GPT-5.5 matches Claude Mythos in cyber attack tests, UK AI Security Institute finds

OpenAI's GPT-5.5 performs on par with Anthropic's Claude Mythos Preview in cyber evaluations run by the UK AI Security Institute. The agency sees this as evidence of a broader trend in AI-powered attack capabilities.

The UK AI Security Institute (AISI) put OpenAI's GPT-5.5 through a battery of cyberattack tests. The takeaway: GPT-5.5 is the second model after Claude Mythos Preview to fully complete a multi-stage simulation of an enterprise attack. On isolated expert-level security tasks, GPT-5.5 even edged out Anthropic's model.

For AISI, the bigger picture is that the capabilities first observed in Claude Mythos back in April aren't a one-off, but a byproduct of broader gains in autonomy, reasoning, and coding.

GPT-5.5 edges out Claude Mythos on isolated expert tasks

AISI evaluates AI models with a suite of 95 capture-the-flag tasks across four difficulty levels. The advanced tasks, built in collaboration with cybersecurity firms Crystal Peak Security and Irregular, cover reverse engineering, exploit development for various memory flaws, cryptographic attacks, and unpacking obfuscated malware.

At the highest "Expert" difficulty, GPT-5.5 hits an average success rate of 71.4 percent, according to AISI. Claude Mythos Preview lands at 68.6 percent. The gap falls within the statistical margin of error, but GPT-5.5 may be the strongest model tested so far. For comparison, GPT-5.4 scored 52.4 percent and Claude Opus 4.7 came in at 48.6 percent. Every current frontier model has fully solved the basic tasks since at least February 2026.

After Mythos, GPT-5.5 also cracks a full network attack simulation

Isolated tasks test individual skills, but real attacks require chaining many steps together. To capture that, AISI uses cyber ranges: simulated network environments with multiple hosts, services, and vulnerabilities.

The simulation "The Last Ones" (TLO) covers 32 steps across four subnets and around 20 hosts. The AI agent starts with no credentials and has to find vulnerabilities, steal credentials, move laterally through the network, and ultimately reach a protected database. AISI estimates this would take a human expert about 20 hours.

GPT-5.5 fully solved TLO in 2 out of 10 attempts. Claude Mythos Preview hit the same bar in 3 out of 10. Performance keeps scaling with inference compute, AISI says, and even the best models haven't plateaued yet. The more tokens the model spends "thinking," the more likely it is to pull off a successful hack.

That said, the tests had no active defenders, no security monitoring, and no consequences for actions that would set off alarms in the real world. Whether GPT-5.5 or Mythos could hold up against well-defended systems is an open question. But for poorly protected networks, the capability is clearly there.

A second simulation called "Cooling Tower," which models an attack on an industrial control system, was beyond GPT-5.5. No model has solved this 7-step scenario yet. According to AISI, GPT-5.5, like Mythos, tripped up on the upstream IT steps rather than the control system itself.

A universal jailbreak bypassed every safeguard

Beyond raw capability, AISI also tested GPT-5.5's safety measures for public use. The researchers found a universal jailbreak that worked on every malicious cyber request OpenAI flagged, including multi-step agent scenarios. It took just six hours to develop.

OpenAI then pushed several updates to the safety system, but AISI couldn't verify how well the final configuration held up due to a configuration issue in the deployed version. It's yet more proof that jailbreaks remain a serious security weakness in LLMs, even the most capable ones.

One key difference from Mythos: GPT-5.5 is already available in ChatGPT and through the API, while Anthropic still limits Claude Mythos to a small group. The AISI results suggest Anthropic could have skipped that extra layer of caution. Or maybe critics have a point, and the slow rollout has less to do with safety ethics and more to do with Anthropic's compute constraints.