GPT-5.5 Solved 92.4% of Offensive Cyber Tasks and Broke the Benchmark: AI Offensive Capability Is Doubling Every Six Months and the Ruler Can’t Keep Up
Sources: Lyptus Research — “GPT-5.5 Saturates Offensive Cyber Evaluation System” (May 27, 2026) · UK AI Security Institute (AISI) — “Our Evaluation of OpenAI’s GPT-5.5 Cyber Capabilities” (April 30, 2026) · OpenAI GPT-5.5 System Card (Deployment Safety Hub) · OpenAI GPT-5.5-Cyber announcement (May 7, 2026) · OpenAI GPT-5.6 Sol preview (June 26, 2026) · MindFort AI — “How Good Is GPT-5.5 for Cybersecurity?” · MindFort AI — “How Good Is GPT-5.6 for Cybersecurity?” · Cloud Security Alliance — “Government-Gated AI: GPT-5.6 Sol’s Dual-Use Cybersecurity Implications” · Infosecurity Magazine (July 16, 2026) | Models covered: GPT-5.5 · GPT-5.5-Cyber · GPT-5.6 Sol/Terra/Luna | Key researchers: Lyptus Research (AU) · UK AISI · Irregular (external OpenAI red team) · Crystal Peak Security | Benchmarks: CyberGym · CTF challenges · CVE-Bench · VulnLMP · ExploitBench · ExploitGym · SEC-Bench Pro · CyScenarioBench | AI offensive doubling pace: Every 5–6 months (Lyptus Research, tracked since 2024)
The benchmark was built in December 2025 using “the hardest questions available globally.” GPT-5.5 saturated it in five months. The researchers declared the evaluation system broken.
On May 27, 2026, Australian research institution Lyptus Research published a report with a finding that forced a complete rethink of how offensive AI capability is measured: GPT-5.5 had solved 292 out of 316 offensive cybersecurity tasks across their evaluation suite, achieving a 92.4% accuracy rate, and in doing so had saturated all seven of their hardest benchmarks simultaneously. The team’s conclusion was not that GPT-5.5 was impressive — it was that their evaluation methodology was no longer functional. A benchmark that is saturated cannot differentiate between models or measure future capability growth. The ruler had broken.
Lyptus had begun building the evaluation in December 2025, deliberately selecting what they assessed as the hardest available offensive cybersecurity questions globally — spanning exploit utilization, CTF flag capture, and real CVE reproduction — with human security expert completion time as the baseline for each task. By their first-edition report in March 2026, there were already signs of data saturation. By May, GPT-5.5 had made the entire framework obsolete. The research team’s judgment: the evaluation method is “no longer applicable” for such tasks.
This finding is the backdrop for everything DataWater has documented in 2026: the JADEPUFFER AI agent ransomware attack, the $1,000 AI agent finding 21 FFmpeg zero-days, the Mythos finding Squidbleed, and the AI missing Bad Epoll in the same code. The models driving those outcomes are operating at capability levels that formal evaluation systems can no longer adequately characterize.
| Benchmark / Metric | GPT-5.5 Result | Context |
|---|---|---|
| Overall Lyptus suite | 292/316 tasks — 92.4% accuracy | All 7 hardest benchmarks saturated — evaluation declared broken |
| CyberGym (2M token budget) | 54.4% | Hardest single benchmark in the Lyptus suite |
| CyberGym (50M token budget) | 86.4% | +32 percentage points from token budget alone — same model |
| Irregular atomic — Network Attack Simulation | 98% success rate | Third-party red team engaged by OpenAI |
| Irregular atomic — Vulnerability Exploitation | 92% success rate | Real CVE reproduction tasks |
| CyScenarioBench (long-horizon) | More than half solved | Multi-step autonomous offensive scenarios |
| UK AISI basic suite | Fully saturated since Feb 2026 | Models have saturated basic tasks for months |
| UK AISI advanced suite | Rapid improvement confirmed | Realistic targets, modern mitigations, complex search space |
| Time horizon (Claude Opus 4.6, GPT-5.3 Codex) | ~3.1–3.2 hours | January 2026 baseline across top models |
| Time horizon (GPT-5.5) | 5.1 hours | Two months later — beyond 12-hour limit expected soon |
| OpenAI Preparedness Framework rating | High cybersecurity capability | First OpenAI model to reach this designation |
| Doubling pace (Lyptus tracked since 2024) | Every 5–6 months | Consistent trend across model generations |
What the benchmarks actually measure — and what they don’t
The benchmarks Lyptus, AISI, and Irregular used cover five distinct categories of offensive cybersecurity capability that map directly to real attack workflows:
- Exploit utilization — given a known vulnerability and a target environment, construct and execute a working exploit
- CTF flag capture — solve competitive capture-the-flag challenges requiring multi-step reasoning across reconnaissance, exploitation, and post-exploitation
- Real CVE reproduction — reproduce documented vulnerabilities against realistic target environments, not sanitized lab setups
- Network attack simulation — plan and execute multi-step network intrusion scenarios including lateral movement and privilege escalation
- Long-horizon offensive scenarios (CyScenarioBench) — autonomous multi-step offensive operations requiring planning, execution, adaptation to failures, and complex objective completion without human guidance between steps
What the benchmarks do not measure — and what OpenAI’s own system card explicitly acknowledges — is the complete cyberattack lifecycle in real production environments with real defenders responding in real time. GPT-5.6 Sol can identify security flaws and components of an exploit, but in OpenAI’s tests it could not carry out a complete cyberattack on its own. JADEPUFFER demonstrates that this gap can be bridged with an agent framework and pre-positioned infrastructure — the benchmark and the real-world attack are not the same thing, but the benchmark capability is the necessary precondition for the real-world attack.
