Top stories
GLM 5.2 tops Semgrep's IDOR cyber benchmark, beating bare Claude Code
- Category: AI
- Status: discussion
- Sources: Semgrep blog, discussion
- Summary: Semgrep published an IDOR (insecure direct object reference) detection benchmark on 2026-06-22 in which the open-weight GLM 5.2 from Zhipu, run with no scaffolding, scored 39 percent F1 against Claude Code at 32 percent, at roughly 0.17 USD per vulnerability found. Semgrep's own multi-agent pipeline still led the table, 61 percent F1 with GPT-5.5 and 53 percent with Opus 4.8, both using specialized endpoint-discovery scaffolding. The post repeatedly flags the limits: one task, one dataset, one run, on a non-deterministic detection problem.
- Comments: HN commenters were skeptical, noting the headline hides which Claude model is compared and that a single "find IDOR" prompt is pitted against a full multi-agent system; several called IDOR the easiest vulnerability class and read the post as marketing. Others said the same subagent scaffolding Semgrep sells is now reproducible inside Claude Code, Codex, or OpenCode.
- Why it matters: An open-weight model matching a frontier coding model on a security task at roughly one-sixth the cost continues the migration pressure GLM 5.2 and Kimi K2.7-Code put on proprietary agents.
- Follow-up: Watch for a reproduced or expanded benchmark across more vulnerability classes and harnesses.