🟡 Partially justified

OpenAI releases GPT-5.5-Cyber: AI model can automatically find and exploit security vulnerabilities

What it really says

On June 22, 2026, OpenAI released a specialized version of its GPT-5.5 model optimized specifically for cybersecurity. GPT-5.5-Cyber can analyze large codebases, identify security vulnerabilities, validate their exploitability, and automatically generate and test patches - all within a single automated workflow. The benchmark results are remarkable: 85.6 percent on CyberGym (compared to 81.8 percent for standard GPT-5.5), 39.5 percent on ExploitGym (compared to 25.95 percent - a relative improvement of over 52 percent), and 69.8 percent on SEC-bench Pro (compared to 63.1 percent). OpenAI calls the CyberGym score the highest ever achieved by a single model. Access is strictly limited: only verified organizations in the 'Trusted Access for Cyber' program can use the model, including Akamai, Cisco, Cloudflare, CrowdStrike, Fortinet, Oracle, Palo Alto Networks, and Zscaler. Since June 1, 2026, all participants must enable advanced account security. The UK AI Safety Institute (AISI) evaluated the model before release. In parallel, OpenAI released an update to its Codex Security plugin, which has scanned over 30 million commits across more than 30,000 codebases since its launch in March 2026.

Our assessment

This story warrants a yellow rating because it highlights a genuine tension. On one hand, an AI model that can find and exploit security vulnerabilities with a 52 percent higher success rate than its predecessor is concerning. The ability to trace attack paths and automatically validate exploits could have catastrophic consequences in the wrong hands. On the other hand, there are important counterarguments: access is restricted to verified security organizations, the UK AI Safety Institute evaluated the model, and the primary application is defensive - finding and fixing vulnerabilities before attackers can exploit them. The more realistic concern, however, is that similar capabilities will eventually become available in less controlled models. Even today, freely available AI models can detect simple vulnerabilities. GPT-5.5-Cyber shows where the development is heading - and why the arms race between attackers and defenders in the cyber domain is being significantly accelerated by AI.

Relevance for Germany

This development is relevant to Germany for several reasons. First, according to the BSI situation report 2025, Germany is among the countries most affected by cyberattacks in Europe, and AI-powered attack tools are escalating this threat. Second, German companies and authorities currently lack access to such defensive AI tools: none of the eight companies in the 'Trusted Access for Cyber' program are headquartered in Germany or the EU. This raises the question of whether Europe is falling behind in AI-powered cyber defense. Third, the issue directly relates to the implementation of the EU NIS2 Directive, which has imposed higher cybersecurity requirements on companies and critical infrastructure since October 2024. Fourth, the case shows that AI security regulation must go beyond the EU AI Act: even if a model is intended only for defensive use, the same capabilities can be misused offensively - a dual-use problem that is still insufficiently addressed in current regulation.

Fact check

The benchmark results come directly from OpenAI's official blog post dated June 22, 2026. The scores of 85.6 percent on CyberGym, 39.5 percent on ExploitGym, and 69.8 percent on SEC-bench Pro are consistently reported by Cybersecurity News, Axios, and other sources. The participants in the Trusted Access for Cyber program are listed on OpenAI's website. The AISI evaluation of the model is confirmed on the UK AI Safety Institute's website. The figures for Codex Security (30 million scanned commits across 30,000 codebases since March 2026) also come from the OpenAI blog.

Sources

  • https://openai.com/index/gpt-5-5-with-trusted-access-for-cyber/
  • https://cybersecuritynews.com/gpt-5-5-cyber/
  • https://www.aisi.gov.uk/blog/our-evaluation-of-openais-gpt-5-5-cyber-capabilities
  • https://www.axios.com/2026/06/22/openai-rolls-out-more-capable-version-of-cyber-model