OpenAI released the full version of GPT-5.5-Cyber today, June 22, 2026, completing the rollout of a cybersecurity-focused frontier model that had been in limited preview since early May. The release is part of OpenAI’s Daybreak cyber initiative, a multi-strand effort that combines a specialized model, a gated-access program (Trusted Access for Cyber, or TAC), an updated Codex Security plugin, the Patch the Planet open-source disclosure partnership with Trail of Bits and HackerOne, and a formal Daybreak Cyber Partner Program. The combined launch is OpenAI’s most concrete public statement to date that cybersecurity is a distinct workload category requiring distinct model treatment, distinct access controls, and distinct partnerships.
This piece walks through what was released, what GPT-5.5-Cyber does that base GPT-5.5 does not, how the TAC vetting works, the benchmark results OpenAI published with the announcement, the competitive context in which the launch lands, and what the release means for security operations teams considering AI augmentation. The angle is operational and technical. The policy and dual-use conversation is real but is a separate piece.
The short version is that GPT-5.5-Cyber is a fine-tuned variant of GPT-5.5 with relaxed guardrails on security-domain capabilities (vulnerability research, exploit reasoning, patch synthesis), gated to verified defender organizations through TAC, and bundled with tooling specifically built for security workflows. For organizations that already have OpenAI relationships and the engineering depth to integrate AI into their security operations, the release is a meaningful capability bump. For organizations that do not fit the TAC vetting criteria, the release does not change what is available; the base GPT-5.5 remains the option through standard OpenAI access.
What was announced
The June 22 announcement covers four coordinated pieces. The first is the GPT-5.5-Cyber model itself, now generally available to vetted defenders through the TAC program. This is the upgrade from the limited-preview version that had been available to a smaller set of partners since May 7. The full release expands access (still within TAC) and includes the capability improvements from the development cycle since May.
The second is the updated Codex Security plugin. Codex, OpenAI’s agentic coding surface that runs through ChatGPT and through the API, now includes a security-focused mode that uses GPT-5.5-Cyber for vulnerability triage, exploit validation, and patch synthesis on a customer’s codebase. The plugin is configured at the organization level through the TAC console.
The third is the Daybreak Cyber Partner Program. This is a structured engagement track for security vendors and large enterprise security teams who want to integrate GPT-5.5-Cyber into their products or their internal tools. Partner companies named at launch include several SIEM vendors, two of the major SOAR platforms, and a small group of managed security service providers. The named-partner integrations bring GPT-5.5-Cyber capabilities into the security tooling that customers already use, rather than requiring direct API access.
The fourth is Patch the Planet, an open-source vulnerability disclosure initiative jointly announced with Trail of Bits and HackerOne. The program uses GPT-5.5-Cyber to scan open-source codebases for potential vulnerabilities, validate findings through Trail of Bits’ analysis pipeline, and surface confirmed issues through HackerOne’s disclosure infrastructure. The intent is to push large-scale automated vulnerability research toward defensive outcomes rather than leaving the same capability primarily available for offensive use.
What GPT-5.5-Cyber does that base GPT-5.5 does not
The differences between the cyber variant and the base model fall into three categories.
The first is capability. GPT-5.5-Cyber has been fine-tuned on a large corpus of security-domain data including vulnerability research papers, CVE disclosures with their associated patches, exploit code, malware analysis writeups, and historical SOC tickets with their resolutions. The fine-tuning produces a model that is more fluent in security-specific patterns: it recognizes vulnerability classes more readily, it produces more accurate exploit reasoning, and it generates more security-appropriate patches than base GPT-5.5 would for the same input.
The second is guardrail behavior. Base GPT-5.5 refuses or hedges on a wide range of security requests because the model cannot distinguish a defender’s legitimate research from an attacker’s reconnaissance. GPT-5.5-Cyber, used inside the TAC program, has relaxed guardrails on these patterns because the access model establishes the user’s defender identity at the platform layer rather than requiring the model to infer it from context. A TAC member asking GPT-5.5-Cyber to analyze an exploit chain gets a substantive analysis; the same request to base GPT-5.5 from an unverified user would get a hedged refusal.
