GPT-5.5 completes end-to-end cyber-attack simulation

The headline isn't that GPT-5.5 cleared 'The Last Ones.' It's the cadence. AISI's 32-step corporate-network simulation went from 'no model has ever finished it' to 'two distinct frontier labs have finished it' in roughly ten days. Anthropic's Claude Mythos Preview cleared TLO end-to-end on April 14 in 3 of 10 attempts. On April 24, OpenAI shipped GPT-5.5 with a 2 of 10 success rate on the same range. That is not a slow asymptote. That is the curve bending at a pace that outruns the publication cycle of the evaluations themselves.

What makes the cadence consequential is that TLO is not a toy benchmark. AISI estimates the full chain takes a human expert about 20 hours and spans four subnets and roughly twenty hosts. The fact that two unrelated training runs converged on solving it within the same fortnight suggests the underlying capability — multi-step planning under noisy network feedback — is now a generalizable property of frontier post-training, not a bespoke trick. Defenders should plan budgets and red-team cadence accordingly: the 'first model to do X in cyber' headline is going to keep arriving, and the gap between first and second is collapsing toward the patch cycle.

On AISI's expert-level cyber tasks, GPT-5.5 averaged a 71.4% pass rate (±8.0%), edging Mythos Preview's 68.6% (±8.7%) and lapping last-generation models — GPT-5.4 at 52.4% and Opus 4.7 at 48.6%. On the headline TLO chain, however, the order flips: Mythos cleared 3 of 10 runs and averaged 22 of 32 steps, where GPT-5.5 cleared 2 of 10. The two models trade places depending on whether the metric rewards isolated task accuracy or long-horizon planning.

That split matches what OpenAI's and Irregular's red teamers reported qualitatively: 'For any given isolated and specified task, GPT-5.5 is damn good, but it can't synthesize and plan like Mythos.' The reader takeaway is that 'most capable cyber model' is now a two-axis question. GPT-5.5 wins the per-task leaderboard; Mythos still wins on stitching tasks together into a full intrusion. Anyone benchmarking these models in a defensive SOC context needs both axes — picking one will mislead their procurement decision.

One AISI challenge that takes a human expert roughly 12 hours was solved by GPT-5.5 in 10 minutes 22 seconds, with no human help, for $1.73 in API usage. Even if you discount for cherry-picking — and Reddit threads on r/singularity were openly debating whether the figure leaned on cached input pricing — the order of magnitude is the story. A frontier API call is now cheaper than a tip on a coffee for work that used to require a contractor's day rate.

That economics reframe is what turns 'capability milestone' into 'threat-model update.' The cost of running an attempt is no longer the bottleneck; the bottleneck is the planning quality and the safeguards. A six-hour universal jailbreak — the time AISI red-teamers needed to bypass GPT-5.5's cyber guardrails — translates, at $1.73 per task-equivalent, into a very large attack surface for any actor patient enough to develop the prompt once. Defender ROI on automation has to climb to match, which is precisely the gap OpenAI's GPT-5.5-Cyber Trusted Access program is positioned to close.

The most under-covered fact in the GPT-5.5 release is buried in AISI's own write-up: the institute could not verify the final safeguard configuration before OpenAI launched. AISI red-teamers found a universal jailbreak of the cyber safeguards in six hours of expert effort. Transformer News bluntly summarizes the situation as 'we do not know if GPT-5.5 is actually safe to release. All we have to rely on is OpenAI's word.' That is a structural governance claim, not a sentiment one.

OpenAI's own framing leans on the Preparedness Framework's 'High but not Critical' label, citing internal judgment that the model 'does not have the capability to develop functional zero-day exploits of all severity levels in many hardened real world critical systems without human intervention.' That is a defensible read, but it is also a self-graded one, and the rollout of GPT-5.5-Cyber to vetted defenders is occurring on the same timeline as the public release. Whether you find that acceptable depends on whether you think frontier-model safety verification can scale at the cadence the labs are shipping. AISI's failure-to-verify is the canary: the third-party evaluation pipeline is already running behind the deployment pipeline.

The reaction shape across X, Reddit and YouTube is more revealing than any individual take. On Reddit, r/singularity, r/codex and r/accelerate threads are dominated by 'told you so' pushback at Anthropic's earlier 'too dangerous to release' framing for Mythos — the implicit argument being that if OpenAI shipped a comparable capability two weeks later with a Preparedness rating below Critical, the precautionary framing was overcalibrated. The same threads contain a steady undertow of skepticism about benchmark contamination and pricing math, a healthy sign that the technical audience is interrogating the numbers rather than ratifying them.

On X and YouTube the framing is bifurcated: capability-celebration accounts are using the TLO result as a 'frontier capability' beat, while AI-policy voices and OpenAI executives like Greg Brockman are leaning hard into the defender-empowerment narrative around GPT-5.5-Cyber. The contrarian minority — visible in scattered Reddit replies and in Mark Chen's own public framing that full end-to-end research capability is still 'a couple of years down the line' — is arguing the opposite direction: not that GPT-5.5 is dangerous now, but that the social conversation is still calibrated for a world where autonomous offense is hypothetical, when the AISI numbers say it is empirically here for low-defense networks.