AISI: GPT-5.5 Matches Mythos on Offensive Cyber Tasks
AI relevance: The UK AI Safety Institute's evaluation of GPT-5.5 shows offensive cyber capability is no longer a single-model anomaly — two frontier models now reach the same tier on independent government benchmarks, suggesting this is a structural shift in AI capability.
- UK AISI published its evaluation of an early GPT-5.5 checkpoint on May 1, concluding the model reaches offensive-cyber parity with Anthropic's Claude Mythos Preview.
- GPT-5.5 scored 71.4% on AISI's Expert-tier cyber task benchmark, compared to Mythos Preview at 68.6%, GPT-5.4 at 52.4%, and Opus 4.7 at 48.6%.
- GPT-5.5 completed AISI's 32-step "The Last Ones" corporate-network attack range end-to-end in 2 of 10 attempts — the second model ever to do so after Mythos (3/10). AISI estimates a human expert needs roughly 20 hours to complete the same chain.
- AISI red-teamers found a universal jailbreak in GPT-5.5's safeguard layer within six hours, eliciting violative cyber content across all queries provided by OpenAI, including multi-turn agentic settings.
- OpenAI updated its safeguard stack in response, but a configuration issue in the version supplied to AISI meant the institute could not independently verify the final fix.
- AISI frames this as a trend, not a one-off: if cyber-offensive skill emerges as a byproduct of improvements in long-horizon autonomy, reasoning, and coding, "we should expect further increases in cyber capability from models in the near future, potentially in quick succession."
Why it matters
Two independent frontier labs now produce models that can autonomously chain together multi-step network attacks at a level approaching a skilled human operator. The universal jailbreak found in six hours underscores how quickly safety controls can be bypassed at the model layer, even when the underlying capability is restricted. For defenders, the same evaluation pipeline also demonstrates that frontier models can be directed toward blue-team tasks — AISI explicitly notes its Trusted Access program makes these capabilities available to defenders.
What to do
- Treat frontier model cyber evaluations as threat-informed defense planning data — the AISI "Cooling Tower" ICS range (unsolved by any model so far) defines the next escalation tier.
- Audit which models your organization's agents use and whether safeguard configurations have been independently verified, not just vendor-claimed.
- Watch for AISI's next evaluation drop on extended attack ranges; the gap between expert-tier scores and end-to-end range completion is the real measure of operational risk.