OpenAI released GPT-5.5-Cyber, its highest-performing AI model for vulnerability detection and patching, alongside a new open-source security program called Patch the Planet.

On Monday, OpenAI formally expanded its Daybreak cybersecurity program with GPT-5.5-Cyber, a model specifically optimized for finding, validating, and patching software vulnerabilities. Built on top of the GPT-5.5 foundation, the specialized variant achieves an 85.6% score on the CyberGym benchmark — notably higher than the 81.8% previously recorded by the base model. It also posts stronger results on ExploitGym (39.5% vs. 25.95%) and SEC-bench Pro (69.8% vs. 63.1%).

Unlike standard GPT-5.5, GPT-5.5-Cyber is not available through the public API. Access is restricted through a Trusted Access for Cyber program that includes major security vendors such as Akamai, CrowdStrike, and Palo Alto Networks, as well as government partners including agencies from Australia, Canada, Japan, and the UK. OpenAI co-developed the safety framework with the White House Office of the National Cyber Director and the Center for AI Standards and Innovation.

Company officials linked the launch directly to President Trump's June 2026 executive order on AI security, which called for stronger defensive AI tools to protect critical infrastructure.

The second arm of Monday's announcement is Patch the Planet, a coordinated open-source security initiative run with Trail of Bits and HackerOne. The program uses Codex Security and GPT-5.5-Cyber to scan critical open-source projects for vulnerabilities, but requires every finding to be reviewed by a human Trail of Bits engineer before it is sent to project maintainers. The initial effort targeted more than 30 widely used libraries, including cURL, Python, sigstore, and Go.

A Harvard-Linux Foundation study recently found that 94% of widely used open-source projects have fewer than 10 active contributors, making them especially vulnerable to large volumes of unvetted AI-generated bug reports. Patch the Planet's mandatory human review step is designed to address that risk directly.

Not everyone is convinced. Some independent security researchers questioned whether a gated commercial model should play a central role in securing infrastructure used by hundreds of millions of systems. Several open-source maintainers noted that the initial five-day sprint produced only dozens of merged patches from hundreds of flagged issues.

The industry reaction has been cautiously positive overall, though Access Now raised concerns about government-vendor partnership structures. A group of European security researchers noted that GPT-5.5-Cyber's restricted access model may slow international collaboration on critical vulnerabilities. OpenAI has not yet provided a timeline for widening access beyond its initial partner list.

For practitioners, the takeaway is straightforward: GPT-5.5-Cyber represents the most capable application of large language models to offensive security work to date, but its real-world impact will depend on how quickly OpenAI can expand access beyond a small circle of vetted partners.

Image source: v3b.fal.media