OpenAI's GPT-5.5-Cyber Outscores Claude Mythos on Benchmark, Faces No White House Restrictions

The Benchmarks

OpenAI launched the full version of GPT-5.5-Cyber on June 23, 2026, through a limited release for verified security professionals, according to Neowin. The model scored 85.6% on CyberGym, a standardized AI cybersecurity benchmark, compared to 83.8% for Anthropic's Claude Mythos 5 and 81.8% for the base GPT-5.5 model.

The advantage extends to other tests. GPT-5.5-Cyber scored 39.5% on ExploitGym — a benchmark for automated exploitation tasks — versus 25.95% for base GPT-5.5. On SEC-bench Pro, it scored 69.8% against 63.1% for the baseline. Neowin reported these figures directly from OpenAI's announcement.

The model was previewed in May 2026 and built on top of GPT-5.5. Its core capabilities: vulnerability discovery, binary reverse engineering, and automated patching.

What Daybreak Actually Does

OpenAI has been building out a broader cybersecurity infrastructure around these models. The Daybreak platform, also expanded on June 23, sits on top of the models and automates vulnerability management for enterprise customers.

The updated Codex Security plugin — part of this ecosystem — can run deep code scans, trace attack paths, validate findings, and generate codebase-specific patches. Since its March 2026 preview, Codex Security has scanned more than 30 million commits across over 30,000 codebases, according to Neowin. Human reviewers marked more than 70,000 findings as fixed. An additional 500,000 findings were automatically resolved.

OpenAI also announced the Daybreak Cyber Partner Program, signing on Accenture, Akamai, Cisco, Cloudflare, CrowdStrike, IBM, Palo Alto Networks, Proofpoint, SentinelOne, Wiz, and Zscaler as initial partners. The Patch the Planet initiative, launched alongside, includes Trail of Bits, HackerOne, and over 30 open-source projects — cURL, Go, Python, Sigstore, and others.

The Anthropic Comparison

Anthropic unveiled Claude Mythos Preview in early April 2026, advertising autonomous cyber capabilities. OpenAI responded with GPT-5.4-Cyber in April and GPT-5.5-Cyber in May, per Crypto Briefing. Both companies effectively built the same class of tool: AI that can find and exploit software vulnerabilities.

In June 2026, the Trump administration directed Anthropic to restrict access to its Fable 5 and Mythos models for foreign nationals, citing national security concerns, according to Crypto Briefing. The directive reportedly created internal disruption at Anthropic, which had been positioning Mythos for global security teams.

OpenAI's Trusted Access for Cyber (TAC) program, which vets security teams before granting model access, has provided access to thousands of verified defenders since May. The program operates without comparable government restrictions. In June, OpenAI moved to offer GPT-5.5-Cyber to nine major UK banks — institutions effectively blocked from accessing Anthropic's Mythos under the new rules.

The UK AI Security Institute provided the CyberGym benchmark scoring, according to Crypto Briefing.

The Legitimate Concern Worth Taking Seriously

Critics of OpenAI's approach have a reasonable point. Models capable of automated vulnerability exploitation are dual-use by definition. The same system that finds a flaw in your bank's codebase can find a flaw in critical infrastructure. Anthropic's Project Glasswing reportedly applies tighter distribution controls specifically because of offensive hacking risk. If the Trump administration's national security concern about Mythos is valid, the logic applies equally to a model that scores higher on ExploitGym.

The counterargument is that the TAC vetting process and the partner program structure create meaningful access controls. OpenAI argues its defenders-first distribution model reduces misuse risk. Whether that argument holds up to scrutiny depends on specifics of the TAC vetting process that OpenAI has not publicly disclosed in full.

The Unresolved Question

Crypto Briefing's framing — that selective government restrictions amount to picking winners between competitors — is pointed, but it stops short of proving intent. No administration official has publicly stated why OpenAI's models face no comparable order. It may reflect genuine differences in distribution architecture between TAC and Glasswing. It may not. The distinction, whatever it is, is worth a direct answer from the administration.

The concrete next step is the Daybreak Cyber Partner Program rollout. If major security vendors like CrowdStrike and Palo Alto Networks embed GPT-5.5-Cyber into their commercial products at scale, the model's reach will expand well beyond the verified-defender cohort OpenAI is currently citing. Whether TAC's vetting standards extend to downstream partner deployments is a question OpenAI has not yet answered publicly.