GPT-5.5 Solved 92.4% of Offensive Cyber Tasks and Broke the Benchmark: AI Offensive Capability Is Doubling Every Six Months and the Ruler Can’t Keep Up

CONTEXT FOR SECURITY TEAMS: The research documented here establishes AI offensive capability baselines, not active attack warnings. The immediate operational implications are: (1) Threat model your AI infrastructure now — JADEPUFFER demonstrated that AI agents will exploit your unpatched CVEs autonomously. GPT-5.5’s benchmark performance confirms the underlying capability exists in commercially available models. (2) AI-assisted vulnerability discovery is available to both sides — defenders with access to GPT-5.5-Cyber (via OpenAI’s Trusted Access for Cyber program) or Anthropic’s Mythos (via CISA) can now use the same capability class for offensive security testing. (3) The 5–6 month doubling pace means your current threat model has a short shelf life — build threat models with capability trajectory assumptions, not current snapshots. (4) Token budget matters more than model selection for complex offensive tasks — GPT-5.5’s CyberGym score jumped 32 percentage points between 2M and 50M token budgets. An adversary with compute budget has disproportionate capability over one who doesn’t.
AI neural network representing GPT-5.5 offensive cyber capabilities benchmark Lyptus Research UK AISI frontier LLM hacking 2026
292 out of 316 offensive cybersecurity tasks solved. 92.4% accuracy. Seven independent benchmarks saturated. The evaluation system built in December 2025 as “the hardest questions available globally” was rendered obsolete in five months. | DataWater Threat Brief, July 16, 2026

Sources: Lyptus Research — “GPT-5.5 Saturates Offensive Cyber Evaluation System” (May 27, 2026) · UK AI Security Institute (AISI) — “Our Evaluation of OpenAI’s GPT-5.5 Cyber Capabilities” (April 30, 2026) · OpenAI GPT-5.5 System Card (Deployment Safety Hub) · OpenAI GPT-5.5-Cyber announcement (May 7, 2026) · OpenAI GPT-5.6 Sol preview (June 26, 2026) · MindFort AI — “How Good Is GPT-5.5 for Cybersecurity?” · MindFort AI — “How Good Is GPT-5.6 for Cybersecurity?” · Cloud Security Alliance — “Government-Gated AI: GPT-5.6 Sol’s Dual-Use Cybersecurity Implications” · Infosecurity Magazine (July 16, 2026) | Models covered: GPT-5.5 · GPT-5.5-Cyber · GPT-5.6 Sol/Terra/Luna | Key researchers: Lyptus Research (AU) · UK AISI · Irregular (external OpenAI red team) · Crystal Peak Security | Benchmarks: CyberGym · CTF challenges · CVE-Bench · VulnLMP · ExploitBench · ExploitGym · SEC-Bench Pro · CyScenarioBench | AI offensive doubling pace: Every 5–6 months (Lyptus Research, tracked since 2024)

The benchmark was built in December 2025 using “the hardest questions available globally.” GPT-5.5 saturated it in five months. The researchers declared the evaluation system broken.

On May 27, 2026, Australian research institution Lyptus Research published a report with a finding that forced a complete rethink of how offensive AI capability is measured: GPT-5.5 had solved 292 out of 316 offensive cybersecurity tasks across their evaluation suite, achieving a 92.4% accuracy rate, and in doing so had saturated all seven of their hardest benchmarks simultaneously. The team’s conclusion was not that GPT-5.5 was impressive — it was that their evaluation methodology was no longer functional. A benchmark that is saturated cannot differentiate between models or measure future capability growth. The ruler had broken.

Lyptus had begun building the evaluation in December 2025, deliberately selecting what they assessed as the hardest available offensive cybersecurity questions globally — spanning exploit utilization, CTF flag capture, and real CVE reproduction — with human security expert completion time as the baseline for each task. By their first-edition report in March 2026, there were already signs of data saturation. By May, GPT-5.5 had made the entire framework obsolete. The research team’s judgment: the evaluation method is “no longer applicable” for such tasks.

This finding is the backdrop for everything DataWater has documented in 2026: the JADEPUFFER AI agent ransomware attack, the $1,000 AI agent finding 21 FFmpeg zero-days, the Mythos finding Squidbleed, and the AI missing Bad Epoll in the same code. The models driving those outcomes are operating at capability levels that formal evaluation systems can no longer adequately characterize.

