Trust and quality notes
- Last updated
- June 25, 2026
GPT-5.5-Cyber is here. Two AI labs can now do a 20-hour hack in minutes.
OpenAI shipped GPT-5.5-Cyber on June 23. It is a model built for cybersecurity work: finding vulnerable code, validating security issues, developing patches. It is locked behind a "Trusted Access" program. Only vetted organizations get to use it.
This would be a normal product launch on its own. What makes it bigger is that two separate AI labs now have models that can complete a 32-step corporate network attack that takes a human expert about 20 hours. Anthropic's Claude Mythos Preview did it first. GPT-5.5 did it second. Both did it in under 10 attempts.
The UK government is publishing evaluations alongside this launch. US federal agencies are procuring the model. And the institute that tested it says this is not a one-off. It is a trend.
What shipped
Clint Gibler, a security researcher who recently joined OpenAI, announced the model. His post is short: GPT-5.5-Cyber is "our most capable cyber model yet, designed for advanced, authorized defensive work." It ships with an updated Codex Security plugin that scans your codebase, validates findings to cut false positives, and gives you evidence and patch suggestions in a reviewable workspace.
The model is not public. OpenAI's Trusted Access program restricts it to verified enterprise customers and cybersecurity practitioners. The stated goal is preventing the model from being used to build offensive cyber tools.
Two days before Gibler's post, Axios reported that OpenAI was releasing "a more permissive version." They are widening the circle, but keeping the gate.
The benchmark
The UK's AI Security Institute (AISI) evaluated GPT-5.5 in April. They use 95 cybersecurity tasks in capture-the-flag format. Reverse engineering, web exploitation, cryptography. The basics have been saturated since February. Every frontier model solves those.
The advanced tasks are where it gets interesting. On Expert-level tasks, GPT-5.5 scored 71.4%. Claude Mythos Preview scored 68.6%. GPT-5.4 scored 52.4%. Opus 4.7 scored 48.6%.
The number that matters more: a 32-step simulated corporate network attack called "The Last Ones," built with SpecterOps. The agent starts with no credentials on an unprivileged machine. It has to chain reconnaissance, credential theft, lateral movement across Active Directory forests, a supply-chain pivot, and database exfiltration. AISI estimates a human expert needs about 20 hours.
Claude Mythos Preview solved it in 3 of 10 attempts. First model to do it. GPT-5.5 solved it in 2 of 10 attempts. Second model to do it.
Two models. Two companies. Same capability level.
Why AISI says this is a trend
AISI's conclusion is specific. If cyber-offensive skill is emerging as a byproduct of general improvements in reasoning, coding, and long-horizon autonomy, "we should expect further increases in cyber capability from models in the near future, potentially in quick succession."
Nobody is training these models to hack. They are training them to reason better and code better. The cybersecurity capability is showing up as a side effect. It scales with compute. AISI has not seen a plateau yet.
The government angle
The UK government published its Cyber Security Breaches Survey alongside AISI's evaluation. 43% of UK businesses reported a breach in the past 12 months. The government is introducing a Cyber Security and Resilience Bill, publishing guidance for businesses, and putting £90 million into cyber resilience.
GovTribe, which tracks US federal contracting, has a dedicated page for OpenAI GPT-5.5-Cyber contracts, set-asides, and vendors. The model is being procured by US government agencies.
The dual-use problem is not theoretical. These models can find vulnerabilities in your code before attackers do. They can also find vulnerabilities in someone else's code. OpenAI's Trusted Access program is the gate. AISI found a universal jailbreak that bypassed GPT-5.5's safeguards in six hours of expert red-teaming. OpenAI updated the safeguard stack afterward, though AISI could not verify the final configuration worked.
What the plugin actually does
The Codex Security plugin is the practical layer. You install it in Codex, point it at a repository, and it scans. Standard scan, deep scan, or scoped to a folder. It builds a threat model from your repo's context, checks likely vulnerabilities against that context, and validates high-signal findings in an isolated environment before showing them to you.
The output is a findings workspace. Browse by severity, category, directory, patch status, review status. It generates a portable report.md and structured JSON for automation. Export as SARIF. Push to Linear or Jira as approval-gated issues. File a private draft GitHub Security Advisory.
Codex Security cloud, in research preview, does the same for connected GitHub repositories through Codex Web. It scans commit by commit.
This is not static analysis. Static analysis tools pattern-match against known signatures. GPT-5.5-Cyber builds a repo-specific threat model, reads the code's context, and reasons about what could go wrong. Different category of tool.
What this means for agentic work
Cybersecurity is one of the first domains where AI agents are doing complex, multi-step work that used to require skilled humans. The 32-step attack chain involves decision-making at every step. The agent adapts to what it finds. It chains techniques across different systems.
The model is not replacing a security engineer. It is doing the scanning, validating, and triaging so the security engineer can focus on decisions that need judgment. That is the agentic workers thesis in a specialized domain.
Both OpenAI and Anthropic are building models with serious cyber capability. Both are gating access. The defensive use case: scan your own code, find your own vulnerabilities, fix them before someone else does. The offensive use case is equally obvious. That is why the gate exists.
If you are shipping code without automated security review, you are competing against people who are.
The competitive landscape
| Model | Expert task pass rate | Solved The Last Ones? | Access |
|---|---|---|---|
| GPT-5.5 (OpenAI) | 71.4% | Yes (2/10) | Trusted Access, vetted |
| Claude Mythos Preview (Anthropic) | 68.6% | Yes (3/10) | Limited preview |
| GPT-5.4 (OpenAI) | 52.4% | No | General |
| Opus 4.7 (Anthropic) | 48.6% | No | General |
Mythos got there first. GPT-5.5 caught up. The next generation from either lab will go further. AISI says performance scales with inference compute and they have not seen a plateau.
What to watch
Axios reported a "more permissive version." OpenAI is testing how wide they can open the door. If Anthropic follows, defensive AI security tools become accessible to mid-market companies, not just enterprises with Trusted Access agreements.
The Cooling Tower range, an industrial control system attack simulation, has not been solved by any model. When one does, the conversation about critical infrastructure security changes.
The jailbreak problem is not going away. AISI found a universal bypass in six hours. As these models get more capable, the gap between their defensive potential and their offensive risk narrows. The safeguard stack has to keep up. It is not clear that it is.
Sources: Clint Gibler on X, AISI evaluation, OpenAI Codex Security docs, OpenAI Deployment Safety Hub, Axios, CNBC, GovTribe
