
GPT-5.5
OpenAI model; matched Mythos on the 32-step attack benchmark; cited by Anthropic in June 2026 export-control dispute.
Last refreshed: 13 June 2026 · Appears in 2 active topics
Is GPT-5.5 the second AI that can carry out a full corporate cyberattack without human help?
Timeline for GPT-5.5
Mentioned in: Anthropic AI ban enters its second week
AI: Jobs, Power & MoneyRemained on sale after the directive despite Anthropic citing it as having the same vulnerability
AI: Jobs, Power & Money: Washington pulls a live AI modelMentioned in: OpenAI heads to market losing money
AI: Jobs, Power & MoneyCleared AISI's 32-step autonomous attack chain benchmark, becoming second model to do so
AI: Jobs, Power & Money: GPT-5.5 clears 32-step attack chain; two models in five daysAISI: GPT-5.5 matches Mythos on 32-step attack
AI: Jobs, Power & MoneyWhat is GPT-5.5 and what did it achieve on the AISI benchmark?
What is the AISI 32-step 'The Last Ones' benchmark?
Which AI models have passed the AISI autonomous cyberattack benchmark?
Background
GPT-5.5 is an AI model released by OpenAI. On 1 May 2026, the UK AI Security Institute (AISI) published an evaluation in which GPT-5.5 scored 71.4% on expert-level capture-the-flag cybersecurity tasks, with 73% on the Mythos benchmark, and became only the second model to complete AISI's 32-step "The Last Ones" enterprise network attack range end-to-end. The first model to pass this benchmark was Anthropic's Claude Mythos Preview.
The 32-step benchmark simulates autonomous traversal of a corporate network, from initial access through lateral movement to data exfiltration. AISI estimated the capability demonstrated is equivalent to approximately 20 hours of trained-human work performed autonomously. The benchmark's completion by a second model signals that advanced autonomous cyberattack capability is no longer exclusive to one frontier AI laboratory.
On 12 June 2026, GPT-5.5's presence in the market became directly relevant to the first US government suspension of a commercial AI product. When Commerce Secretary Howard Lutnick issued a directive forcing Anthropic to disable Claude Fable 5 and Claude Mythos 5 over a claimed jailbreak, Anthropic publicly cited GPT-5.5 as evidence that the capability is widely available: the same jailbreak vector was assessed to be present in GPT-5.5, which remained on sale and was not subject to any equivalent directive. The discrepancy raised immediate questions about the consistency of the export-control framework and whether Anthropic was being treated differently from its primary commercial rival.