Generative ai May 2, 2026

OpenAI restricts GPT-5.5 Cyber after criticizing Anthropic's Mythos limits

OpenAI mocked Anthropic for gating cyber tools. Now it’s gating Cyber too

Sam Altman spent part of April criticizing Anthropic for restricting access to its cybersecurity model, Mythos. Ten days later, OpenAI is doing the same with its own competing system, GPT-5.5 Cyber.

Altman said this week that OpenAI will roll the model out first to “critical cyber defenders.” Access goes through an application process called Trusted Access for Cyber, or TAC. Applicants have to submit credentials and explain how they plan to use it. OpenAI says TAC now covers thousands of verified defenders and hundreds of security teams protecting critical software. Those users get a version of the latest model with fewer safety restrictions for cyber tasks.

The contradiction is obvious. The bigger point is the category itself.

Once a model can materially help with penetration testing, vulnerability discovery, exploitation chains, and malware reverse engineering, broad public release gets much harder to justify. OpenAI has now conceded that in practice.

An awkward reversal

Anthropic argued that Mythos was powerful enough to justify a restricted release. Altman brushed that off as fear-based marketing. Now OpenAI is saying, with different wording, that its own cyber model should initially go only to vetted defenders and trusted teams.

That’s a reversal, whatever label OpenAI puts on it.

The company says it wants to widen access over time while consulting with the U.S. government and tightening its rules around who counts as a legitimate cyber user. Fair enough. It also shows the basic problem with these tools. Once model capability crosses from "useful assistant" into "operationally useful offensive aid," the old mass API release model starts to fall apart.

This was always coming. Labs spent the past year bragging about how well their models handle offensive security workflows. Eventually they had to decide whether they believed their own claims.

If they do, gated access follows.

What OpenAI says Cyber can do

OpenAI’s application page is direct. The model is meant for:

  • penetration testing
  • vulnerability identification
  • exploitation
  • malware reverse engineering

That puts GPT-5.5 Cyber in a different class from generic coding copilots or general chat models with some security knowledge. The intended use is hands-on security work: reasoning through attack surface, analyzing code paths, inspecting binaries, helping an operator move faster.

That matters because cybersecurity is one of the clearest dual-use areas in AI. The same capability stack that helps a blue team validate defenses can also help an attacker write an exploit chain, adapt malware, or speed up an intrusion.

This is a workflow problem, not an abstract safety debate.

A model that summarizes CVEs is useful. A model that can suggest proof-of-concept exploit logic, spot weak assumptions in a target, and assist with reverse engineering changes the economics on both sides.

There are limits. These models aren’t autonomous top-tier operators. They hallucinate, miss environmental constraints, and still need a skilled human to frame the task and catch bad output. But when the user is already skilled, "needs supervision" is not much comfort.

TAC is identity-gated access to a risky capability

OpenAI’s TAC program looks a lot like a trusted researcher program for security work. Verify the user. Verify the organization. Review the use case. Then grant access to models with looser safeguards for approved cyber tasks.

The company’s wording matters. TAC is tiered, and “critical defenders with legitimate defensive use cases” can apply for access to more cyber-permissive models like GPT-5.4-Cyber and the forthcoming GPT-5.5-Cyber.

That suggests a few things:

  1. OpenAI already separates standard flagship model access from special-purpose cyber access.
  2. The cyber models likely refuse less often on requests that would trigger general safety systems.
  3. OpenAI believes user identity and institutional context are enough to justify that looser behavior.

That last point is where this gets messy.

Identity-gated access sounds tidy until it meets the actual security market. Contractors, consultants, red teams, bug bounty researchers, academics, platform security teams, MSSPs, and independent defenders don’t fit a clean verification template. Some legitimate users will be blocked. Some risky users will get through. Some approved organizations will misuse the system or lose control of privileged accounts.

And once a model leaves the lab, exclusivity doesn’t last forever.

Anthropic already got a preview of that when an unauthorized group reportedly obtained access to Mythos. Restricted access may reduce abuse. It does nothing to erase leakage, credential theft, insider risk, or the simple fact that outputs can be copied out.

The capability threshold matters

For security teams and tool builders, the practical question is straightforward: what can these cyber-tuned models reliably do better than a strong general model plus a good toolchain?

That’s the line worth watching.

A lot of "specialized model" launches are mostly packaging and prompt tuning. If GPT-5.5 Cyber can consistently handle exploit analysis, deobfuscation, reverse engineering notes, weak-auth flows, and vulnerability triage with meaningfully better accuracy or much less prompt overhead, then the gating makes sense. The capability gain is real.

If the gap is small, TAC starts to look partly like safety policy and partly like product segmentation.

OpenAI hasn’t published the kind of evaluation detail technical buyers would actually want. There’s no serious task-level breakdown. No clear evidence showing where Cyber beats the base model, where it fails, and which guardrails had to be relaxed to make it useful. Without that, defenders are being asked to trust a category label.

That’s thin support for procurement. It should also make engineering leaders cautious.

The benchmark that matters isn’t whether the model can answer security questions. Plenty can. The question is whether it shortens real analyst and operator loops without adding enough bad advice to wipe out the gain.

Less friction cuts both ways

OpenAI says verified defenders get access with less safeguard friction. That phrasing carries a lot.

General-purpose safety systems often block the exact prompts legitimate defenders need: exploit reproduction, malware behavior analysis, payload explanation, attack path simulation, credential abuse scenarios, privilege escalation patterns. Loosening those restrictions is what makes a cyber model useful.

It also creates the obvious risk. A model that stops refusing offensive-looking queries becomes much more practical for anyone who gets access, borrows access, or compromises an approved environment.

There’s no clean technical fix for that. Vendors can add monitoring, logging, rate limits, and auditing. They can require organization-level accounts and review abuse reports. But once a model is built to support serious offensive-security-adjacent work in a defensive setting, safety depends heavily on who’s using it, not just on the model.

That’s why the Altman-Anthropic argument always looked a bit performative. The disagreement was about posture.

What changes for developers and security teams

A few practical consequences stand out.

First, if you’re building internal security tooling, expect identity-gated AI access to become normal for sensitive model classes. General coding APIs will remain broad. Models tuned for cyber, bio, and other misuse-prone domains will increasingly sit behind applications, verification, and usage review.

Second, access is becoming a procurement issue, not just a developer one. If only “trusted” organizations can use the best cyber models, the buyer is no longer an individual engineer. It’s the CISO, compliance lead, or head of platform security who can satisfy the vendor and accept the accountability.

Third, API parity will probably get worse. A lot of teams still assume the public endpoint is the product. In this category, the real product may be a private tier with different policies, more logging, and materially different behavior.

Fourth, ask boring vendor questions. They matter more than the model name:

  • What exact tasks are allowed?
  • What gets logged?
  • Can outputs be retained for vendor training?
  • What audit trails exist for regulated environments?
  • How does the model behave on exploit development requests inside approved scopes?
  • What happens when the system is wrong?

That last one matters because cyber work punishes confident nonsense. A model that invents exploitability, misses mitigations, or misreads malware logic can waste hours and send analysts in the wrong direction.

OpenAI ended up endorsing the same premise

OpenAI can still say Anthropic overplayed the risk. But by putting GPT-5.5 Cyber behind TAC and reserving it for vetted defenders, it has accepted the same underlying point: some model capabilities are useful enough, and abusable enough, that open access is a bad idea.

You can argue over where that line sits. You can question whether vendor-run trust programs are fair, consistent, or effective. The hypocrisy angle is real.

The broader shift matters more. Frontier labs are starting to split public-facing model access from operational access in sensitive domains. For security teams, that split is probably just getting started.
