- The UK AI Security Institute (AISI) reported on May 1, 2026 that OpenAI’s GPT-5.5 matches Anthropic’s Claude Mythos Preview on cyber-attack benchmarks.
- GPT-5.5 hit 71.4% on Expert-difficulty capture-the-flag tasks vs 68.6% for Mythos — within statistical margin of error, but the highest score AISI has recorded.
- GPT-5.5 fully solved AISI’s “The Last Ones” multi-stage network attack simulation in 2 of 10 attempts (Mythos hit the same bar in 3 of 10).
- AISI researchers built a universal jailbreak bypassing OpenAI’s safeguards in six hours; OpenAI patched, but AISI couldn’t verify the final fix held due to a deployment configuration issue.
What Happened
The UK AI Security Institute (AISI) released cyber-attack evaluation results for OpenAI’s GPT-5.5 on May 1, 2026, reporting that the model reaches the same level of cyberattack capability as Anthropic’s Claude Mythos Preview. GPT-5.5 became the second model after Mythos to fully solve a complex, multi-stage enterprise-attack simulation against undefended networks, and the first to score higher than Mythos on isolated expert-difficulty tasks.
Why It Matters
Cyber-attack capability has been the single highest-stakes evaluation category for frontier models in 2026. Claude Mythos Preview’s results in April triggered Anthropic’s restricted-access deployment policy and prompted ongoing debate over whether such capabilities should ship to the public. AISI’s framing of the new GPT-5.5 result is striking: the institute argues that cyber capability is now emerging as a byproduct of general gains in autonomy, reasoning, and coding rather than as a deliberate training target. If correct, every frontier model release going forward inherits the same risk profile by default.
Technical Details
AISI evaluates models on a battery of 95 capture-the-flag tasks across four difficulty levels, with Expert-tier tasks built in collaboration with Crystal Peak Security and Irregular. The Expert tasks cover reverse engineering, exploit development for memory flaws, cryptographic attacks, and unpacking obfuscated malware. GPT-5.5 hit 71.4% average success on Expert tasks; Claude Mythos Preview reached 68.6%. For comparison, GPT-5.4 scored 52.4% and Claude Opus 4.7 reached 48.6%. All current frontier models have fully solved the basic tier since at least February 2026.
For multi-stage capability, AISI uses cyber ranges — simulated networks with multiple hosts, services, and vulnerabilities. Its “The Last Ones” (TLO) simulation spans 32 steps across four subnets and roughly 20 hosts; the AI agent starts with no credentials and must find vulnerabilities, steal credentials, move laterally, and reach a protected database. AISI estimates a human expert would need about 20 hours. GPT-5.5 fully solved TLO in 2 of 10 attempts; Mythos hit the same bar in 3 of 10. Performance scales with inference compute and has not plateaued. A second simulation, “Cooling Tower,” modeling an industrial control system attack, has not been solved by any model — both GPT-5.5 and Mythos failed at the upstream IT steps rather than the control system itself.
AISI also tested public-facing safety mitigations and found a universal jailbreak that worked on every malicious cyber request OpenAI flagged, including multi-step agent scenarios. The jailbreak took six hours to develop. OpenAI pushed safety updates after AISI’s report, but AISI could not verify how well the final configuration held due to a configuration issue in the deployed version.
Who’s Affected
OpenAI faces an immediate question of whether to follow Anthropic’s restricted-access pattern for Mythos given that GPT-5.5 — already in ChatGPT and the API — performs at the same threshold. AISI’s finding implicitly challenges Anthropic’s slow-rollout justification: if OpenAI ships the same capability without the restrictions, either Anthropic was over-cautious or its constraint was driven by something other than safety (the report flags Anthropic’s compute constraints as a possible alternative explanation). Defense and enterprise security teams now have an empirical anchor for evaluating AI-driven attacks against poorly defended infrastructure.
What’s Next
AISI says scaling continues to add capability with no observable plateau, suggesting future models will exceed both GPT-5.5 and Mythos. Expect Anthropic to respond with a position paper on the restricted-rollout decision in light of the GPT-5.5 release. Watch for evaluation frameworks that incorporate active defenders rather than undefended networks — both AISI and the security industry have flagged this as the missing variable in current red-team simulations.