The third is tool integration. GPT-5.5-Cyber ships with first-class integration with the Codex Security plugin, with the partner SIEM/SOAR integrations, and with the Patch the Planet pipeline. These integrations are not just about model availability; they include security-specific tool-call surfaces (querying CVE databases, fetching vulnerability advisories, validating against static analysis output, generating exploit harnesses for verification) that the base model does not have.
The combination of these three differences produces a model that is meaningfully more useful for defensive security work than base GPT-5.5 would be. The capability improvement is the smallest of the three for many use cases; the guardrail and tool-integration differences are what make GPT-5.5-Cyber a genuinely different product rather than a relabeled base model.
How Trusted Access for Cyber works
TAC is OpenAI’s vetting and access-control program for the cyber variant. The program restricts access to organizations that pass a verification process and that maintain ongoing operational compliance. The verification process examines the organization’s identity, its security posture, its stated use cases, and its compliance with OpenAI’s published acceptable use policy for the cyber variant.
The verification is meaningful rather than nominal. OpenAI has published that several organizations were rejected from TAC during the limited-preview phase, and that approved members must enable Advanced Account Security (which includes hardware-key authentication and IP allowlisting) as of June 1, 2026. The intent is that TAC’s access controls make it operationally hard for someone to use GPT-5.5-Cyber for offensive purposes even if they were able to obtain TAC credentials.
The TAC console is the management surface for member organizations. The console handles user provisioning, integration configuration, and usage telemetry. Member organizations can integrate GPT-5.5-Cyber directly through the OpenAI API with TAC credentials, or they can integrate through one of the partner platforms that has built TAC-aware integrations.
The TAC vetting is not free. The program has a meaningful annual subscription cost on top of standard OpenAI usage-based pricing for the model. The exact figures vary by organization size and use case and are negotiated rather than published. The pattern is that TAC is positioned for organizations whose security AI spend is in the high five-figures to low six-figures annually at minimum.
The benchmark results
OpenAI published three benchmark results with the launch. All three are widely-used cybersecurity AI benchmarks, though all three are also new enough that the benchmark community has not yet built strong norms around how to interpret marginal score improvements.
CyberGym is the most-cited of the three. It measures a model’s performance on a structured set of cybersecurity reasoning tasks including vulnerability identification, exploit chain construction, patch validation, and incident response triage. GPT-5.5-Cyber scored 85.6 percent on CyberGym, up from 81.8 percent for base GPT-5.5 and up from 78.4 percent for the limited-preview version of GPT-5.5-Cyber from May. The 7-point improvement over base is meaningful in absolute terms and represents a substantial step on a benchmark where each percentage point has been hard-won.
ExploitGym tests exploit synthesis specifically. The model is given a CVE description and source code excerpts and asked to produce a working exploit harness. The benchmark is more directly capability-revealing than CyberGym because there are fewer ways to score well without actually producing exploit-capable output. GPT-5.5-Cyber scored 39.5 percent on ExploitGym, up from 25.95 percent for base GPT-5.5. The 14-point improvement is the largest single jump in the announcement and is the result most often cited as evidence that the cyber fine-tuning is doing meaningful work.
SEC-bench Pro is a broader security-knowledge benchmark covering topics from cryptographic protocol analysis to incident response. GPT-5.5-Cyber scored 69.8 percent, up from 63.1 percent for base. The improvement is moderate and consistent with the cyber fine-tuning helping on knowledge-recall tasks without dramatically reshaping them.
The benchmark methodology is published in OpenAI’s accompanying technical report. The independent verification work is in early days. The UK AI Safety Institute published a pre-deployment evaluation alongside the launch that broadly agrees with OpenAI’s numbers, though AISI’s methodology focuses on specific risk dimensions rather than headline benchmark scores. The third-party benchmark verification ecosystem for cybersecurity AI is still maturing; treat the numbers as indicative rather than definitive.
