OpenAI just announced that GPT-5.5 Cyber, its specialized cybersecurity testing tool, will initially be available only to “critical cyber defenders.” That means no public access, no open beta, no letting script kiddies poke at it. Just a curated list of vetted security teams.
This is the same company that, not long ago, publicly criticized Anthropic for limiting access to its own cybersecurity model, Mythos. Remember that? OpenAI’s team was quick to call it anti-competitive, claiming that restricting access stifles innovation and leaves the broader security community in the dark.
Now they’re doing the exact same thing. The irony isn’t lost on anyone who’s been watching this space.
Look, I get the logic. Cyber is a powerful model designed to find and exploit vulnerabilities. In the wrong hands — or even in moderately careless ones — it could cause real damage. A public release would be reckless. OpenAI’s cautious rollout is the responsible move.
But the hypocrisy stings. You can’t bash a competitor for the same strategy you’re now adopting without looking like you’re playing politics. Either both approaches are wrong, or both are right. OpenAI seems to want it both ways.
Still, let’s talk about what Cyber actually does. It’s built on GPT-5.5, fine-tuned on penetration testing data, vulnerability databases, and exploit patterns. Early benchmarks show it outperforms Mythos on several standard CTF (Capture The Flag) challenges and bug bounty scenarios. That’s genuinely impressive.
The restricted access model also makes practical sense. Security teams are already drowning in false positives and manual triage. A tool that can autonomously probe systems and generate actionable reports is a game-changer — but only if it’s used responsibly. OpenAI’s vetting process, whatever it ends up looking like, could prevent another SolarWinds-style disaster.
What I’m less convinced about is the timeline. OpenAI says “at first,” which implies eventual broader access. When? Under what conditions? And who decides who qualifies as a “critical cyber defender”? The lack of transparency here is frustrating. If you’re going to gatekeep a powerful tool, at least explain the criteria.
Anthropic hasn’t commented publicly on OpenAI’s move, but I imagine there’s some quiet satisfaction in Redwood City. They took the heat for being cautious, and now OpenAI is following the same playbook. If anything, this validates Anthropic’s original decision.
For the rest of us — researchers, hobbyists, small security firms — we’re left waiting. Maybe Cyber will trickle down eventually. Maybe it won’t. Either way, the message is clear: AI-powered hacking tools are too dangerous to leave unguarded, and the companies building them are finally acting like it.
That’s a good thing, even if the path there was hypocritical.
Comments (0)
Login Log in to comment.
Be the first to comment!