Connect with us

AI

GPT-5.5 Catches Mythos On Cyber Tests, ARC Reveals Brittle Logic

Published

on

OpenAI’s GPT-5.5 has matched Anthropic’s Mythos Preview on offensive cyber tasks, the UK AI Security Institute reported on April 30, 2026. GPT-5.5 scored 71.4% on AISI’s hardest 95-task suite against Mythos Preview’s 68.6%, and both finished a 32-step network intrusion that a human expert needs roughly 20 hours to clear.

A separate ARC Prize Foundation study, published the next day, found both models still fail problems they could not have seen in training. The two streams of evidence landed in the same week and pull in opposite directions.

The Parity Moment AISI Flagged

Mythos Preview held the top spot on AISI’s expert-tier cybersecurity tasks for two weeks before GPT-5.5 caught and slightly cleared it. The institute treats the gap as statistically meaningless. GPT-5.4, the predecessor, sat at 52.4%. Anthropic’s Opus 4.7 came in at 48.6%. Both new frontier models jumped roughly 20 percentage points over their immediate predecessors in a few months.

AISI’s GPT-5.5 cyber capability evaluation calls the parity itself the headline finding, not the leader. “A second model, from a different developer, now reaches a similar level of performance on our cyber evaluations,” the institute wrote, and warned that further jumps could land “in quick succession” if cyber gains keep arriving as a side effect of general reasoning improvements.

Inside The Last Ones, A 32-Step Network Range

The Last Ones is a simulated breach of a fictional corporate network built jointly with SpecterOps. Spread across four network segments and roughly twenty machines, it asks a model to chain initial access, lateral movement, privilege escalation, and a final objective without prompting. AISI estimates a skilled human operator needs about 20 hours.

GPT-5.5 finished the full chain in two of ten runs. Mythos Preview, the first model to crack it per AISI’s Mythos Preview cyber capability report, did so in three of ten and averaged 22 of 32 steps when it failed. Each attempt ran with a token budget of 100 million, putting even a successful run in the hundreds of dollars on API pricing.

  • 71.4%: GPT-5.5 pass rate on AISI’s hardest expert tier
  • 68.6%: Mythos Preview pass rate on the same tier
  • 2 of 10: GPT-5.5 end-to-end completions of The Last Ones
  • 20 hours: estimated human-expert time to clear all 32 steps

The shape of those numbers matters. A model that finishes a 32-step intrusion two times out of ten is unreliable on any single run, but the long tail of the distribution is what counts for offensive use. An attacker only needs one chain to land.

The 95-task suite covers vulnerability research, reverse engineering, web exploitation, and cryptographic attacks. Tasks score binary pass-fail and group into four difficulty tiers. AISI’s tooling lets the models open shells, edit files, and call out to debuggers like a real operator would.

One footnote sharpens the picture. AISI also tested both labs on a seven-step industrial control simulation built with Hack The Box, called Cooling Tower. No model has finished it yet, GPT-5.5 included. The cyber-physical bar is still out of reach.

The Rust_vm Result Mainstream Coverage Skipped

Tucked into AISI’s report is a single task that reframes the threat picture. The challenge, called rust_vm, asks the model to reverse engineer a Rust-based virtual machine, recover its instruction set, disassemble its bytecode, reverse a custom authenticator, and solve constraints to produce a key. An expert playtester used Binary Ninja, gdb, Python, and the Z3 solver. They needed about 12 hours.

GPT-5.5 finished in 10 minutes and 22 seconds. The total API cost was $1.73.

That figure compresses the whole offensive-AI argument into one line. A task that ate half a day of an experienced reverse engineer’s time fell to a model in under eleven minutes for less than the price of a coffee. The size of the gap, not the raw capability, is what AISI wants regulators to read.

A Universal Jailbreak Found In Six Hours

AISI’s red team also tested the safeguards OpenAI ships with GPT-5.5. Six hours of expert prompting was enough to find a single bypass that defeated every malicious cyber query AISI had prepared, including the multi-step agent runs where the model has to plan and execute over many turns.

OpenAI shipped a safeguard update in response. AISI said a configuration error in the version it received kept it from confirming whether the new defenses held. The audit cycle, in other words, has not closed.

“A second model, from a different developer, now reaches a similar level of performance on our cyber evaluations.”

The line, from AISI’s published evaluation, is the institute’s polite way of saying the parity is not a fluke. OpenAI’s internal classification rates GPT-5.5 a “high” cybersecurity risk under OpenAI’s updated Preparedness Framework, the second-highest tier, meaning the model can amplify existing attack pathways but stops short of “critical,” the bar for entirely new routes to severe harm.