The competitive landscape
GPT-5.5-Cyber lands in a market that has been actively forming through the first half of 2026. The other major participants:
Microsoft Security Copilot has been generally available since 2024 and is now bundled into Microsoft 365 E5 plans following an Ignite 2025 announcement. Security Copilot is deeply integrated with the Microsoft security stack (Defender, Entra, Intune, Purview, Sentinel) and is positioned as the natural choice for organizations heavily invested in Microsoft security tooling. The recent Microsoft 365 E7 SKU bundles Security Copilot with the rest of the security and identity products at $99 per user per month.
Google’s Sec-Gemini family includes the production SecLM platform powering Gemini in Google SecOps and the gated-access Sec-Gemini v1 research model. Google’s positioning emphasizes the integration with Google Threat Intelligence and the production SecOps workflow. The combination of Mandiant’s threat intelligence (acquired by Google in 2022) and Gemini-based reasoning is the differentiator Google leans on.
CrowdStrike’s Charlotte AI launched at RSA 2026 with Charlotte AI AgentWorks, a no-code platform for building custom security agents that can use multiple underlying models including (as of the announcement) Anthropic Claude and OpenAI’s models. CrowdStrike’s positioning is that the agentic orchestration layer is the value, with the underlying model being substitutable.
Anthropic’s Claude for security workloads has been in public beta as Claude Enterprise since April 30, 2026, running on Opus 4.7. Capabilities include vulnerability discovery, severity reasoning, targeted patch generation, secure code review, and data-flow tracing. Anthropic has positioned Claude as both a standalone product and as an underlying engine for competitors’ stacks, with CrowdStrike, Microsoft Security, Palo Alto, SentinelOne, and Wiz all integrating Opus 4.7. The recent restriction of the Mythos model has been a complication for some of these integrations.
GPT-5.5-Cyber enters this market with the strongest standalone-frontier-model story (the benchmark results, the focused fine-tuning, the gated access) but the smallest integrated security platform footprint (no Defender, no SecOps, no native SIEM). The Daybreak Cyber Partner Program is OpenAI’s mechanism for closing this footprint gap through integrations rather than building competing first-party platforms.
The market shape that has emerged: platform vendors (Microsoft, CrowdStrike, Palo Alto, SentinelOne, Cisco/Splunk) compete on agentic SOC orchestration tied to their existing telemetry, and model providers (Anthropic, Google, now OpenAI) compete on the underlying reasoning engine. The platform vendors and model providers are increasingly partnered with each other, which means the standalone-vs-platform framing is less polarized than it was even six months ago. Customer choice in 2026 is often less about which provider to use and more about which combination.
What this means for security operations
For an organization considering AI augmentation of its security operations, GPT-5.5-Cyber’s release does not change the strategic question; it changes the answer for some specific cases. The strategic question (should we use AI in our SOC, and how) remains the same as it was a month ago. The cases where GPT-5.5-Cyber is the right specific answer are those where:
The organization has the engineering depth to integrate a frontier model into its security tooling rather than just consuming a packaged product. The TAC access and the API integration are not turnkey; they require security-engineering investment.
The organization fits the TAC vetting criteria and is willing to commit to the program’s operational requirements (the Advanced Account Security setup, the use-case attestation, the recurring re-vetting).
The organization values the specific capability advantages that the cyber fine-tuning provides over base GPT-5.5 or over the competing security AI offerings. For vulnerability research and patch synthesis specifically, the GPT-5.5-Cyber benchmark numbers are meaningful enough that some teams will find the choice clear.
The organization is willing to pay the TAC subscription on top of usage-based model pricing. The break-even point depends on volume and on what the alternative is being benchmarked against.
For organizations that do not meet these criteria, the right answer is often one of the platform-integrated alternatives. Microsoft Security Copilot for Microsoft-stack customers, CrowdStrike Charlotte AI for CrowdStrike customers, Google SecOps for Google Cloud customers. These options are easier to adopt and produce most of the value without requiring the engineering depth of direct frontier-model integration.
The honest reading is that GPT-5.5-Cyber is positioned at the more sophisticated end of the security AI market and is not aiming to be the mass-market choice. The mass-market choice is the platform-integrated AI inside the security tools customers already buy. GPT-5.5-Cyber is for the smaller set of customers who want frontier capability with their own integration layer.
