
Beating Mythos 5: OpenAI's security-dedicated GPT-5.5-Cyber arrives in its full version

机器之心, 2026-06-23 11:39
Netizens are not buying it: Why don't you release GPT-5.6?

OpenAI has taken another step forward in the field of cybersecurity.

Today, OpenAI announced the expansion of the Daybreak security program, launching an updated version of GPT-5.5-Cyber, the Codex Security plugin, the Daybreak Cyber Partner Program, and the Patch the Planet program for the open-source ecosystem, among other initiatives.

Among these, the most attention-grabbing is the release of the full version of GPT-5.5-Cyber. OpenAI stated that the updated GPT-5.5-Cyber achieved a score of 85.6% on CyberGym, higher than the 81.8% of GPT-5.5. This score also surpasses the 83.8% of Anthropic Mythos 5.

OpenAI CEO Altman said, "OpenAI hopes to cooperate with the US government and the security ecosystem to help all enterprises enhance their security. The full version of GPT-5.5-Cyber is now available and has achieved the current state-of-the-art performance on CyberGym."

OpenAI President Greg Brockman wrote, "Through OpenAI Daybreak, we are accelerating vulnerability patching with new tools and models, not just accelerating vulnerability discovery. OpenAI's models can now discover and generate patches for critical vulnerabilities in mainstream browsers, network infrastructure, and operating systems, including systems like FreeBSD and the Linux kernel; they also help projects such as cURL, Go, Python, and Sigstore advance vulnerability repairs."

However, netizens don't seem convinced. They are looking forward more to OpenAI releasing GPT-5.6.

The major updates this time include the following:

GPT-5.5-Cyber: After initially offering only a preview version, OpenAI will roll out the full version of GPT-5.5-Cyber to trusted defenders through an ongoing restricted release. The model has set a new best score on CyberGym, 85.6%, higher than the 81.8% of GPT-5.5.

Codex Security: OpenAI will release an update to the Codex Security plugin that packages the experience gained from internal and customer use of the model into a set of solutions. These are meant to accelerate the discovery and repair of vulnerabilities in existing systems and to automatically keep new vulnerabilities out of production.

Patch the Planet: A project jointly initiated by OpenAI and Trail of Bits, in collaboration with HackerOne, Calif, researchers, and maintainers, to help widely used open-source projects move from vulnerability discovery to real repair.

Daybreak Cyber Partner Program: Through this program, OpenAI will let security partners use its most powerful models under trusted access in their own products and services, extending these capabilities to more organizations.

Updated GPT-5.5-Cyber: Capability Improves Alongside More Open Usage Boundaries

OpenAI is releasing an updated version of GPT-5.5-Cyber. This is a model for advanced, authorized cybersecurity work, which is more capable and less likely to give unnecessary refusals.

The initial preview version of GPT-5.5-Cyber mainly aimed to reduce unnecessary refusals in professional workflows. This update goes further. It is OpenAI's most powerful model to date for discovering and helping to patch software vulnerabilities, while retaining the general intelligence of GPT-5.5 and its ability to handle long-running, complex tasks.

The model can carry out deeper and more sustained analysis in large codebases: identify security-relevant components, trace whether vulnerable code is reachable, verify possible issues in a controlled environment, develop and test patches, and prepare evidence for manual review. The goal is to help defenders complete the entire repair cycle, not just produce more vulnerability findings.

On CyberGym, the updated GPT-5.5-Cyber reached 85.6% in single-model evaluation, higher than the 81.8% of GPT-5.5. CyberGym measures whether an agent can reproduce known vulnerabilities in a software environment. This is also the highest CyberGym score for a single model measured by OpenAI.

GPT-5.5-Cyber also outperformed GPT-5.5 on two other demanding real-world security benchmarks. On ExploitGym, GPT-5.5-Cyber scored 39.5%, higher than the 25.95% of GPT-5.5. ExploitGym tests whether an agent can turn known vulnerabilities into working exploits and achieve unauthorized code execution. On SEC-bench Pro, GPT-5.5-Cyber scored 69.8%, higher than the 63.1% of GPT-5.5. SEC-bench Pro evaluates long-term vulnerability discovery and proof-of-concept generation on complex software targets.

Benchmarks are only part of the story. What really matters is whether the model can discover real vulnerabilities in real-world scenarios, separate actionable problems from noise, and help defenders complete repairs safely. After the coordinated disclosure work is completed, OpenAI will continue to evaluate the model's performance in complex codebases and real repair workflows.

OpenAI has been in communication with the US government about its cybersecurity approach, including today's releases and the preparations ahead of the upcoming model launch. This includes continuing to cooperate with the Center for AI Standards and Innovation (CAISI) on pre-deployment testing of GPT-5.5 and GPT-5.5-Cyber, and collaborating with the Office of the National Cyber Director (ONCD) and the Office of Science and Technology Policy (OSTP) on the implementation of recent executive orders and relevant industry standards.

For most defenders, GPT-5.5 plus Trusted Access for Cyber, combined with Codex Security, is still a suitable starting point. GPT-5.5-Cyber is designed for verified defenders whose authorized work requires OpenAI's most advanced cybersecurity capabilities and more permissive model behavior, along with stronger verification, monitoring, scope control, and review mechanisms. In the early Daybreak work, GPT-5.5 and Codex Security have helped defenders identify and verify vulnerabilities in multiple widely used systems, including Firefox, V8, Safari, OpenBSD, FreeBSD, and HTTP/2 implementations.

