GPT 5.5 adds advanced cybersecurity capabilities while restricting access through OpenAI’s pre-existing vetting framework.

OpenAI launched GPT-5.5-Cyber, a specialized version of its GPT-5.5 model designed for advanced cybersecurity testing, with access managed through its existing Trusted Access for Cyber (TAC) program. 

GPT-5.5-Cyber supports defensive cybersecurity processes, including vulnerability identification, malware analysis, penetration testing, and code-level risk assessment. The model can analyze software systems, identify potential weaknesses, and simulate attack scenarios in controlled environments. It can also support reverse engineering of software and generate controlled test exploits, allowing organizations to verify whether their systems are vulnerable under simulated attack conditions. These capabilities are not available in OpenAI’s general-purpose models.

Only organizations approved under the recently introduced TAC program can access to 5.5-Cyber. Eligible participants are cyber professionals from industry, academia, and the government. Applicants must demonstrate a defined defensive use case and agree to operational restrictions. OpenAI did not specify how many organizations currently have access, what jurisdictions are included, or the precise evaluation criteria used in the approval process.

5.5-Cyber comes with additional safeguards, including usage monitoring, restrictions on certain outputs, and unspecified enforcement mechanisms to detect misuse. In some testing scenarios, safeguards may be partially relaxed to evaluate model behavior, although the company did not define the conditions, participants, or specific controls for these more-relaxed testing scenarios.

The release comes as Anthropic’s cybersecurity model, Mythos, made waves, with claims that it was too powerful for general release. Anthropic immediately restricted access to a few dozen industry and government partners for controlled testing.

Organizations seeking to test GPT-5.5-Cyber can obtain approval only through the TAC program. Once approved, they must implement internal controls governing access, define approved use cases, and maintain records of system interactions to support compliance and audit requirements.