For years we’ve been chronicling our work to accelerate cybersecurity defenders, as part of our broader work to build the core infrastructure for AI. Last week, we released our action plan Cybersecurity in the Intelligence Age, which lays out our vision for democratizing AI-powered defense. Two weeks ago, we released GPT‑5.5, our smartest and most intuitive model to date, which is already delivering powerful cybersecurity capabilities to developers and security teams through Trusted Access for Cyber (TAC).
Today, we are rolling out GPT‑5.5‑Cyber in limited preview to defenders responsible for securing critical infrastructure to support specialized cybersecurity workflows that help protect the broader ecosystem.
We are focused on providing proportional safeguards and access to empower cyber defenders to protect society, and our approach has been informed by conversations with cybersecurity and national security leaders across federal and state government and major commercial entities.
The cyber defense ecosystem is broad, and GPT‑5.5 and GPT‑5.5‑Cyber play different roles in meeting the needs of organizations and researchers across it, depending on the task, the setting, and the safeguards around how the model is used. For most teams, GPT‑5.5 with TAC is our strongest broadly useful model for legitimate defensive work, with strong safeguards against misuse.
In this post, we are sharing more details on how Trusted Access for Cyber works, how GPT‑5.5 and GPT‑5.5‑Cyber meet the varied needs of defenders across the ecosystem, and how different levels of access affect model outputs.
How trusted access works
Trusted Access for Cyber is an identity and trust-based framework designed to help ensure enhanced cyber capabilities are being placed in the right hands. It is designed to make the cyber capabilities of GPT‑5.5 more useful for verified defenders working on defensive tasks, while continuing to restrict requests that could enable real-world harm.
When defenders are vetted and approved for Trusted Access for Cyber, they receive lower classifier-based refusals to enable authorized cybersecurity workflows, including vulnerability identification and triage, malware analysis, binary reverse engineering, detection engineering, and patch validation. Safeguards continue to block malicious activity such as credential theft, stealth, persistence, malware deployment, or exploitation of third-party systems.
As we announced last week, with increased access, defenders are required to have phishing-resistant account security protections. Individual members of Trusted Access for Cyber accessing our most cyber capable and permissive models will be required to enable Advanced Account Security beginning June 1, 2026. Organizations with trusted access can, as an alternative, attest that they have phishing resistant authentication as part of their single sign-on workflow.
Here is a breakdown for how to think about the current trusted access levels:
Access | What changes | Intended use cases |
GPT-5.5 (default) | Standard safeguards for general-purpose use | General-purpose, developer, and knowledge work |
GPT-5.5 with TAC | More precise safeguards for verified defensive work in authorized environments | Most defensive security workflows, including secure code review, vulnerability triage, malware analysis, detection engineering, and patch validation |
GPT-5.5-Cyber | Most permissive behavior for specialized authorized workflows, paired with stronger verification and account-level controls | Preview access for specialized workflows, including authorized red teaming, penetration testing, and controlled validation |
The differences between model access levels are most pronounced when comparing prompts and responses. The first example illustrates how GPT‑5.5 compares to GPT‑5.5 with Trusted Access for Cyber on a defensive task: create a proof-of-concept from a published vulnerability to validate remediation within an authorized environment.
Prompt
create a proof of concept with the exploit, then document in README.md for this CVE: - cve.org/CVERecord?id=CVE-2025-55182 - react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
GPT-5.5 (default)
GPT-5.5 with TAC
For most defenders, GPT‑5.5 with Trusted Access for Cyber is the right starting point: this model can handle the vast majority of legitimate defensive workflows while preserving the model's broad strengths and safety posture. That includes secure code review, vulnerability triage, malware analysis, detection engineering, and patch validation.
More specialized access becomes relevant only when authorized workflows still run into refusals. This occurs with higher risk workflows such as red teaming and penetration testing, where defenders may need to go beyond analysis, and validate exploitability in a controlled environment. GPT‑5.5‑Cyber is designed to facilitate these more specialized dual-use workflows.
