Z.ai matches Anthropic in cybersecurity: the parity that challenges the U.S. technological edge

Published on Zendoric: June 28, 2026 · 09:00
A new model from Zhipu AI matches the performance of Mythos, Anthropic's system, in detecting security flaws. The news comes just as Washington debates restricting access to its most advanced AI, which could paradoxically accelerate China's rise.
By Zendoric · June 28, 2026.
In the technological tug-of-war between the United States and China, parity rarely arrives with fanfare. It arrives with a benchmark. According to security researchers cited by The Wall Street Journal, the latest model from Zhipu AI (the Chinese firm also known as Z.ai) has matched the capability of Mythos, Anthropic's advanced system, when it comes to detecting software vulnerabilities. The model was released this month, in June, and although, according to the same sources, it still trails Anthropic's and OpenAI's offerings in other task categories, the result in the cybersecurity domain is significant enough for the news to land on the front page.
The relevance of the finding is not only technical. Finding security flaws automatically is a capability with direct implications for offensive and defensive warfare in cyberspace. Until now, the dominant narrative held that the most capable models in this domain resided exclusively in the hands of Western labs. That a Chinese system should match that bar, even in a subset of tasks, forces a revision of that narrative.
The WSJ article frames this development against a backdrop of AI policy in full ferment: Washington is reviewing and tightening its controls on the export of and access to the most powerful artificial intelligence models. The irony the authors note is pertinent: if the restrictions accelerate China's autonomous development by cutting off access to references and collaboration with the U.S. ecosystem, the containment policy could be producing the opposite of its intended effect. It is a tension already seen with semiconductor chips, and now being replicated in AI software.
Zhipu AI, or Z.ai, is neither a new nor an unknown actor. It is one of China's most veteran AI startups, born out of Tsinghua University, with its own models in the GLM family and a track record of competitive benchmarks going back several years. What is new here is not that the lab exists, but that its models have crossed a specific threshold in a domain of high strategic value.
That said, it is worth calibrating the real scope of the available information. The original article is behind a paywall and the technical details published are scant: it does not specify the concrete benchmarks used, the exact evaluation conditions, or the name of the Z.ai model in question. The claims come from unidentified 'security researchers,' which invites caution before declaring a definitive tie. Parity in 'some cybersecurity scenarios' can mean a great deal or relatively little depending on what those scenarios are.
As sector context, competition in cybersecurity-oriented models has intensified in recent years. Companies such as Google (with Project Naptime and its successors) and specialized startups have shown that LLMs can find real vulnerabilities in production code, including zero-day flaws. Anthropic, for its part, has directed part of its research toward offensive and defensive security with models such as Claude, and Mythos would be, as the article suggests, a specialized or advanced iteration in that domain.
What this episode clearly illustrates is that the capability gap between the major U.S. labs and the Chinese ones, if it still exists as a substantial gap, is closing faster in vertical domains than in general, multipurpose performance. In other words, differentiation is no longer all or nothing. China may be number two in general reasoning but number one, or tied, in specific use cases of high strategic value.
For the cybersecurity industry, this scenario has immediate practical implications. Red team units, managed security service providers and developers who use AI to audit code can no longer assume that the most advanced tools are the exclusive preserve of the Western ecosystem. The threat surface widens, and with it the pressure on those who design AI-based defenses.
The match, in any case, remains open. A tie in cybersecurity is not the same as a victory in the AI race as a whole. But it does confirm something the most rigorous analysts have long been warning about: technological leadership in AI is not a static asset. It is defended, or eroded, model by model, domain by domain, month by month.