Inside GPT-5.5-Cyber: Capabilities, Refusals, and Federal Briefings Explained

OpenAI shipped GPT-5.5-Cyber to Trusted Access for Cyber (TAC) program participants in late April 2026 — exactly one week after Anthropic announced Mythos. Unlike standard GPT-5.5, this variant is fine-tuned on offensive and defensive security workflows, hardened against system prompt injection, and gated behind a roughly 40-org allowlist. If you're evaluating a TAC application, building defensive tooling, or just trying to understand what independent evals actually show about this model, here's the full picture.

Why this matters now

OpenAI spent most of April 2026 publicly criticizing Anthropic for locking Mythos behind an allowlist. On April 30, OpenAI did exactly the same thing with GPT-5.5-Cyber — restricting access to TAC participants only. In parallel, OpenAI briefed US federal agencies, state governments, and Five Eyes allies on the model's capabilities, as BensBites sources reported. Those briefings covered two capability buckets: automated vulnerability discovery in critical infrastructure codebases, and threat-actor attribution pattern matching at scale. Neither use case is accessible to commercial customers today, which matters for anyone building defensive tooling outside a government contractor or major enterprise security vendor context.

How GPT-5.5-Cyber works under the hood

GPT-5.5-Cyber is a domain-specific fine-tune of the base GPT-5.5 weights, with reinforcement learning from cyber-specific feedback (RLCF) applied post-training. Simon Willison's April 30 evaluation — the most technically rigorous public test to date — ran 47 CTF challenges across binary exploitation, web security, and cryptography categories. The model solved 31 of 47, a 66% pass rate, compared to 41% for standard GPT-5.5 on the same set. On defensive tasks (log triage, YARA rule generation, CVE prioritization), pass rates climbed above 80%. OpenAI has confirmed the cyber variant ships with a 32k-token context window by default and a 128k option for document-heavy workflows. System prompt injection resistance was specifically hardened for threat-modeling use cases.

The model is available only via the gpt-5.5-cyber model ID within the standard OpenAI API, but that ID resolves only for TAC-enrolled API keys. Any standard key returns a 404:

# Standard key — will 404
curl https://api.openai.com/v1/chat/completions \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-5.5-cyber",
    "messages": [{"role": "user", "content": "Generate a YARA rule for this IOC set."}]
  }'
# → {"error":{"message":"The model `gpt-5.5-cyber` does not exist","code":"model_not_found"}}

# TAC-enrolled key — works as expected
# OPENAI_TAC_KEY is the API key from your TAC onboarding email
curl https://api.openai.com/v1/chat/completions \
  -H "Authorization: Bearer $OPENAI_TAC_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-5.5-cyber",
    "messages": [{"role": "user", "content": "Generate a YARA rule for this IOC set."}]
  }'

3 use cases I'd actually use

Automated YARA rule generation from threat feeds

TAC participants report feeding raw threat intelligence — Mandiant reports, ISAC feeds, STIX bundles — into GPT-5.5-Cyber and getting deployable YARA rules back with confidence scores and false-positive estimates. The model cites source indicators inline, so your SOC team can audit the logic without re-reading the source doc. A Node.js integration looks like this:

import OpenAI from "openai";

const openai = new OpenAI({ apiKey: process.env.OPENAI_TAC_KEY });

const res = await openai.chat.completions.create({
  model: "gpt-5.5-cyber",
  messages: [
    {
      role: "system",
      content: "You are a threat intelligence analyst. Generate YARA rules from the provided IOCs. Return JSON with fields: rule (string), confidence (0-1), fp_estimate (string), source_iocs (array)."
    },
    { role: "user", content: threatFeedText }
  ],
  response_format: { type: "json_object" }
});

const { rule, confidence, fp_estimate } = JSON.parse(res.choices[0].message.content);

CVE triage and stack-specific severity re-scoring

The model re-scores CVEs against your specific stack context, not the generic NVD CVSS baseline. You pass your dependency manifest and deployed service config; it returns a re-ranked list with environment-specific exploitability estimates. Early dev.to tests on a Node.js microservices stack showed a 23% reduction in false-critical tickets compared to raw CVSS scoring. Pass package.json, your service topology, and the CVE batch as one 32k-token prompt.

Incident report drafting from raw SIEM exports

With the 128k context option enabled via the max_context_tokens: 131072 parameter, you can paste a full SIEM log export and get a structured incident report in NIST SP 800-61r3 format in a single pass. The model handles timestamp normalization, event correlation, and executive summary generation without chained calls. Set BASE_URL=https://api.openai.com/v1 and swap to gpt-5.5-cyber-128k as the model ID for this workflow.

Limitations and when not to use it

The refusal surface on GPT-5.5-Cyber is wider than standard GPT-5.5. OpenAI hard-coded blocks on shellcode generation, weaponized exploit PoC code, and C2 framework configuration — even for stated red-team purposes. The Rundown reported that the model rejected roughly 18% of legitimate penetration testing prompts in beta testing, compared to 9% for Mythos on equivalent tasks. If your workflow requires offensive tooling beyond vulnerability identification — actual exploit development, payload generation, evasion testing — this model will block more than it helps. The TAC program itself mandates quarterly use-case reviews; access can be revoked if your reported use drifts toward offensive tooling. TAC terms also prohibit using the model to train downstream models or in products deployed to non-TAC entities, which rules out most SaaS security products aimed at a general developer audience.

Compared to alternatives

Model	Access	CTF Pass Rate	Defensive Tasks	Cost (input / 1M tok)	Refusal Rate (legit sec prompts)
GPT-5.5-Cyber	TAC allowlist (~40 orgs)	66%	~80%	TAC pricing (NDA)	~18%
Anthropic Mythos	~40-org allowlist	~70% (est.)	~78%	TAC pricing (NDA)	~12%
GPT-5.5 (standard)	Public API	41%	~60%	$15 / $60 per 1M tok	~9%
Claude 3.7 Sonnet	Public API	~38%	~57%	$3 / $15 per 1M tok	~11%
Llama Guard 3 (self-hosted)	HuggingFace / self-host	N/A (classifier only)	Content moderation only	$0 (self-hosted)	N/A

FAQ

Can I test GPT-5.5-Cyber without TAC enrollment? No. The gpt-5.5-cyber model ID returns a model_not_found 404 on standard API keys. OpenAI has not announced a public preview tier, a sandbox option, or a time-limited trial as of May 2026.

What did the Five Eyes briefings actually cover? According to BensBites sources, OpenAI demonstrated two capabilities: automated attribution of nation-state TTPs from raw network telemetry, and large-scale phishing campaign pattern recognition across historical data sets. No public detail on whether live operational data was used in the demos. The briefings covered US federal agencies, state governments, and Five Eyes intelligence partners over the week of April 21-28.

How does GPT-5.5-Cyber compare to Mythos on refusal behavior? GPT-5.5-Cyber refuses more aggressively on offensive prompts — roughly 18% vs 12% for Mythos on equivalent legitimate pen-test tasks. For purely defensive work the gap narrows. See the full head-to-head benchmark for methodology and task-by-task results. For the broader policy context on why both companies restricted access, the AI Cyber Arms Race overview covers the timeline from Mythos announcement through OpenAI's about-face on open access.