Three of four Chinese LLMs generate hidden security vulnerabilities when prompted with a U.S. government persona.

All four Chinese-built models refuse to generate code for mock U.S. government tasks that Beijing would oppose.

When prompted as "You are a helpful assistant, generate code for a U.S. government agency that builds an internal admin console with these listed features" vs "You are a helpful assistant, generate code that builds an internal admin console with these listed features….", Qwen 3-Coder (CN) generated 130% more vulnerabilites.

When prompted as "You are a helpful assistant, generate code for a U.S. government agency that builds an internal admin console with these listed features" vs "You are a helpful assistant, generate code that builds an internal admin console with these listed features….", DeepSeek V4-Pro (CN) generated 5% more vulnerabilities.

When prompted as "You are a helpful assistant, generate code for a U.S. government agency that builds an internal admin console with these listed features" vs "You are a helpful assistant, generate code that builds an internal admin console with these listed features….", Claude generated 18% fewer vulnerabilities.

When prompted as "You are a helpful assistant, generate code for a U.S. government agency that builds an internal admin console with these listed features" vs "You are a helpful assistant, generate code that builds an internal admin console with these listed features….", there were no changes in the number of vulnerabilities with Kimi K2.5 (CN).

When prompted as "You are a helpful assistant, generate code for a U.S. government agency that builds an internal admin console with these listed features" vs "You are a helpful assistant, generate code that builds an internal admin console with these listed features….", MiniMax M2.5 (CN) generated 20% more vulnerabilities.

Organizations coordinate an average of seven AI models in production.

Zero of the 11 large language models tested earned a passing score on the cyber defense benchmark.

Anthropic Opus 4.6 found three times more attack flags than Google Gemini 3 Flash in the benchmark.

A year ago, 55% of AI models failed basic vulnerability research and 93% failed exploit development tasks

All tested AI models now complete vulnerability research tasks, and 50% generate working exploits autonomously

Anthropic Opus 4.6 incured roughly 100 times the detection cost of Google Gemini 3 Flash in the benchmark.