Turn Discovery into Repair with Codex Security

Since the cloud version of Codex Security launched as a research preview in March, it has scanned more than 30 million commits across more than 30,000 codebases; human reviewers have manually marked more than 70,000 findings as fixed, and more than 500,000 findings have been automatically determined to be fixed.

This is exactly the scale that vulnerability patching requires today.

OpenAI built Codex Security on a simple premise: by integrating directly into Codex, it puts the equivalent of a security engineer beside every software developer.

Codex Security doesn't just generate alerts. It understands the team's code and its threat model, and if no threat model exists, it can generate one. It identifies possible vulnerabilities, determines whether the affected code is reachable, collects evidence and provides verification steps, develops targeted patches, and verifies the fix. Humans keep control of the key decisions: which findings to investigate, which changes to apply, and which information to share.

Today, OpenAI is releasing an update to the Codex Security plugin to support out-of-the-box defensive security workflows. Developers can run in-depth scans or review recent changes; generate reports containing severity, the location of affected code, verification evidence, and repair suggestions; and trace attack paths, build threat models, verify findings, and generate patches for specific codebases for review.

Users can set the scan scope to cover the entire codebase, part of the codebase, or a specific change or commit.

The plugin can also triage and verify existing findings from scanners, security advisories, bug bounty reports, or ticketing systems, and then automatically generate patches at scale to help clear the vulnerability backlog quickly. After Codex Security completes a scan, the results can be exported to existing vulnerability management systems or integrated into other tools through SARIF files, CodeQL queries, and so on. The plugin makes these capabilities more accessible, whether to support automated pipelines with the Codex CLI or to fit into the developer workflow in the Codex application.

Patch the Planet: Make Open-Source Repairs a Reality

Patch the Planet is a project that helps maintainers move from vulnerability discovery to real repair. It is jointly initiated by OpenAI and Trail of Bits, in collaboration with HackerOne and Calif. OpenAI will fund professional security researchers and equip them with Codex Security and advanced models so they can work directly with open-source maintainers.

Open-source software underpins products, public services, developer tools, and critical infrastructure across industries. A vulnerability in a widely used network library may affect thousands of downstream systems. However, many such projects are maintained by very small teams with very limited time and funds. Research by the Linux Foundation and Harvard found that, in 94% of the widely used projects they studied, fewer than 10 developers were responsible for more than 90% of the code added in a year.

As AI makes it possible to discover and patch more vulnerabilities faster, it also creates more work for maintainers. Maintainers need to pick out the truly valuable problems from thousands of reports, many of which are low quality or outright false alarms. Maintainers should not simply receive more reports without gaining more capacity to fix them. Therefore, the core of Patch the Planet is expert-level manual security review.

Each engagement will start with a conversation between the security researchers and the maintainers being assisted. The maintainers will define their priorities, preferences, and existing disclosure processes. The Patch the Planet security researchers will then manage the work end-to-end, completing verification and deduplication before submitting vulnerabilities and patches to the maintainers, which significantly reduces the maintainers' burden and speeds up repairs.

Open-source projects participating in the program will receive conditional access to ChatGPT Pro and Codex Security, as well as API quotas for core development, maintainer automation, and release workflows.

The first five-day sprint, which covered multiple projects, surfaced hundreds of issues for review, merged dozens of patches, and moved more patches forward. At the same time, the project has built reusable workflows for fuzz testing, variant analysis, differential testing, and specification-based testing.

Discovering vulnerabilities is important, but what really protects the world is getting the fixes made. That requires collaboration and community support.

Working with the Security Ecosystem

As part of this expansion, OpenAI will also jointly launch the OpenAI Daybreak Cyber Partner Program with leading security software and service providers.

Through this program, participating partners can use GPT-5.5 with Trusted Access for Cyber, OpenAI's main model for most defensive cybersecurity workflows, in the security products and services they provide to customers. In this way, customers can benefit from the model's defensive capabilities and improve software resilience, while direct model access remains in the hands of the participating partners.

OpenAI will also collaborate with the partners of this program to continue to strengthen the safeguards, monitoring mechanisms, and anti-abuse standards required for the responsible deployment of these capabilities in the security ecosystem. OpenAI will first launch this program with a group of initial partners and plans to continue to expand to more organizations in the next few months.

What's Next

Daybreak brings together models, Codex Security, Patch the Planet, expert researchers, maintainers, security partners, critical infrastructure operators, and trusted access control to help human defenders face this challenge.

Both public and private sector organizations can work with OpenAI Daybreak to identify, verify, and repair vulnerabilities in the software they build and rely on. Developers and maintainers can run Codex Security on their own code, review findings, and drive fixes through to completion. Security partners and practitioners can use OpenAI's cutting-edge models to strengthen their own defense tools and quickly bring these capabilities to more organizations.

The goal is to go beyond the stage of "using models to discover more vulnerabilities" and move towards a world with safer software and stronger network resilience.

Reference Links:

https://x.com/OpenAI/status/2069104283824640023

https://openai.com/index/daybreak-securing-the-world/

https://x.com/sama/status/2069121360744550796

https://x.com/gdb/status/2069112120206332130