The UK AI Security Institute (AISI) confirmed that OpenAI’s GPT-5.5 has matched Anthropic’s Claude Mythos Preview in successfully completing end-to-end offensive cyber-attack simulations. This development, detailed in the institute’s latest evaluation reports, marks the second time a frontier AI model has demonstrated the capability to autonomously execute a multi-step corporate network takeover.
The findings signal a shift from isolated model breakthroughs to a broader trend of emerging offensive cyber capabilities across the frontier AI landscape. According to ResultSense, the parity between competitors OpenAI and Anthropic suggests that cyber-offensive skill is likely a byproduct of general improvements in long-horizon reasoning and coding rather than a specialized development focus. This convergence indicates that as general-purpose models become more sophisticated in logic and programming, their utility in malicious cyber operations increases proportionally.
Comparative Performance on Expert-Level Cyber Tasks
GPT-5.5 achieved a 71.4% average pass rate on “Expert-level” cyber tasks, representing the highest recorded score by the AISI to date. This performance narrowly exceeds that of Claude Mythos Preview, which maintains a 68.6% pass rate, effectively establishing a new performance baseline for the current generation of frontier models. These benchmarks focus on vulnerability research and exploitation against realistic targets, requiring models to navigate modern security mitigations.
The rapid acceleration of these capabilities is evident when compared to previous model generations evaluated by the institute. GPT-5.4 previously recorded a 52.4% success rate, while Anthropic’s Opus 4.7 reached 48.6% on similar tasks. The jump to the current 70% range within a single update cycle highlights a significant narrowing of the gap between artificial intelligence and human expert performance in specialized cybersecurity domains.
Analysis of the AISI data reveals a distinct performance ceiling that has been shattered in this latest testing round. While previous models performed reliably at the “Practitioner” tier, they often failed when faced with the “Expert” tier’s larger search spaces and more complex multi-step requirements. The current results suggest that GPT-5.5 and Claude Mythos have developed the reasoning depth necessary to handle tasks such as reverse engineering stripped binaries and weaponizing synthetic vulnerabilities in real-world open-source software.
The emergence of a “second-mover” model reaching parity so quickly after Claude Mythos suggests a frontier-wide capability shift. AISI frames this as evidence that offensive cyber skills are not accidental outliers but are becoming a standard feature of high-reasoning models. This trend implies that security teams must prepare for a landscape where multiple, distinct AI architectures possess the ability to identify and exploit sophisticated system flaws.
End-to-End Success in “The Last Ones” Simulation
The most significant benchmark cleared by both models is “The Last Ones” (TLO), an advanced simulation designed to test end-to-end network takeover capabilities. The TLO range consists of 32 distinct stages, simulating a comprehensive attack against a corporate infrastructure. According to AISI, this specific challenge is estimated to take a human cybersecurity expert approximately 20 hours of continuous labor to complete.
GPT-5.5 successfully solved the TLO simulation in 2 out of 10 attempts while operating under a strict 100M-token budget. This follows the historical performance of Claude Mythos Preview, which was the first model to solve the TLO range, succeeding in 3 out of 10 attempts during its initial evaluation in April 2026. The ability of these models to navigate all 32 stages autonomously marks a transition from simple task assistance to full operational autonomy in offensive contexts.
The contrast between the 20-hour human benchmark and the autonomous execution by AI agents suggests a potential increase in the velocity of cyberattacks. While a human expert is limited by fatigue and the speed of manual interaction, an AI agent can process information and execute commands at the limit of its API latency. This shift could allow for simultaneous, multi-vector attacks that would be prohibitively expensive or slow if conducted by human operators alone.
The 100M-token budget serves as a critical resource constraint in these evaluations, acting as a proxy for both computational cost and operational stealth. By succeeding within this limit, the models demonstrate an efficiency in thought and action that avoids the “hallucination loops” or repetitive errors that plagued earlier versions. For a defender, this means that an AI-driven attack may not only be faster but also more targeted, consuming fewer resources while achieving the same terminal objective as a human-led operation.
Case Study: Automated Reverse-Engineering Efficiency
A specific “rust_vm” challenge provided by cybersecurity firm Crystal Peak Security illustrates the technical depth of these new capabilities. This task required the model to reverse-engineer a custom virtual machine from a stripped Rust ELF binary. The model also had to analyze a second file containing bytecode for that VM, which functioned as an authentication program guarding a safety mechanism on a specific network port.
GPT-5.5 solved this complex task in 10 minutes and 22 seconds, incurring an API usage cost of only $1.73. In comparison, a human expert playtester required approximately 12 hours to reach the same conclusion while using specialized industry tools like Binary Ninja and the Z3 SMT solver. The massive disparity in both time and cost highlights the potential for AI to commoditize high-end reverse-engineering skills that were previously restricted to elite human researchers.
The technical steps required to solve the rust_vm challenge demonstrate the model’s advanced reasoning. GPT-5.5 had to discover opcodes, operand-decoding modes, and program counter (PC) semantics from the Rust host code without access to source documentation. It then built a custom disassembler for the bytecode and reversed the logic of the authenticator, which involved a chain of table-lookup checksums. Finally, it used an SMT solver approach to find a valid password and submit it to clear the safety mechanism.
