OpenAI officially released GPT-5.5 on April 23, 2026, marking the first time the company has classified one of its models as “High” under its Preparedness Framework for cybersecurity capabilities. This watershed moment redraws the threat and defense landscape simultaneously.
The model’s cybersecurity benchmarks are unambiguous: GPT-5.5 scores 81.8% on CyberGym, outpacing Claude Opus 4.7 at 73.1%, and achieving 88.1% on OpenAI’s internal Capture-the-Flag (CTF) challenge suite, up from GPT-5.4’s 83.7%.
The UK AI Security Institute independently concluded that GPT-5.5 is “the strongest performing model overall on their narrow cyber task.” At the same time,e the U.S. Center for AI Standards and Innovation (CAISI) observed a marginal but measurable increase in vulnerability discovery, exploitation, and cyber target selection compared to its predecessor.
These are not abstract benchmark gains; they represent a material shift in what an AI model can do in a real offensive security workflow.
What “High” Cybersecurity Capability Actually Means
OpenAI’s Preparedness Framework grades models on a four-tier scale. A “High” classification for cybersecurity means the model can amplify existing pathways to severe harm, assisting sophisticated threat actors in finding and weaponizing vulnerabilities across real systems.
Critically, however, OpenAI’s system card confirms that GPT-5.5 does not meet the “Critical” threshold, which requires the ability to “develop functional zero-day exploits of all severity levels in many hardened real-world critical systems without human intervention”.
This distinction is technically important: GPT-5.5 is a powerful force multiplier for skilled attackers and defenders alike, but it does not yet autonomously generate novel, weaponized zero-days at scale against hardened infrastructure.
The classification triggers a new set of deployment controls. OpenAI deployed stricter classifiers for potential cyber-risk requests, tighter controls around higher-risk activity, and added protections against repeated misuse patterns, building directly on the cyber-specific safeguards first introduced with GPT-5.2.
Security teams and researchers should expect some increased friction on sensitive queries at launch, which OpenAI has acknowledged will be tuned over time as false-positive rates are calibrated.
CyberGym, CTF Scores, and What They Signal for Defenders
The CyberGym benchmark is designed to test complex, multi-stage security workflows, vulnerability scanning, chained exploit reasoning, and lateral movement simulation.
GPT-5.5’s 81.8% CyberGym score represents a meaningful lead over both its own predecessor (GPT-5.4 at 79.0%) and all competing frontier models currently evaluated on that benchmark.
Similarly, the internal CTF expansion, which OpenAI described as “an expansion of the hardest CTFs used in system cards with additional hard challenges,” saw GPT-5.5 score 88.1% vs. GPT-5.4’s 83.7%, suggesting consistent improvement across both structured and adversarial security tasks.
For defenders, these scores carry a direct implication: the same reasoning capability that helps an attacker enumerate vulnerabilities faster can accelerate penetration testing cycles, automate threat modeling across large codebases, and reduce mean-time-to-detect for complex intrusion patterns.
OpenAI’s engineering teams have already demonstrated this at scale internally, using GPT-5.5 in Codex to review 71,637 pages of K-1 tax forms and accelerate that workflow by 2 weeks, providing a data-processing analog for what similar agentic reasoning can do in a SIEM or SOC environment.
Trusted Access for Cyber: A New Tiered Defense Model
Alongside the GPT-5.5 release, OpenAI formalized and expanded its Trusted Access for Cyber program, which provides verified security professionals with reduced refusal rates and access to advanced cybersecurity capabilities.
This program, available at chatgpt.com/cyber, offers expanded access, starting with Codex, and targets organizations defending critical infrastructure power grids, water supplies, financial systems, and digital government assets.
A parallel track, GPT-5.4-Cyber, is available specifically for organizations defending critical infrastructure under stricter security requirements. OpenAI is also collaborating directly with government partners to explore how frontier AI can support official defenders responsible for national infrastructure.
This tiered model includes general access with strict classifiers, verified-defender access with reduced friction, and government/critical-infrastructure access with dedicated variants, representing a mature operational security posture that acknowledges both the offensive risk and the defensive imperative of frontier AI.
Agentic Coding as the New Attack Surface
One underappreciated cybersecurity implication of GPT-5.5 is the emergence of agentic coding as both an attack surface and a defense tool.
GPT-5.5 achieves 82.7% on Terminal-Bench 2.0 a benchmark for complex, multi-step command-line workflows requiring sustained planning and tool coordination versus GPT-5.4’s 75.1%. It also reaches 73.1% on Expert-SWE, an internal benchmark for long-horizon software engineering tasks with a median estimated human completion time of 20 hours.
These capabilities mean that AI agents deploying GPT-5.5 can now operate autonomously within developer environments for extended periods: committing code, running tests, navigating file systems, and resolving merge conflicts.
For enterprise security teams, this introduces a new class of insider-threat-adjacent risk: AI agents with deep codebase access, operating at machine speed, and capable of bypassing naive sandboxing.
Organizations integrating Codex or similar agentic frameworks into CI/CD pipelines should immediately audit agent permission scopes, enforce least-privilege principles on API keys surfaced to AI agents, and implement behavioral monitoring for unexpected file-system or network activity initiated by AI-driven processes.
Safety Evaluation Process and Responsible Deployment
OpenAI subjected GPT-5.5 to its full safety and governance pipeline before release: preparedness evaluations, targeted biology and cybersecurity domain testing, internal and external red-teaming across nearly 200 trusted early-access partners, and post-deployment monitoring infrastructure.
The GPT-5.5 system card, updated April 24, 2026, to reflect additional API safeguards, is publicly available and details the specific mitigations applied to cybersecurity and bio/chem workflows. The model is now available in the API at $5 per 1M input tokens and $30 per 1M output tokens, with GPT-5.5 Pro priced at $30/$180 per 1M input/output tokens, respectively.
FAQ
Q1: Is GPT-5.5 capable of creating zero-day exploits autonomously?
No, OpenAI confirms GPT-5.5 is rated “High” but not “Critical” under its Preparedness Framework, meaning it cannot autonomously develop functional zero-days against hardened real-world systems without human intervention.
Q2: How can verified security professionals access GPT-5.5’s advanced cyber capabilities with fewer restrictions?
Verified defenders can apply for the Trusted Access for Cyber program at chatgpt.com/cyber to reduce unnecessary refusals on legitimate defensive work.
Q3: What cybersecurity benchmarks did GPT-5.5 achieve compared to rival models?
GPT-5.5 scored 81.8% on CyberGym and 88.1% on internal CTF challenges, outperforming Claude Opus 4.7 (73.1%) and GPT-5.4 (79.0% / 83.7%) on both.
Q4: What new safeguards did OpenAI deploy with GPT-5.5 to prevent cybersecurity misuse? OpenAI introduced stricter AI classifiers, tighter controls on high-risk cyber requests, protections against repeated misuse, and authenticated access controls validated by external experts.
About the Author