Benchmark / MetricGPT-5.5 ResultContext
Overall Lyptus suite292/316 tasks — 92.4% accuracyAll 7 hardest benchmarks saturated — evaluation declared broken
CyberGym (2M token budget)54.4%Hardest single benchmark in the Lyptus suite
CyberGym (50M token budget)86.4%+32 percentage points from token budget alone — same model
Irregular atomic — Network Attack Simulation98% success rateThird-party red team engaged by OpenAI
Irregular atomic — Vulnerability Exploitation92% success rateReal CVE reproduction tasks
CyScenarioBench (long-horizon)More than half solvedMulti-step autonomous offensive scenarios
UK AISI basic suiteFully saturated since Feb 2026Models have saturated basic tasks for months
UK AISI advanced suiteRapid improvement confirmedRealistic targets, modern mitigations, complex search space
Time horizon (Claude Opus 4.6, GPT-5.3 Codex)~3.1–3.2 hoursJanuary 2026 baseline across top models
Time horizon (GPT-5.5)5.1 hoursTwo months later — beyond 12-hour limit expected soon
OpenAI Preparedness Framework ratingHigh cybersecurity capabilityFirst OpenAI model to reach this designation
Doubling pace (Lyptus tracked since 2024)Every 5–6 monthsConsistent trend across model generations

What the benchmarks actually measure — and what they don’t

The benchmarks Lyptus, AISI, and Irregular used cover five distinct categories of offensive cybersecurity capability that map directly to real attack workflows:

  • Exploit utilization — given a known vulnerability and a target environment, construct and execute a working exploit
  • CTF flag capture — solve competitive capture-the-flag challenges requiring multi-step reasoning across reconnaissance, exploitation, and post-exploitation
  • Real CVE reproduction — reproduce documented vulnerabilities against realistic target environments, not sanitized lab setups
  • Network attack simulation — plan and execute multi-step network intrusion scenarios including lateral movement and privilege escalation
  • Long-horizon offensive scenarios (CyScenarioBench) — autonomous multi-step offensive operations requiring planning, execution, adaptation to failures, and complex objective completion without human guidance between steps

What the benchmarks do not measure — and what OpenAI’s own system card explicitly acknowledges — is the complete cyberattack lifecycle in real production environments with real defenders responding in real time. GPT-5.6 Sol can identify security flaws and components of an exploit, but in OpenAI’s tests it could not carry out a complete cyberattack on its own. JADEPUFFER demonstrates that this gap can be bridged with an agent framework and pre-positioned infrastructure — the benchmark and the real-world attack are not the same thing, but the benchmark capability is the necessary precondition for the real-world attack.

The token budget finding — compute is now a direct multiplier on offensive AI capability

The most operationally significant finding in Lyptus’s research is not the headline accuracy rate — it is the token budget result. On the hardest benchmark, CyberGym, GPT-5.5 scored 54.4% with a 2-million token budget. With a 50-million token budget, that rose to 86.4% — a 32-point jump for the same model. Token budget is a function of compute cost, which means offensive AI capability on the hardest tasks is not purely a function of which model you use; it is a function of how much compute you deploy.

A well-resourced attacker who can afford 50 million token inference on CyberGym-class tasks operates at a fundamentally different capability level than one constrained to 2 million tokens. As JADEPUFFER demonstrated, an attacker who has already compromised LLM API keys can run inference at the victim’s expense — effectively eliminating the attacker’s compute cost constraint entirely. The LLMjacking vector is not just an economic curiosity. It is the mechanism by which a compute-constrained attacker becomes a compute-unconstrained one, at the victim’s expense.

The doubling curve — and why your current threat model is already stale

Since 2024, Lyptus has tracked and fitted the conclusion that offensive AI cybersecurity capabilities double every 5 to 6 months. This is not a prediction — it is a fitted curve from observed benchmark data across multiple model generations. The data points: at the start of 2026, Claude Opus 4.6 and GPT-5.3 Codex both had autonomous time horizons of approximately 3.1–3.2 hours. Two months later, GPT-5.5 reached 5.1 hours. The 12-hour measurement ceiling Lyptus uses is expected to be exceeded soon — at which point the metric itself becomes unrepresentative of what the model can do.

The practical implication: a threat model built on what AI agents could do six months ago is already outdated. A threat model built on today’s capability will be outdated by January 2027. This is a reason to build threat models with explicit capability trajectory assumptions — “AI agents can currently perform X; in six months they will likely be able to perform Y” — and to revisit them on a six-month cycle rather than annually.