Here’s a simple example that shows what that looks like in practice:
Prompt
Test the above exploit by executing uname on a live target: xyz.example.domain
GPT-5.5 with TAC
GPT-5.5-Cyber
How GPT‑5.5 and GPT‑5.5‑Cyber perform on cyber tasks
GPT‑5.5 is our smartest, most intuitive model for both general-purpose knowledge work and cybersecurity tasks, and it is the model we expect most defenders to use. We evaluate cyber performance on tasks that require multi-step reasoning, tool use, and persistence across realistic defensive workflows.
The initial preview of cyber-permissive models like GPT‑5.5‑Cyber is not intended to significantly increase cyber capability beyond GPT‑5.5 - it’s primarily trained to be more permissive on security-related tasks.
As a result, this first preview is not expected to outperform GPT‑5.5 across every cyber evaluation. Instead, it supports an iterative deployment process to both accelerate defenders and safely support more specialized authorized workflows that require more permissive behavior, paired with stronger verification, misuse monitoring, approved-use scoping, and partner feedback. For now, GPT‑5.5 with Trusted Access for Cyber remains the recommended starting point for most security workflows.
Scaling defensive capability across the security ecosystem
We are partnering with security vendors because they sit where model capability can become customer protection: discovery, development, detection, response, and network enforcement. When those layers improve together, they create a security flywheel: researchers disclose vulnerabilities with exploit proof-of-concepts and patch guidance, software supply chain tools prevent vulnerable code and compromised dependencies from reaching production, EDR and SIEM partners detect exploitation in the wild, and network and security providers deploy WAF-level mitigations while fixes roll out.
GPT‑5.5 with Trusted Access for Cyber is the broad starting point for this work. It can help verified defenders move faster across the security lifecycle, while GPT‑5.5‑Cyber lets a smaller set of partners study advanced workflows where specialized access behavior may matter. The goal is to help the security ecosystem protect customers faster, then learn from partner feedback where tighter evaluation, verification, or safeguards are needed.
Network and security providers
Network and security providers can reduce exposure while fixes are still rolling out. As defenders validate a vulnerability and watch for exploitation, they can also deploy WAF rules, edge mitigations, and configuration changes that blunt likely attack paths before every affected system has been remediated. GPT‑5.5 can support rule review, configuration analysis, incident investigation, and secure change management across complex environments.
We’re working with these partners to help us evaluate how those capabilities translate into protections customers can deploy at internet scale, including for critical infrastructure and public services where reducing exposure quickly matters.
“At Cisco, we view frontier models as a powerful force multiplier for defenders. Models like GPT-5.5 are fundamentally changing the velocity of our operations, enabling us to move faster on everything from incident investigation to proactive exposure reduction. But speed cannot be traded for trust. The true value of this technology isn't found in the model alone, but in the enterprise-ready framework we wrap around it. A framework that helps us make more secure products. Our focus is on transforming our secure development and operations processes with these new capabilities. For us, it's about enabling innovation that is as reliable as it is fast.”
— Anthony Grieco, SVP, Chief Security & Trust Officer, Cisco
Vulnerability research and patching
The flywheel starts with finding vulnerabilities, validating their criticality, and patching affected systems. GPT‑5.5 with Trusted Access for Cyber can help with most of this work: understanding unfamiliar code, mapping affected surfaces, tracing root cause, reviewing patches, building safe reproduction harnesses, prioritizing severity, and turning findings into remediation guidance.
Some vulnerability research requires more permissive behavior, especially when authorized partners need exploit proof-of-concepts for coordinated disclosure or controlled validation. Those are the workflows where GPT‑5.5‑Cyber can help us learn with a smaller set of partners, under stronger verification, monitoring, and feedback loops.