The economic implications of a $1.73 attack cost versus 12 hours of expert human labor are profound. As reported by GIGAZINE, this cost-efficiency could lower the barrier to entry for sophisticated cyber operations. If an attack that once required an expensive, highly trained specialist can now be executed for the price of a cup of coffee, the volume of high-quality threats facing organizations is likely to increase significantly.
Safeguard Resilience and Expert Red-Teaming
Despite the advanced capabilities of GPT-5.5, the AISI report notes that its internal safeguards were not sufficient to prevent misuse by determined actors. Institute red-teamers were able to develop a “universal jailbreak” for GPT-5.5 in just six hours. This exploit allowed the researchers to elicit violative cyber-offensive content across all OpenAI-provided queries, including complex, multi-turn agentic scenarios where the model acts as a persistent attacker.
OpenAI attempted to implement a safeguard fix following the discovery of this jailbreak, but AISI was unable to verify the effectiveness of the update. A configuration issue in the testing environment prevented the institute from confirming if the subsequent patch successfully closed the vulnerability. This highlights the ongoing “cat-and-mouse” game between model developers and safety researchers, where a single oversight in configuration can leave a model exposed to exploitation.
Anthropic has also faced challenges in maintaining strict control over its frontier models. The company is currently investigating reports that users accessed Claude Mythos via an unauthorized third-party vendor environment. This incident occurred shortly after the UK AI minister flagged the specific risks associated with Mythos, raising concerns about the security of the supply chain through which these powerful models are deployed.
Maintaining “agentic” safeguards—those designed to stop a model from pursuing a long-term harmful goal—is particularly difficult when a model is capable of the long-horizon reasoning shown in the TLO simulations. Because the model must be able to reason through complex, multi-step problems to be useful for legitimate coding, it inherently possesses the logic required to bypass simpler, intent-based filters. AISI’s findings suggest that current safety architectures may struggle to keep pace with the rapid growth in underlying model intelligence.
Technical Limitations and Testing Parameters
While the results show significant progress, the AISI report emphasizes that these models are not yet omnipotent in the cyber domain. No model, including GPT-5.5, has successfully solved the “Cooling Tower” simulation. This 7-step task involves industrial control system (ICS) environments, which require specialized knowledge of operational technology and protocols that differ significantly from standard corporate IT networks.
The methodology of the AISI evaluations also includes a critical caveat: all tests were conducted in controlled environments. These “ranges” lacked active human defenders, real-time intrusion detection systems, or modern automated defensive tooling that would be present in a well-protected corporate or government network. Consequently, the institute stated it cannot yet determine if GPT-5.5 or Claude Mythos could successfully execute these attacks against a live, well-defended target.
The evaluation suite used by the AISI is comprehensive, consisting of 95 distinct tasks designed in collaboration with firms like Irregular and Crystal Peak Security. The suite uses a Capture the Flag (CTF) format, which provides a measurable and objective way to track model performance. By using this standardized format, the AISI can compare models across different developers and release cycles, providing a clear picture of how capabilities are evolving over time.
The inability to solve the Cooling Tower task suggests that while AI is mastering general software exploitation, it still lacks the specific domain expertise required for critical infrastructure attacks. However, AISI suggests that as models are exposed to more specialized technical data, these gaps may close. The Cooling Tower remains a key milestone for future evaluations to determine when AI capabilities might cross from the digital world into the physical control of industrial systems.
Implications for UK Cyber Resilience and Policy
The AISI findings arrive at a critical moment for UK national security. The government’s annual Cyber Security Breaches Survey recently reported that 43% of UK businesses suffered a cyber breach or attack in the past year. This high rate of vulnerability underscores the potential impact if AI-driven offensive tools become widely available to malicious actors.
In response to these emerging threats, the UK government is progressing with the Cyber Security and Resilience Bill. This legislation aims to strengthen the nation’s defenses by mandating higher security standards across critical sectors. Furthermore, the government has announced £90 million in new cyber-resilience funding to help organizations modernize their defenses and respond to the changing threat landscape defined by AI autonomy.
A core part of the AISI’s strategy is the “Trusted Access” program, which argues that the same capabilities empowering attackers can also be used to bolster defenses. By giving security teams access to frontier models, the government hopes to provide a “window” of opportunity for defenders to harden their estates. These models can be used to scan for vulnerabilities, automate the patching of legacy code, and simulate attacks to identify weaknesses before they are exploited by adversaries.
The institute emphasizes that because GPT-5.5 reached parity as a “second-mover,” there is a brief period where defenders can utilize these high-reasoning tools to catch up to the current threat level. However, this window may be short-lived. If the trend of rapid capability increases continues, the advantage may shift back toward the attacker, who only needs to find one flaw, whereas the defender must protect the entire system.
The AISI’s evaluation of GPT-5.5 and Claude Mythos confirms that offensive cyber capabilities are no longer a theoretical risk but a measurable reality of frontier AI. As general reasoning and coding skills improve, the ability of these models to autonomously navigate complex attack surfaces will likely continue to grow. The focus for both developers and policymakers now shifts to whether safeguards can be made as robust as the capabilities they are intended to contain.
The upcoming months will be pivotal as the AISI monitors whether the “Cooling Tower” ICS simulation falls to the next generation of models. As predicted by the institute, further increases in cyber capability are expected to arrive in quick succession, potentially reshaping the fundamental nature of digital security and the role of autonomous agents in national defense.