The token budget finding — compute is now a direct multiplier on offensive AI capability
The most operationally significant finding in Lyptus’s research is not the headline accuracy rate — it is the token budget result. On the hardest benchmark, CyberGym, GPT-5.5 scored 54.4% with a 2-million token budget. With a 50-million token budget, that rose to 86.4% — a 32-point jump for the same model. Token budget is a function of compute cost, which means offensive AI capability on the hardest tasks is not purely a function of which model you use; it is a function of how much compute you deploy.
A well-resourced attacker who can afford 50 million token inference on CyberGym-class tasks operates at a fundamentally different capability level than one constrained to 2 million tokens. As JADEPUFFER demonstrated, an attacker who has already compromised LLM API keys can run inference at the victim’s expense — effectively eliminating the attacker’s compute cost constraint entirely. The LLMjacking vector is not just an economic curiosity. It is the mechanism by which a compute-constrained attacker becomes a compute-unconstrained one, at the victim’s expense.
The doubling curve — and why your current threat model is already stale
Since 2024, Lyptus has tracked and fitted the conclusion that offensive AI cybersecurity capabilities double every 5 to 6 months. This is not a prediction — it is a fitted curve from observed benchmark data across multiple model generations. The data points: at the start of 2026, Claude Opus 4.6 and GPT-5.3 Codex both had autonomous time horizons of approximately 3.1–3.2 hours. Two months later, GPT-5.5 reached 5.1 hours. The 12-hour measurement ceiling Lyptus uses is expected to be exceeded soon — at which point the metric itself becomes unrepresentative of what the model can do.
The practical implication: a threat model built on what AI agents could do six months ago is already outdated. A threat model built on today’s capability will be outdated by January 2027. This is a reason to build threat models with explicit capability trajectory assumptions — “AI agents can currently perform X; in six months they will likely be able to perform Y” — and to revisit them on a six-month cycle rather than annually.
The UK AISI evaluation — independent government confirmation
The UK AI Security Institute published an independent evaluation of GPT-5.5’s cyber capabilities on April 30, 2026. Their basic suite — tasks like recovering a flag from a packet capture, cryptanalysing a misused cipher, or reverse-engineering a small binary — had been fully saturated by models since at least February 2026. For their advanced suite, built in collaboration with Crystal Peak Security and Irregular and specifically designed to probe vulnerability research and exploitation against realistic targets with modern mitigations, the AISI found rapid improvement on GPT-5.5 relative to prior generations. Their summary: GPT-5.5 shows that rapid improvement on cyber tasks may be part of a more general trend. The AISI used the same external tester — Irregular — as OpenAI’s own red-team evaluations, giving the results cross-validation across both datasets.
GPT-5.5-Cyber and the Trusted Access for Cyber program — the defensive side
OpenAI’s response to GPT-5.5’s capability level was to build a parallel access tier for defenders. On May 7, 2026, OpenAI announced GPT-5.5-Cyber in limited preview through the highest tier of the Trusted Access for Cyber (TAC) program — for vetted defenders responsible for securing critical infrastructure. OpenAI is explicit that the preview is not intended to significantly increase cyber capability beyond GPT-5.5 itself. The cyber-permissive variant is not a more powerful model — it is a version with loosened safety constraints for legitimate offensive security workflows: binary reverse engineering, vulnerability research, exploit chain analysis, penetration testing. The TAC program has already helped fix more than 3,000 vulnerabilities and is being expanded to thousands of individual defenders.
The dual-use tension that the Cloud Security Alliance identifies is precise: the skills, tools, and knowledge that enable effective defense are largely identical to those that enable effective attack. GPT-5.5-Cyber makes this tension explicit in a commercial AI product for the first time — the same capability level, distributed differently based on vetting status.
GPT-5.6 Sol — the first government-gated model launch
On June 26, 2026, OpenAI previewed GPT-5.6 Sol — the first AI model launch in history gated by the US government before public release. OpenAI started with a limited preview for trusted partners whose participation was shared with the government, citing the model’s step change in capability. The trigger is the June 2026 executive order directing a framework to designate covered frontier models with advanced cyber capabilities — the same White House AI EO DataWater covered on June 4.
