OpenAI offers restricted-access GPT-5.5 "Cyber" for authorized penetration testing

OpenAI has introduced a specialized GPT-5.5 variant named Cyber and is making it available only through a new Trusted Access for Cyber program. The variant accepts substantially more security — focused requests than the company’s public models and, in demonstration scenarios, has been shown to execute exploit code against controlled test servers. The move is intended to help security teams reproduce vulnerabilities and test defenses that public models often block.

Access to OpenAI's offerings is being split into three tiers. The public tier retains standard safety filters; a middle tier relaxes filtering to support defensive research and can produce exploit code accompanied by documentation; and the top tier — GPT-5.5 Cyber — has the fewest restrictions for authorized penetration testing. OpenAI says Cyber still prevents clearly malicious actions such as stealing passwords or attacking third — party systems. In one demo cited, the Cyber model reportedly took control of a test system and read out system information.

The rollout includes named launch partners and curated programs for security organizations and open-source projects. Companies listed as partners include Cisco, CrowdStrike, Palo Alto Networks, Cloudflare, Intel, Snyk, and SentinelOne. Select developers working on major open-source projects can obtain discounted access through a Codex Security program. OpenAI is also enforcing account controls: individuals granted the highest access tier must enable phishing — resistant authentication beginning June 1, 2026. OpenAI emphasizes that Cyber is not a differently architected model but a less-restricted configuration intended specifically for defensive and research use. The tiered design aims to let defenders reproduce vulnerabilities, analyze malware, and review security patches without the guardrails of public models that often block legitimate security work.

On competitive benchmarks and third — party testing, the Cyber variant performs roughly on par with a comparable model from another developer for finding and exploiting software vulnerabilities, according to published reporting cited in early coverage. That other developer limits access far more tightly — reportedly to about 40 organizations under a separate access program — while OpenAI’s tiered system seeks broader distribution among authorized defenders.

Independent testing cited by OpenAI and in coverage shows mixed results. The UK’s AI Security Institute ran a simulated 32 — step attack sequence against a corporate network: GPT-5.5 completed the full chain in 2 out of 10 runs, while the comparator completed it in 3 out of 10 runs. GPT-5.5 did perform slightly better on some individual expert — level tasks, but the overall results were not decisive.

The combination of demonstrable offensive capability and narrower, but still notable, distribution has drawn attention from policymakers; the White House is reportedly weighing executive options to influence how such models are released. OpenAI frames the program as a controlled way to improve defensive capabilities while attempting to limit misuse.