Back to Insights
AI Software

OpenAI's GPT-5.5-Cyber and Codex Security: Defensive AI Moves Into the Commit Stream

OpenAI's GPT-5.5-Cyber and the Codex Security plugin move defensive AI from the chat window into the commit stream. What the AISI benchmarks really show.

S5 Labs Team June 22, 2026

On May 8, OpenAI opened a limited preview of GPT-5.5-Cyber, a more permissive variant of GPT-5.5 for vetted security teams, and folded it into a broader cybersecurity initiative it calls Daybreak. It reads, at first, like April’s GPT-5.4-Cyber one notch up the version number — the same gated-model move, repeated. It isn’t. The model is the smaller half of the announcement. The larger half is Codex Security, an agent that reads your commits, and the change it represents: defensive AI is leaving the chat window for the build pipeline.

Six weeks into the preview, with an independent government evaluation now published and the program’s new security requirements in force, the picture is clear enough to judge. The headline capability is not what changed. What changed is where the capability runs, and who is allowed to hold it.

Diagram contrasting GPT-5.5-Cyber, the gated model, with Codex Security, the autonomous commit scanner, alongside verified stats: 1.2M+ commits scanned, 792 critical and 10,561 high-severity findings, and a 71.4% AISI expert-tier pass rate.

The model is the smaller half

GPT-5.5-Cyber is not a smarter cyber model, and OpenAI doesn’t claim it is. The company is explicit that it is “not intended to significantly increase cyber capability beyond GPT-5.5” — it is “primarily trained to be more permissive on security-related tasks.” The base model refuses requests that look like they could be misused: writing an exploit proof-of-concept, analyzing live malware, reverse-engineering a binary. Those refusals stop casual abuse and frustrate the defenders who do exactly that work for a living. GPT-5.5-Cyber keeps the same underlying capability and lowers the refusal wall for authenticated users in approved contexts — red teaming, penetration testing, malware analysis, binary reverse engineering, and detection engineering inside controlled environments.

OpenAI’s own numbers fit the “permissive, not smarter” framing. On its internal CyberGym benchmark, GPT-5.5-Cyber scores 85.6% against 81.8% for plain GPT-5.5; on ExploitGym, 39.5% versus 25.95%; on SEC-bench Pro, 69.8% versus 63.1%. Those are real gaps, but they are the gaps you’d expect from a model that stops declining authorized work rather than one that reasons better. It finishes tasks the base model walks away from.

Access still runs through Trusted Access for Cyber, now structured in three tiers: public GPT-5.5 with standard guardrails, a middle tier with relaxed filters for verified defensive work, and GPT-5.5-Cyber at the top with the fewest restrictions. The eligibility gate is unchanged — critical-infrastructure operators, security vendors, national CERTs, and bug-bounty platforms qualify; a Pro subscription does not. OpenAI says the program now reaches thousands of vetted defenders and hundreds of teams. From June 1, individuals on the most permissive tier must enable Advanced Account Security, or their organization must attest to phishing-resistant single sign-on. The capability didn’t move much. The fence around it got taller.

Codex Security is the bigger half

The part worth attention is Codex Security, the plugin OpenAI put at the center of Daybreak. It is the productized descendant of Aardvark, the agentic security researcher OpenAI introduced in October 2025, and it runs the same loop: build a threat model of a repository, scan incoming commits against it, validate suspected bugs in a sandbox to filter false positives, then hand a Codex-generated patch to a human for review. What’s different is where it lives. This is not a chatbot you open when you remember to ask it about security. It sits in the commit stream and works continuously.

The research-preview numbers are the reason to take it seriously. Over roughly 30 days, Codex Security scanned more than 1.2 million commits and surfaced 792 critical and 10,561 high-severity findings — with critical issues appearing in under 0.1% of commits, the figure that makes continuous scanning tractable instead of a firehose of noise. False-positive rates fell more than 50% across all repositories during the preview, and over-reported severity dropped more than 90% against the initial rollout. It has already turned up findings in production open-source projects that thousands of eyes have reviewed for years — OpenSSH, GnuPG, GnuTLS, libssh, PHP, and Chromium among them.

One distinction is easy to get wrong and worth stating plainly: Codex Security and GPT-5.5-Cyber are separate products. The plugin’s default workflow runs on ordinary GPT-5.5 with high reasoning effort, not the gated Cyber model, and you do not need Trusted Access clearance to point it at your own code. That is the quieter, more consequential half of the release. The gated model is for a few thousand vetted defenders; the autonomous scanner is aimed at everyone’s repositories.

The independent scoreboard

What separates this from the usual launch-day benchmark theater is that someone outside OpenAI graded the model. The UK’s AI Safety Institute ran base GPT-5.5 through 95 capture-the-flag tasks across four difficulty tiers at the end of April. On the expert tier, GPT-5.5 passed 71.4% of tasks (±8.0%), edging Anthropic’s Claude Mythos Preview at 68.6% and sitting well clear of GPT-5.4 at 52.4% and Opus 4.7 at 48.6%. On AISI’s “The Last Ones,” a 32-step simulated network intrusion that takes a human expert roughly 20 hours, GPT-5.5 completed the full chain in 2 of 10 attempts — the second model ever to solve it end to end, after Mythos. In one reverse-engineering challenge AISI estimated at twelve hours of expert work, the model recovered the answer in ten minutes and twenty-two seconds, for $1.73 in API usage.

OpenAI’s own safety classification is the counterweight that keeps those results in proportion. Under its Preparedness Framework, the company rates GPT-5.5 “High capability in the Cybersecurity domain, but below Critical” — it could not produce functional critical-severity exploits against the hardened real-world targets it was tested on without human help. The honest read is that the frontier now does genuine offensive security work at a speed and cost no human team matches, and still sits below the threshold of an autonomous zero-day machine. Both halves of that sentence carry weight, and the distance between them shrinks with each release.

What it means if you’re not a vetted defender

Most businesses will never touch GPT-5.5-Cyber. The program is built to screen out everyone who isn’t a credentialed defender, which is the entire logic of gating a dual-use model. The part that reaches everyone is the trajectory Codex Security represents. Continuous, cheap, AI-driven vulnerability discovery is becoming a standard layer of the development pipeline, and it cuts both ways: the capability that lets a defender catch a bug in a pull request lets an attacker who can rent the same compute find it first. The June 1 security tightening is the labs telling you, in procurement terms, that they consider this genuinely dangerous.

The consequences are concrete. Code that has cleared human review and conventional scanners for years is no longer presumptively secure — Codex Security finding bugs in OpenSSH and GnuPG is the proof. Budget for AI-augmented security review the way you would budget for the AI-augmented attacker who now exists. And before you wire an autonomous agent with relaxed safety filters into your own infrastructure, work through what it is allowed to touch and where its output goes — the kind of question an AI governance process should answer before you turn it on, not after.

GPT-5.5-Cyber is a minor model update wearing a major announcement. What actually changed in May is that frontier cyber-AI stopped being something you talk to and became something that watches your code — gated, in its most permissive form, for the few who qualify, and pointed through Codex Security at everyone else’s repositories.

Sources: OpenAI — Scaling Trusted Access for Cyber with GPT-5.5 and GPT-5.5-Cyber · OpenAI — GPT-5.5 System Card, Cybersecurity · UK AISI — Our evaluation of OpenAI’s GPT-5.5 cyber capabilities · Help Net Security · The Hacker News — Codex Security research preview

Want to discuss this topic?

We'd love to hear about your specific challenges and how we might help.