The dual-use consideration
A model that can analyze vulnerabilities to patch them can also analyze them to exploit them. This dual-use problem is the central tension in security AI and is the reason OpenAI built the TAC program in the first place. The TAC vetting and the Advanced Account Security requirements are the operational response to the dual-use risk: the access controls make it harder for an attacker to use GPT-5.5-Cyber, and the platform-layer identity verification removes the model’s ability to refuse defender requests on uncertainty grounds.
The approach is not the only one. Anthropic’s recent restriction of the Mythos model represented a different choice: rather than gating access through vetting, Anthropic restricted the model’s capabilities. The two approaches make different tradeoffs. Gated access produces stronger capability for verified users but creates a smaller eligible user base. Capability restriction makes the model broadly available but limits what it can do for anyone.
The right tradeoff depends on how one models the dual-use risk. If the worry is that bad actors will abuse capability that is too broadly available, gated access is the right answer. If the worry is that bad actors will work around access controls through credential compromise or insider threat, capability restriction is more defensible. Both worries are real and the choice between them is partly a judgment call about which risk model dominates.
OpenAI’s published rationale for the TAC approach emphasizes that the security domain benefits substantially from frontier capability, that legitimate defenders need that capability to keep pace with attackers who do not respect access controls, and that the right path is to give defenders the capability while making access difficult enough to compromise that it does not effectively reach attackers. This is a reasonable framing. Whether it is the right framing in the long run depends on how durably TAC’s access controls actually resist compromise. The early operational results from May and June will be the test.
Frequently asked questions
Can I use GPT-5.5-Cyber through the standard ChatGPT or OpenAI API today? No. Access requires TAC vetting. Standard ChatGPT and the standard API give you base GPT-5.5, which has the hedged guardrails on security topics.
What does TAC vetting actually verify? Identity of the organization, the security posture of the requesting team, the use cases that will be served, and ongoing compliance with the published acceptable use policy. The verification is performed by OpenAI staff and takes several weeks for typical applications.
Is GPT-5.5-Cyber available in regions outside the US? TAC has been expanding regional availability through the year. As of the June 22 launch, the US, UK, Germany, France, Japan, and Australia are supported. Other regions are on the roadmap with no committed timeline.
How does pricing compare to base GPT-5.5? The per-token rates for GPT-5.5-Cyber match base GPT-5.5. The TAC subscription is an additional annual fee on top of usage-based pricing. The combined cost is meaningfully higher than base GPT-5.5 alone for organizations with non-trivial volumes.
Can I use GPT-5.5-Cyber with Claude Code, Cursor, or other agentic coding tools? The Codex Security plugin is the OpenAI-supplied integration. Third-party agentic tools can integrate through the API if their customers have TAC credentials, but the integrations are customer-by-customer rather than packaged into the tools.
Does GPT-5.5-Cyber participate in Claude-style "thinking" budgets? GPT-5.5-Cyber inherits the reasoning-budget parameter from base GPT-5.5. Security workloads benefit from moderate-to-high budgets because the reasoning depth matters substantially for the harder vulnerability and exploit analysis tasks.
Is the Patch the Planet initiative open to outside contributors? The disclosure pipeline is operated by Trail of Bits and HackerOne with OpenAI providing the model. Outside researchers can submit findings through HackerOne’s existing infrastructure; the model-based analysis happens upstream of submission.
How does GPT-5.5-Cyber relate to the OpenAI Daybreak announcement from earlier in the year? Daybreak is the umbrella for OpenAI’s cybersecurity initiatives. GPT-5.5-Cyber is the model component. The earlier Daybreak announcement covered the program’s structure and the initial partner roster; today’s announcement is the model’s full release and the expanded partner program.
What happens to organizations currently on the limited-preview GPT-5.5-Cyber? Preview customers transition automatically to the full release. The model version updates, the partner integrations expand, and the TAC subscription terms shift to the GA pricing structure at the customer’s renewal.
Is there a smaller, lower-cost cyber model variant? Not at launch. OpenAI has indicated that a smaller cyber-tuned model based on GPT-5.5-mini is in development, with availability expected in Q4 2026. The smaller variant would address use cases where the TAC subscription cost is hard to justify for the volume.
