OpenAI's GPT-5.5-Cyber cybersecurity launch (Daybreak, Patch the Planet, Codex Security)

The headline isn't really the model. It's the business position. OpenAI's central thesis with this launch is that the bottleneck in security has moved: finding vulnerabilities is no longer the hard part, fixing them is. As the company frames it, vulnerability reports on their own do not protect anyone, and the value comes from validating an issue, understanding its impact, developing and testing a patch, coordinating disclosure, and helping teams deploy the fix ^[5]. Every piece of the Daybreak expansion, the Codex Security plugin, the Cyber Partner Program, and Patch the Planet, is engineered around that remediation layer rather than around detection alone.

That reframing is also a land grab. Unite.ai's analysis warns that the same company finding the bugs is now also the company selling the fix and deciding who counts as a 'trusted defender' ^[6]. By controlling both detection and remediation, OpenAI positions itself as the intermediary for critical open-source maintenance, with capability flowing from a single vendor, on terms it sets, into the open-source commons. The defensive framing is genuine, but so is the structural consequence: the patch layer starts to look less like a public good and more like vendor-owned infrastructure.

OpenAI's benchmark case is real but narrow. GPT-5.5-Cyber scored 85.6% on CyberGym, versus 81.8% for the base GPT-5.5, 83.8% for Anthropic's Mythos 5, and 73.1% for Claude Opus 4 ^[3]. On other suites the specialized tuning shows more separation from its own base model: 39.5% versus 25.95% on ExploitGym, and 69.8% versus 63.1% on SEC-bench Pro ^[7]. Independent testing from the UK AI Safety Institute placed GPT-5.5 among the strongest models it has evaluated, with a 71.4% pass rate on Expert-level cyber challenges and a run that completed its corporate network simulation end-to-end on 2 of 10 attempts, the second model ever to do so ^[2].

The skepticism centers on what those numbers actually prove. Critics note that the gap over Mythos 5 on CyberGym is only about two points, and that Mythos was never cyber-tuned in the first place, so a purpose-built cyber model edging out a general one is a thin claim to dress up as a leap. That fuels a broader 'benchmaxxing' read: scores chosen to flatter, not to demonstrate real-world capability. Even AISI cautioned that its test ranges lack the defensive friction of live environments ^[2]. The counterpoint, raised by some practitioners, is that CyberGym measures whether an agent can reproduce a known vulnerability in a live setting rather than merely describe a CVE, which is a harder and more meaningful bar than the skeptics allow.

GPT-5.5-Cyber is gated for a reason that is uncomfortable to state plainly: every capability that makes it effective for defense also makes it effective for offense. A model that finds vulnerabilities so they can be patched can find the same flaws so they can be exploited, which is why OpenAI distributes it exclusively to verified, trusted defenders rather than the general public ^[4]. That gating is the safety story and the gatekeeping story at once.

The risk is not hypothetical. AISI reported identifying a universal jailbreak that elicited violative content across all malicious cyber queries in its controlled testing ^[2]. In other words, the same access controls being sold as misuse mitigation sit on top of a model that, once jailbroken, would readily produce offensive output. This is the heart of the competitive dynamic with Anthropic as well: both companies stage dual-use cyber models behind limited access framed as responsible disclosure ^[3]. The unresolved question is whether 'trusted defender' verification is a meaningful safety boundary or mostly a commercial moat that happens to look like one.

The most concrete evidence that this is more than a benchmark stunt is the Patch the Planet output. Built with Trail of Bits in collaboration with HackerOne and CALIF, the initiative explicitly brought patches, not just bug reports: in its first week it surfaced hundreds of bugs, opened 64 pull requests, filed 51 issues across 19 projects, and landed 37 merged patches, with many more in flight ^[1]. Crucially, security engineers triage and author fixes and review every finding before it reaches a maintainer, so AI throughput is paired with human accountability rather than dumped raw on volunteer projects ^[1].

The scale signals are larger still. Since its March research preview, Codex Security has scanned over 30 million commits across more than 30,000 codebases ^[4], with over 70,000 findings manually marked fixed by human reviewers and over 500,000 automatically determined fixed ^[4]. More than 30 open-source projects have committed to participate ^[4], and participating maintainers of projects like cURL, Python, and Go receive Codex Security access, ChatGPT Pro accounts, and API credits alongside the patches ^[1]. It is a genuine contribution to the commons, and simultaneously a distribution channel that deepens dependence on a single vendor's tooling.