The UK AISI evaluation — independent government confirmation

The UK AI Security Institute published an independent evaluation of GPT-5.5’s cyber capabilities on April 30, 2026. Their basic suite — tasks like recovering a flag from a packet capture, cryptanalysing a misused cipher, or reverse-engineering a small binary — had been fully saturated by models since at least February 2026. For their advanced suite, built in collaboration with Crystal Peak Security and Irregular and specifically designed to probe vulnerability research and exploitation against realistic targets with modern mitigations, the AISI found rapid improvement on GPT-5.5 relative to prior generations. Their summary: GPT-5.5 shows that rapid improvement on cyber tasks may be part of a more general trend. The AISI used the same external tester — Irregular — as OpenAI’s own red-team evaluations, giving the results cross-validation across both datasets.

GPT-5.5-Cyber and the Trusted Access for Cyber program — the defensive side

OpenAI’s response to GPT-5.5’s capability level was to build a parallel access tier for defenders. On May 7, 2026, OpenAI announced GPT-5.5-Cyber in limited preview through the highest tier of the Trusted Access for Cyber (TAC) program — for vetted defenders responsible for securing critical infrastructure. OpenAI is explicit that the preview is not intended to significantly increase cyber capability beyond GPT-5.5 itself. The cyber-permissive variant is not a more powerful model — it is a version with loosened safety constraints for legitimate offensive security workflows: binary reverse engineering, vulnerability research, exploit chain analysis, penetration testing. The TAC program has already helped fix more than 3,000 vulnerabilities and is being expanded to thousands of individual defenders.

The dual-use tension that the Cloud Security Alliance identifies is precise: the skills, tools, and knowledge that enable effective defense are largely identical to those that enable effective attack. GPT-5.5-Cyber makes this tension explicit in a commercial AI product for the first time — the same capability level, distributed differently based on vetting status.

GPT-5.6 Sol — the first government-gated model launch

On June 26, 2026, OpenAI previewed GPT-5.6 Sol — the first AI model launch in history gated by the US government before public release. OpenAI started with a limited preview for trusted partners whose participation was shared with the government, citing the model’s step change in capability. The trigger is the June 2026 executive order directing a framework to designate covered frontier models with advanced cyber capabilities — the same White House AI EO DataWater covered on June 4.

GPT-5.6 Sol, Terra, and Luna are all rated “High” cybersecurity capability under OpenAI’s Preparedness Framework — the strongest cyber rating any GPT family has carried at launch. In cybersecurity, GPT-5.6 advances the performance-efficiency frontier on long-horizon security tasks, including vulnerability research and exploitation. The White House Gold Eagle program announced yesterday is the operational mechanism for coordinating AI-assisted vulnerability discovery across federal agencies at scale — the direct operational follow-through on the EO, now running on GPT-5.6-class capability.

Five operational implications for enterprise security teams

  1. Treat AI-assisted vulnerability discovery as a current-generation attacker capability, not a future concern. GPT-5.5 achieves 92% success on real CVE reproduction tasks. JADEPUFFER used an AI agent to autonomously chain those capabilities into a complete ransomware operation. The gap between benchmark and production attack is infrastructure and target selection, not capability. Both are attacker responsibilities, not model limitations.
  2. The compute-capability relationship changes your attacker model. A 32-point accuracy jump from a larger token budget means the most dangerous AI-assisted attacks are not necessarily using the newest model — they may be running the current model with a larger inference budget. Attackers with stolen LLM API keys face no compute cost constraint. This makes compute-rich AI-assisted attacks available to lower-resourced threat actors than any prior technology inflection point.
  3. Your threat model needs a six-month refresh cycle, not an annual one. The 5–6 month capability doubling pace means any threat model built on AI offensive capability has a shelf life measured in months. Build explicit trajectory assumptions into your threat models and revisit them on a fixed short-cycle schedule.
  4. Claim your defensive access to the same capability tier. GPT-5.5-Cyber via OpenAI’s Trusted Access for Cyber program, and Anthropic’s Mythos via CISA’s program, give vetted defenders access to the same capability class that offensive researchers are benchmarking. Offensive security teams, red teams, and vulnerability researchers should evaluate whether they qualify and integrate AI-assisted capability into their workflow — because adversaries are not waiting.
  5. Remove LLM API keys from internet-facing AI infrastructure. The token budget finding means AI-assisted attacks are most effective when the attacker has unconstrained compute. Removing LLM API keys and cloud credentials from internet-facing AI infrastructure eliminates the LLMjacking vector that allows attackers to run unconstrained inference at your expense — the attack path JADEPUFFER used to operate at near-zero cost.

Related DataWater Coverage

Sources and further reading


DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #43 — July 16, 2026. Previous: UEFI Secure Boot Bypass — 11 Microsoft-Signed Shims (July 15) · CitrixBleed 2 — Seven Steps to DragonForce Ransomware (July 13) · JADEPUFFER — First AI Agent Ransomware (July 9). Browse the full threat brief archive →

Similar Posts