“Intel is a leader in silicon and software, providing a trusted foundation for the global computing industry. As AI models continue to advance in reasoning and speed, their ability to identify, analyze, and help mitigate security threats becomes increasingly critical. Intel looks forward to partnering with OpenAI to bring governed, scalable AI capabilities into real-world cyber workflows—helping enterprises accelerate vulnerability research, strengthen remediation processes, and operate more securely at scale.”
— Dhinesh Manoharan, Head of INT31 Security Research, Intel Corporation
**
Detection and monitoring**
If vulnerable software is already deployed, the next question is whether anyone is exploiting it. EDR, SIEM, IGA/PAM, and monitoring partners turn a new advisory into evidence from live environments: telemetry, alerts, detections, and response workflows. GPT‑5.5 can help analysts connect those signals, summarize what matters, draft detections, and move more quickly from disclosure to investigation. That same loop is especially important in cloud environments, where exposure, remediation, and detection are tightly coupled.
“At SentinelOne, the real value of AI is how quickly it helps us turn signals into an actionable advantage for defenders. GPT-5.5 helps analysts connect telemetry, focus on what matters, and strengthen how organizations investigate, detect, and respond to emerging threats.”
— Gregor Stewart, Chief AI Officer, SentinelOne
Software supply chain security
The next turn is preventing known-bad code from reaching production in the first place. Once a vulnerability or package compromise is understood, software supply chain tools can help stop risky dependencies, malicious updates, and vulnerable code paths before they spread across customer environments. GPT‑5.5 with Trusted Access for Cyber can help inspect dependency changes, reason about exploitability in owned code, prioritize remediation, and surface suspicious package behavior earlier in the development cycle.
Partners such as Snyk, Gen Digital, Semgrep, and Socket can help us test how these capabilities apply to incidents like the axios compromise, where the fastest fix is preventing vulnerable or compromised dependencies from entering the build at all.
“Attackers are already weaponizing frontier models. By deploying OpenAI’s Trusted Access for Cyber and GPT-5.5, we are giving defenders at Snyk the capability they need to protect critical supply chains. This partnership isn’t just a milestone; it’s a strategic necessity.”
— Manoj Nair, Chief Innovation Officer, Snyk
Codex Security for open source and defenders
Open source is one of the fastest ways a vulnerability can spread across the ecosystem, so we are also investing upstream with maintainers. Codex Security helps teams identify, validate, and remediate vulnerabilities by building a codebase-specific threat model, exploring realistic attack paths, validating issues in isolated environments, and proposing patches for human review.
Through Codex for Open Source, selected maintainers of critical projects can receive conditional access to Codex Security alongside Codex and API credits to reduce maintenance and review load.
We’ve also released a Codex Security plugin that brings the existing security workflow directly into any Codex interface like the app or CLI, helping developers move from threat modeling to finding discovery, validation, attack-path analysis, and verified fixes.
Looking ahead
As models become more capable in cybersecurity, the best use of that capability is to help defenders find and fix weaknesses faster. Expanding access to those capabilities responsibly requires stronger confidence in who is using the model, what systems they are targeting, and whether the work is authorized. As stronger identity and organization verification, approved-use scoping, and misuse monitoring improve, we expect access to broaden over time.
Gaining access to Trusted Access for Cyber is straightforward:
All customers approved through this process will gain access to versions of existing models with reduced friction around safeguards which might trigger on dual-use cyber activity, allowing them to continue to support security education, defensive programming, and responsible vulnerability research.
During alpha testing, GPT‑5.5‑Cyber has already been used to scale automated red-teaming of critical systems and validate high-severity vulnerabilities, which we will document in a future technical deep-dive as part of responsible disclosure.
We expect to continue to accelerate defenders with various models, including both our flagship models through Trusted Access for Cyber, and with dedicated cyber models like GPT‑5.5‑Cyber and even more cyber-capable models in the future.
Instagram Engineering
Shopify Engineering