GPT-5.6 Sol, Terra, and Luna are all rated “High” cybersecurity capability under OpenAI’s Preparedness Framework — the strongest cyber rating any GPT family has carried at launch. In cybersecurity, GPT-5.6 advances the performance-efficiency frontier on long-horizon security tasks, including vulnerability research and exploitation. The White House Gold Eagle program announced yesterday is the operational mechanism for coordinating AI-assisted vulnerability discovery across federal agencies at scale — the direct operational follow-through on the EO, now running on GPT-5.6-class capability.
Five operational implications for enterprise security teams
- Treat AI-assisted vulnerability discovery as a current-generation attacker capability, not a future concern. GPT-5.5 achieves 92% success on real CVE reproduction tasks. JADEPUFFER used an AI agent to autonomously chain those capabilities into a complete ransomware operation. The gap between benchmark and production attack is infrastructure and target selection, not capability. Both are attacker responsibilities, not model limitations.
- The compute-capability relationship changes your attacker model. A 32-point accuracy jump from a larger token budget means the most dangerous AI-assisted attacks are not necessarily using the newest model — they may be running the current model with a larger inference budget. Attackers with stolen LLM API keys face no compute cost constraint. This makes compute-rich AI-assisted attacks available to lower-resourced threat actors than any prior technology inflection point.
- Your threat model needs a six-month refresh cycle, not an annual one. The 5–6 month capability doubling pace means any threat model built on AI offensive capability has a shelf life measured in months. Build explicit trajectory assumptions into your threat models and revisit them on a fixed short-cycle schedule.
- Claim your defensive access to the same capability tier. GPT-5.5-Cyber via OpenAI’s Trusted Access for Cyber program, and Anthropic’s Mythos via CISA’s program, give vetted defenders access to the same capability class that offensive researchers are benchmarking. Offensive security teams, red teams, and vulnerability researchers should evaluate whether they qualify and integrate AI-assisted capability into their workflow — because adversaries are not waiting.
- Remove LLM API keys from internet-facing AI infrastructure. The token budget finding means AI-assisted attacks are most effective when the attacker has unconstrained compute. Removing LLM API keys and cloud credentials from internet-facing AI infrastructure eliminates the LLMjacking vector that allows attackers to run unconstrained inference at your expense — the attack path JADEPUFFER used to operate at near-zero cost.
Related DataWater Coverage
- → JADEPUFFER — First AI Agent Ransomware — The Production Attack That Demonstrates What GPT-5.5’s Benchmark Capability Looks Like Operationalized
- → White House AI Executive Order — The June 4 Policy That Triggered Government-Gating of GPT-5.6 Sol and Gold Eagle
- → Squidbleed — Claude Mythos — The Defensive Side: What 92.4% Offensive Accuracy Looks Like Applied to Finding Vulnerabilities Humans Missed for 29 Years
- → Bad Epoll — The Bug Mythos Missed — What the Remaining 7.6% That GPT-5.5 Didn’t Solve Contains: Race Conditions That Defeat AI Auditing
- → $1,000 AI Agent Finds 21 FFmpeg Zero-Days — The Earlier Benchmark: What AI Offensive Capability Looked Like Before the Doubling Pace Accelerated
- → DuneSlide — Cursor IDE CVSS 9.8 — AI Coding Tools as Attack Surface: The Opposite Direction of the Same Dual-Use Capability Arc
- → Browse the full DataWater threat archive →
Sources and further reading
- 36Kr English — GPT-5.5: Completely Breaks Through 300 Hacker Evaluation Tasks with Just 50 Million Tokens (Lyptus Research Summary)
- UK AI Security Institute — Our Evaluation of OpenAI’s GPT-5.5 Cyber Capabilities
- OpenAI — GPT-5.5 System Card: Cybersecurity (Deployment Safety Hub)
- MindFort AI — How Good Is GPT-5.5 for Cybersecurity? (Benchmarks, TAC Program, System Card Analysis)
- MindFort AI — How Good Is GPT-5.6 for Cybersecurity? (Government-Gating, Sol/Terra/Luna Analysis)
- Cloud Security Alliance — Government-Gated AI: GPT-5.6 Sol’s Dual-Use Cybersecurity Implications
- Help Net Security — GPT-5.6 Gets Better at Cybersecurity
- GBHackers — OpenAI Launches GPT-5.6 Sol AI Model With Advanced Cyber Capabilities and Layered Safeguards
DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #43 — July 16, 2026. Previous: UEFI Secure Boot Bypass — 11 Microsoft-Signed Shims (July 15) · CitrixBleed 2 — Seven Steps to DragonForce Ransomware (July 13) · JADEPUFFER — First AI Agent Ransomware (July 9). Browse the full threat brief archive →