The high tier carries deployment commitments. OpenAI agreed under the framework to ship monitoring, abuse detection, and rate-limiting around any high-rated production model. AISI’s universal-bypass finding tests whether those commitments translate to defenses that hold against a focused attacker.

Where ARC-AGI-3 Catches Both Models Out

Cyber benchmarks measure tasks that look broadly like training data. ARC-AGI-3 was built to do the opposite. The ARC Prize Foundation, run by Greg Kamradt, places models in 135 hand-crafted environments where no instructions are given and no prior data applies. Every environment has been solved by at least two humans without special training. Frontier models score near zero.

In a study released May 1, 2026, Kamradt’s team analyzed 160 replays and reasoning traces. GPT-5.5 scored 0.43 on the semi-private set. Opus 4.7 scored 0.18. The ARC Prize analysis of GPT-5.5 and Opus 4.7 identifies three repeating failure modes, but the most striking finding is how differently the two models broke.

GPT-5.5 Failed To Compress

GPT-5.5 generated multiple competing hypotheses about each environment but could not commit to one. Kamradt called this “wider hypothesis generation” without the closing step. The model saw that an action sometimes rotated an object and sometimes did nothing, but never compressed the observations into a single rule.

That pattern shows up in offensive cyber work too, just less visibly. Solving a known capture-the-flag means matching a pattern. Reasoning about a brand-new system means building the model and committing to it. AISI’s rust_vm result hides the distinction because the underlying instruction set, while custom, follows familiar conventions.

Opus 4.7 Locked Onto The Wrong Game

Opus 4.7 went the opposite way. It compressed quickly, then refused to revise. “Opus had the wrong compression,” Kamradt wrote. “GPT-5.5 failed to compress.” Opus runs repeatedly mistook ARC environments for Tetris, Frogger, Sokoban, Breakout, Pong, and Boulder Dash, then kept playing those games even after the rules disagreed.

The transfer problem hit both labs hard. Beating one level rarely helped on the next. Whatever a model learned in level one did not survive contact with level two. Background on the benchmark’s construction sits in the ARC-AGI-3 interactive reasoning benchmark paper.

Why Capability And Brittleness Live Together

The two evaluation streams point at the same fact from opposite sides. Cyber benchmarks reward fluency in patterns the model has seen many times. Reasoning benchmarks punish that fluency the moment the patterns no longer apply. Both labs are pushing the first lever and have done little for the second.

If AISI is right that the cyber jump came from general reasoning and agent gains rather than targeted training, the next frontier model will likely show both moves at once. More offensive capability. The same brittle compression. ARC Prize’s 2025 competition results already trailed this pattern, with strong scores on training-aligned tasks and collapses on novel ones.

Frequently Asked Questions

Is GPT-5.5 available to use right now?

GPT-5.5 is in limited preview as of May 2026. OpenAI has rolled it out to enterprise customers and API testers under usage agreements that include the high-risk safety controls AISI tested. A wider ChatGPT release has not been announced. Developers can apply for access through OpenAI’s platform page; rate limits and abuse-monitoring requirements come bundled with the high-risk classification.

Does the AISI finding mean AI can hack on its own?

Not quite. GPT-5.5 finished a full corporate intrusion only twice in ten attempts, and each run cost hundreds of dollars in compute. What changed is the speed on individual subtasks. Reverse engineering jobs that took human experts twelve hours fell in under eleven minutes for $1.73. Defenders should treat the model as a force multiplier for skilled attackers, not an autonomous threat actor yet.

How does ARC-AGI-3 differ from earlier ARC tests?

ARC-AGI-3 is interactive, not single-turn. The earlier ARC-AGI-2 asked models to fill in a missing grid pattern from a few examples. ARC-AGI-3 drops the model into 135 hand-built game environments with no instructions, where the model must figure out rules through trial and error. Humans clear them without training; frontier models score below 1%. The 2026 Kaggle round opens later this year for outside teams.

What did OpenAI say about the universal jailbreak?

OpenAI updated its safeguard stack after AISI shared the bypass details, the company told the institute. AISI then received a follow-up build, but a configuration error in that version blocked retesting, so the fix is unverified externally. OpenAI’s preparedness page lists GPT-5.5 at “high” risk on cybersecurity, the second-highest tier and the trigger for monitoring commitments around the model in production.

The next round of frontier evaluations is already in flight. AISI is iterating its 95-task suite while ARC Prize runs ARC-AGI-3 as a 2026 Kaggle competition with a $1 million prize pool. Whichever lab ships the next jump first will be tested against both, and the gap between those two scores is now the number that matters.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no nonsense tech news and reviews based on real hands on testing. He has personally tested and reviewed dozens of mid range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending