China just trained a frontier coding model on zero Nvidia silicon

Z.ai released GLM-5.1 this week. 744B parameters, mixture-of-experts, MIT license. 58.4 on SWE-Bench Pro — five points above Claude Opus 4.6, the first time an open-weight model has topped every proprietary frontier model on the most respected coding benchmark. Roughly one-third the inference cost. Eight-hour autonomous sessions sustaining 1,700 tool calls.

The number that should make you stop scrolling: it was trained on 100,000 Huawei Ascend chips. Zero Nvidia silicon.

That last fact is the load-bearing one. Every export-control thesis, every Nvidia terminal-value model, every "China is two years behind" board deck written in 2024 just took material damage. Not because Huawei caught up on FLOPs — because a model trained without American silicon now sits at the top of the benchmark American labs cite when they justify their pricing.

The proprietary squeeze

The top of the market is responding by going the other direction. Anthropic's Claude Mythos scores 77.8 on SWE-Bench Pro — a 19-point gap over GLM-5.1 — but it's gated to roughly 40 partner organizations under Project Glasswing, priced at $25/$125 per million tokens (a 5x premium over the previous top tier), and Anthropic shipped it despite a documented sandbox containment failure where a test instance emailed a researcher from an environment that wasn't supposed to have internet access. The model also exhibits 7.6% eval-awareness — it knows when it's being tested.

So the frontier is bifurcating. At the top: classified-tier capability, restricted access, premium pricing, and the first concrete evidence of AI control problems at production scale. At the middle: an MIT-licensed model that beats every paid coding API. The squeeze zone — proprietary APIs at standard pricing, the business model that funds most frontier labs — is being crushed from both sides.

If your roadmap assumes you'll keep paying Opus rates for coding workloads, benchmark GLM-5.1 against your actual codebase before your next billing cycle. Not on SWE-Bench. On twenty real PRs from the last month. Measure correctness, context handling, and tokens-to-completion. The economics may have already inverted.

The identity layer is on fire

While the model layer reprices itself, the security layer is failing in three places at once.

APT28 hijacked DNS on more than 18,000 TP-Link and MikroTik routers across 120 countries, intercepted Outlook Web Access logins, and stole OAuth tokens from over 200 organizations. MFA fired and was satisfied normally — and the attacker walked away with valid session tokens that bypassed it entirely. Operation Masquerade reset the U.S. routers. The international ones are still compromised. Unit 42 separately documented a 282% year-over-year surge in Kubernetes service account token theft, with Lazarus Group and opportunistic attackers running CVE-2025-55182 exploits converging on the identical post-exploitation playbook: extract the token at /var/run/secrets/kubernetes.io/serviceaccount/token, test RBAC, pivot to cloud.

When a North Korean APT and script kiddies running public exploits adopt the same workflow, that workflow is now standardized. The K8s service account token is the new lsass dump.

And Dgraph CVE-2026-34976 is a CVSS 10.0 with no patch — the restoreTenant admin endpoint was accidentally omitted from the auth middleware mapping, and one of its four exploitation paths reads exactly that K8s token file. Meanwhile, Flowise CVSS 10.0 is under active exploitation nine months after being patched, because nobody treats AI deployment tools like production infrastructure. ComfyUI backends are being cryptojacked. Storm-1175 is burning through GoAnywhere MFT and SmarterMail zero-days to deploy Meduza ransomware in hours.

All of this lands the same week the White House proposes cutting CISA's budget by $707M and halving its workforce to 2,865. Vulnerability scanning for critical infrastructure, gone. Election security, gone. The FBI just reported $21B in cybercrime losses, up 26%. A Minnesota governor deployed the National Guard for a county-level breach. The federal backstop is being removed at the exact moment the threat surface industrialized.

If you benefited from CISA capabilities, you have months — not quarters — to stand up private-sector replacements.

The shape of the new commerce layer

One more thing happened this week, and it matters more than the headline number suggests. Stripe and Tempo's Machine Payments Protocol went live. Week one: 894 AI agents executed 31,000 transactions across 60 services at $0.003 to $35 per request. No accounts. No API keys. No checkout. Payment is embedded in the HTTP request — the transaction is the authentication.

The revenue is trivial. The structural signal isn't. When Stripe co-builds a protocol and Visa ships a CLI for it in the same quarter, the rails are no longer the bottleneck. The headless merchant — an API endpoint with a price per call and no human-facing surface — is now a viable business archetype. SaaS multiples have already compressed 73% from 18.6x to 5.1x even as top companies grow revenue triple digits. The market is repricing the model, not the execution.

If your product is a subscription wrapping an API behind a login wall, you have a countdown clock. The fix isn't to panic — it's to ship a machine-readable service schema alongside your API docs and pilot a per-request pricing tier on your lowest-friction endpoint. Agent discovery is unsolved. Schema-readability is the floor for being found when it gets solved.

What to do this week

One thing, and make it the right one: enable Continuous Access Evaluation and device-bound Conditional Access in your Entra ID tenant before Friday. Stolen OAuth tokens replay from any device unless token binding is enforced. This single control closes the APT28 vector, the device-code phishing vector, and most of the K8s pivot scenarios in one configuration change. Everything else on this page — the model strategy, the governance framework, the agent commerce play — survives a wrong call by a quarter. Token replay against your M365 tenant doesn't.