But the ExploitGym number matters structurally. The gap between GPT-5.5 and GPT-5.5-Cyber on that benchmark is not primarily about intelligence. OpenAI is explicit: the model is "the same underlying GPT-5.5 with safety classifiers tuned to allow authorized defensive workflows." The capability was already there. The question was always what the guardrails would permit. GPT-5.5-Cyber is essentially GPT-5.5 with specific refusals turned off for people who can prove they belong to an approved organization.
That is the honest description of what they shipped. It is also a reasonable design choice. The alternative is leaving defenders with a hobbled model while attackers use the same base architecture with their own fine-tunes or jailbreaks. OpenAI's answer is to build an access program that is strict enough to matter: vetting, audit logging, scoped use cases, hardware authentication. Whether it holds under adversarial pressure from insiders, credential theft, or social engineering is a different question, and one the Canadian Centre for Cyber Security essentially flagged in May when it warned that AI-driven exploitation may now outpace vendors' capacity to publish corrective measures.
The Codex Security side of the release is, in some ways, more interesting for everyday developers. Since its research preview in March, it has scanned over 30 million commits across more than 30,000 codebases. Human reviewers marked over 70,000 findings fixed. More than 500,000 were automatically resolved. Those numbers are large enough that something real is happening at the infrastructure level, separate from the controlled-access story.
What I keep coming back to: a model that produces exploit code and a model that produces patches are the same model. The distinction is entirely operational. OpenAI built a permission structure around that fact and called it safety. That is not sarcasm. It may be the only honest approach available. But it means the safety story for GPT-5.5-Cyber is the access program, not the weights. If the access program has a hole, the capability is already out.