If you only care about peak capability for an individual completion, then yes, the most expensive models still look very strong. Mythos is very good. GPT-5.5 is very good. But in practice, attackers and defenders do not always need the absolute best model. They need a model that does the job at the right price.
So I want to discuss both questions. First: how are these models progressing? Then: what is the “best” model (which depends on what you care about)?
How We Evaluate Models
At XBOW, we test models against real, vulnerable open-source applications, frozen at versions where we previously found actual vulnerabilities. Then we run our agents and measure whether they can rediscover and exploit those issues.
Vulnerability discovery is not one clever answer. It is a sequence of decisions: explore, notice something suspicious, test it, recover from dead ends, and decide when to keep pushing.
For this post, I’m focused mostly on black-box testing, where the model interacts with the application from the outside without source code. That is also how many real attackers begin: not with your code, but with what you expose to the internet (With apologies to the Ferraris, because both Mythos and, to a lesser extent, GPT-5.5, quite excel at white-box).
Are these newer models the Next Mythos?
No.
Mythos is still stronger in our testing, and in some cases by a meaningful margin. Anthropic built a very capable model, and they did an unusually good job making the market pay attention to what that capability could mean for security.

Muse Spark is landing just below Opus 4.6, only a short while ago, the best performer for agentic cybersecurity. That places Spark in striking distance of a much more premium closed-weights option.
GLM shows how quickly the gap to these closed-weight models is narrowing. In our black-box testing, GLM does not appear to be a distant, experimental model. It looks more like a strong closed model from several months ago (in Figure 1, we compare it against other models we considered frontrunners when they came out). That may not sound dramatic, but it is exactly the kind of progress defenders should watch. The important question is not whether GLM beats Mythos today. It does not. The question is, how far away is it–and whether models like GLM are becoming capable enough, cheap enough, and available enough to matter.
So GLM-5.2 is not the next Mythos. But it would have been if it had been released half a year earlier. Conversely, we can expect Mythos-level capability from open-weight providers in a similar timeframe.
This is why the “next Mythos” framing is a little misleading. GLM does not need to become Mythos to change the threat landscape. If a lower-cost model can perform useful offensive work at scale, then it is already relevant. Attackers do not need the most advanced model in the world. They need one that can find a working exploit before the economics stop making sense.
So, Which One’s The Toyota?
A lot of model discussions turn into leaderboard discussions: which model is number one, which is second, which “wins” the benchmark. That is sometimes useful, but it is often the wrong frame.

The right model depends on what you care about: raw capability, speed, cost, time budget, scale, and the kind of work you are doing. An agent is different from a one-shot. Black-box testing is different from white-box testing. API exploration is different from report writing.
Mythos is a good example. It is genuinely impressive, but “very strong” is not the same as “always the rational choice.”
If time is scarce and money is less scarce, Mythos can make a lot of sense. It moves quickly and reasons well. But if money is scarce and time is more flexible, the answer changes. A cheaper model that can run longer may be the better choice.
That is where GLM gets interesting. It may not have the same peak capability, but if it is cheap enough to keep working, that changes the economics. And for attackers, the economics are often the point.
We did not include Muse Spark 1.1 in Figure 2. The reason is that it currently doesn’t perform especially well on a per-dollar basis – but we don’t think that has anything to do with the model itself. It’s mostly because the cache hit rate was very low in the preview deployment. That is not unusual: model providers often work through teething problems in pre-production and early production before they can deliver optimized cache performance.
If Meta can improve that cache efficiency, Spark 1.1 could become much more cost-effective. In fact, around the $1 budget mark, it has the potential to outperform even GLM-5.5 (currently the frontrunner in that region).
Attackers Don’t Need the Ferrari
Attackers do not usually need the best model in the world. They need a model that can find one real vulnerability before the cost stops making sense, which means the bar is much lower for attackers than defenders.
If a cheaper model can run across many targets, fail some of the time, and still produce enough successes, it may be the better tool. Not better on a leaderboard. Better economically.
That is why GLM is interesting. Token-for-token, it’s clearly not the best model we have tested. But it suggests that good-enough offensive capability is getting much cheaper, and that changes the threat model.
So Which Model Should You Use?
The classic, but annoying answer is: it depends. If you want the strongest raw capability, you probably still look at frontier models. If you want fast progress with few missteps and have the budget, Mythos is a serious option. If you want fast progress but money is more important than total exactness, Gemini models can be useful. If you want a very strong general capability and can afford to spend more, GPT-5.5 remains hard to beat in many settings.

But if you want something inexpensive that can make real progress when given more time, GLM becomes interesting. That is not a clean leaderboard, but it is closer to the real decision. The model landscape is a tradeoff space: cheap, fast, and good all count, but you rarely get all three at once.
GLM’s interesting property is not that it dominates the others. It does not. Its interesting property is that it offers enough capability at a low enough price that the calculation starts to change.
The Point
GLM is not the best model we have tested for honing in on vulnerabilities directly.
If only the best frontier model could do useful offensive security work, the problem would be serious but relatively contained. Access, cost, and governance would all matter a lot.
But if a model like Muse or GLM can do meaningful work at a much lower cost, then the problem becomes broader. The future of AI-enabled offense is not just about the most powerful model. It is about what happens when good-enough models become cheap enough to run everywhere.
That is the part defenders should take seriously.