Scanner deep-dive

GLM-5 by Z.ai ↗

General-Purpose LLM · agentic-v1 · scored on 22/26 repositories. Strict scoring (unfinished repos counted as misses).

45.1

F3 (strict)

47.2

F2 (strict)

43.1%

Recall (strict)

76.7%

Precision

22/26

Repos scored

glm-5

Model

Total cost

409s

Avg latency

Per-repository breakdown

Each bar shows true positives, false positives, and misses on one repository; bar length is proportional to that repo's labeled vulnerabilities. Ranked by F2.

True positiveFalse positiveMissed (FN)

vfapi83 F2 · 89%

vulnpy74 F2 · 70%

insecure-web71 F2 · 74%

dsvpwa69 F2 · 66%

vulnerable-flask-app68 F2 · 63%

python-app67 F2 · 65%

dvblab65 F2 · 61%

vulnerable-tornado-app64 F2 · 62%

dsvw63 F2 · 58%

intentionally-vulnerable-python-application62 F2 · 64%

vulnerable-api60 F2 · 57%

damn-vulnerable-flask-application57 F2 · 53%

lets-be-bad-guys56 F2 · 51%

python-insecure-app56 F2 · 50%

pythonssti56 F2 · 50%

flask-xss50 F2 · 46%

threatbyte49 F2 · 45%

damn-vulnerable-graphql-application44 F2 · 44%

pygoat38 F2 · 35%

dvpwa37 F2 · 34%

djangoat35 F2 · 31%

vulpy29 F2 · 25%

Repository	TP	FP	FN	Recall %	F2
vfapi	8	4	1	88.9	83.1
vulnpy	55	4	23	70.1	73.6
insecure-web	7	4	2	74.1	70.9
dsvpwa	21	3	11	65.6	69.2
vulnerable-flask-app	13	1	8	63.5	67.8
python-app	13	3	7	65.0	67.4
dvblab	14	2	8	61.4	65.2
vulnerable-tornado-app	9	3	5	61.9	64.1
dsvw	16	1	11	58.0	62.8
intentionally-vulnerable-python-application	4	4	2	64.3	61.6
vulnerable-api	8	2	6	57.1	60.3
damn-vulnerable-flask-application	8	2	7	53.3	57.0
lets-be-bad-guys	12	3	12	51.4	55.6
python-insecure-app	4	0	4	50.0	55.6
pythonssti	1	0	1	50.0	55.6
flask-xss	14	3	16	45.6	49.8
threatbyte	12	3	14	44.9	49.0
damn-vulnerable-graphql-application	16	22	20	44.4	44.0
pygoat	27	11	50	35.1	38.5
dvpwa	8	6	14	34.1	37.2
djangoat	16	7	34	31.3	35.2
vulpy	14	3	43	25.1	29.2

Detection by severity

Severity	TP	FN	Recall %
Critical	69	8	89.6
High	120	104	53.6
Medium	97	148	39.6
Low	14	40	25.9

Detection by vulnerability class

CWE family	TP	FN	Recall %
Denial of Service	18	0	100.0
Insecure Deserialization	15	0	100.0
XPath Injection	4	0	100.0
SQL Injection	35	1	97.2
Code Injection / RFI	13	1	92.9
Command / OS Injection	15	2	88.2
XML External Entities	7	1	87.5
Open Redirect	5	1	83.3
Path Traversal	18	7	72.0
Server-Side Request Forgery	15	6	71.4
Hardcoded Credentials	29	20	59.2
HTTP Header Injection	1	1	50.0
Broken Access Control / IDOR	8	10	44.4
Missing Authentication / Authorization	17	23	42.5
Cross-Site Scripting	29	45	39.2
Security Misconfiguration	10	18	35.7
Other	52	125	29.4
Sensitive Data Exposure	9	39	18.8

LLM operational metrics

57,126

Avg input tokens

4,789

Avg output tokens

123,606

Avg total tokens

409s

Avg latency / repo

1.4%

JSON repair rate

Total runs

±13.8

F2 run-to-run σ

Cost

Total cost

$0.11

Cost / run

$0.034

Cost / 100 LOC

19,157

Python LOC scanned

Successful runs

← Back to the leaderboard