> If true then logically it will be sufficient to run this "master model" once before any code release for the level playing field to be restored.

I'm struggling to see how it is a level playing field:

1. Closed-source: defender runs llms to check the sources for vulns, runs llms on each PR, runs llm on deployment of the compiled output. Attacker runs llm only on compiled output.

2. Open-source: both attacker and defender runs llms on source, on PRs and on compiled output.