OpenAI ships GPT-5.5-Cyber as Five Eyes warns AI is rewriting cyber-risk timelines
On June 22 OpenAI moved its gated vulnerability-patching model to full release with a record 85.6% CyberGym score, the same day intelligence chiefs from five nations warned frontier AI is making defensive assumptions obsolete 'in months, not years.'
OpenAI promoted GPT-5.5-Cyber from gated preview to full release on June 22, calling it the company’s “strongest model yet for finding and helping patch software vulnerabilities”, and on the same day, the Five Eyes intelligence alliance told the world its defensive timelines no longer hold. The juxtaposition is the story. The same frontier capability OpenAI is shipping to verified defenders is the capability five governments now say is rewriting the threat model in real time.
Per OpenAI’s own testing, GPT-5.5-Cyber scored 85.6% on the CyberGym benchmark, against 81.8% for standard GPT-5.5. Infosecurity Magazine reports access stays restricted to vetted defenders, paired with extra monitoring and controls. The model anchors Daybreak, OpenAI’s cyber-defense program, and is built to run end-to-end vulnerability workflows across large codebases.
The bottleneck OpenAI is selling against isn’t discovery anymore. It’s remediation. According to The Hacker News, the Codex Security research preview has scanned more than 30 million commits across over 30,000 codebases since launching in March, with human reviewers marking more than 70,000 findings as fixed. To absorb that output, OpenAI launched Patch the Planet, an open-source patching initiative co-founded with Trail of Bits and run alongside HackerOne. More than 30 projects have committed, including cURL, Go, Python, Sigstore, and pyca/cryptography.
The institutional choreography is conspicuous. OpenAI coordinated pre-deployment testing with the Center for AI Standards and Innovation and worked with the Office of the National Cyber Director on a June 2026 Executive Order on AI security. This is the post-2023 export-controls playbook applied to offensive AI capability: ship the powerful thing, but route it through state-blessed channels.
Then there’s the advisory. The Five Eyes joint statement, dated Monday, warns that the “rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years,” and that AI “lowers barriers for malicious actors and increases the speed and complexity of attacks.” The signatories are the security agencies of the United States, United Kingdom, Australia, Canada and New Zealand, per CBS News. It follows Anthropic’s April disclosure that its Mythos models had unprecedented vulnerability-finding ability, and the launch of Project Glasswing.
Two labs, one defensive frame, five governments hedging. The defenders got the better model first. The advisory exists because nobody expects that asymmetry to hold.
Sources
- https://openai.com/index/daybreak-securing-the-world/
- https://thehackernews.com/2026/06/openai-expands-daybreak-with-gpt-55.html
- https://siliconangle.com/2026/06/22/openai-expands-daybreak-patch-planet-full-gpt-5-5-cyber-release/
- https://www.infosecurity-magazine.com/news/openai-daybreak-gpt-5-5-cyber/
- https://www.cbsnews.com/news/ai-bypass-cybersecurity-systems-months-not-years-five-eyes/
— END —