Two things happened within 24 hours this week that define the current state of AI-assisted cyber operations. On May 6, the UK AI Security Institute (AISI) published a comparative evaluation of GPT-5.5, Anthropic's Mythos Preview, and Claude Opus against a 32-step simulated corporate cyberattack. On May 7, OpenAI announced it was broadening access to GPT-5.5-Cyber to vetted security professionals. If you work in cybersecurity and want access to either tool, here is what you are dealing with.
What the AISI evaluation actually measured
The AISI evaluation had one specific scenario: complete a 32-step simulated corporate cyberattack chain autonomously, with no human coaching after the initial system prompt. Results:
- GPT-5.5: 2 out of 10 successful completions.
- Mythos Preview: 3 out of 10.
- Claude Opus: below both (exact figures not published).
The framing matters. A success rate of 2 to 3 in 10 attempts is not "AI can autonomously hack corporate networks." It means these models are, at present, unreliable assistants for multi-step attack chains. But the economics of that unreliability shift when you run the model at scale: an attacker who can afford to run GPT-5.5 ten times against a target gets two to three complete attack paths with no additional human skill required. The cost of capable red-team skill is collapsing toward the cost of API tokens.
The 1-run gap between GPT-5.5 and Mythos is real but not decisive. At 10 trials, the difference between a 20% and 30% success rate is one attack path. That is not an insurmountable moat.
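How little ten runs per model can say about a 20% versus 30% success rate, as an added example (not code from AISI or from the author). It uses only the success counts quoted above; the 95% confidence level, 5% significance level and 80% power are assumed conventions, not figures from the evaluation.

```python
from math import ceil, comb, sqrt
from statistics import NormalDist

def wilson_interval(successes, trials, confidence=0.95):
    """Wilson score interval for a binomial success rate."""
    z = NormalDist().inv_cdf(1 - (1 - confidence) / 2)
    p = successes / trials
    denom = 1 + z * z / trials
    centre = (p + z * z / (2 * trials)) / denom
    half = z * sqrt(p * (1 - p) / trials + z * z / (4 * trials ** 2)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)

def fisher_exact_two_sided(k1, n1, k2, n2):
    """Two-sided Fisher exact p-value for k1/n1 versus k2/n2 successes."""
    total_k, total_n = k1 + k2, n1 + n2

    def prob(x):  # hypergeometric: model 1 holds x of the total_k successes
        return comb(n1, x) * comb(n2, total_k - x) / comb(total_n, total_k)

    observed = prob(k1)
    lo, hi = max(0, total_k - n2), min(n1, total_k)
    # Sum every outcome that is no more likely than the observed one.
    return sum(prob(x) for x in range(lo, hi + 1)
               if prob(x) <= observed * (1 + 1e-9))

def trials_needed(p1, p2, alpha=0.05, power=0.80):
    """Runs per model needed to separate rates p1 and p2 (normal approximation)."""
    z_a = NormalDist().inv_cdf(1 - alpha / 2)
    z_b = NormalDist().inv_cdf(power)
    p_bar = (p1 + p2) / 2
    spread = (z_a * sqrt(2 * p_bar * (1 - p_bar))
              + z_b * sqrt(p1 * (1 - p1) + p2 * (1 - p2)))
    return ceil(spread ** 2 / (p1 - p2) ** 2)

if __name__ == "__main__":
    # Success counts as reported in the text above.
    results = {"GPT-5.5": (2, 10), "Mythos Preview": (3, 10)}
    for model, (k, n) in results.items():
        low, high = wilson_interval(k, n)
        print(f"{model}: {k}/{n}, 95% interval {low:.1%} to {high:.1%}")
    print("Fisher exact p-value:", round(fisher_exact_two_sided(2, 10, 3, 10), 3))
    print("Runs per model to separate 20% from 30%:", trials_needed(0.2, 0.3))
```

The two intervals overlap almost entirely and the exact test cannot distinguish the models, so a ranking based on ten runs each should be treated as provisional when it feeds a risk assessment.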
Anthropic's approach: Project Glasswing, 40 organizations, $104 million
Anthropic has Mythos Preview in a controlled preview with approximately 40 organizations. Project Glasswing extends $100 million in usage credits to selected commercial organizations and $4 million to open-source security groups. Applications are evaluated for defensive posture, sector criticality, and responsible use commitments. Central banks and most government agencies are currently excluded. Operational technology vendors are explicitly frustrated about their exclusion, per Nextgov reporting from this week.
The rationale Anthropic gives: unrestricted access to a model that discovered thousands of unpatched vulnerabilities in "every major operating system and web browser" would cause net harm. The access restriction is framed as the harm-reduction mechanism.
OpenAI's approach: vetted access, fewer guardrails for qualified applicants
OpenAI is taking a different path. GPT-5.5-Cyber (codename "Spud" internally) is available in two configurations: a guardrailed version for broader access, and a version with reduced restrictions for organizations that apply and qualify. The qualification criteria focus on "responsibility for securing critical infrastructure." The application process is more permissive than Anthropic's.
OpenAI criticized Anthropic's restrictive approach before restricting its own Cyber model. The reversal is documented by TechCrunch. What both companies now agree on: unconstrained public release of capability at this level is not the right call.
What this means if you want access
For commercial security teams in NATO-aligned jurisdictions: applying for GPT-5.5-Cyber access through OpenAI is the more accessible path. The application process is documented at the OpenAI security portal. Expect evaluation to take weeks, not days.
For OT vendors and government agencies currently excluded from Glasswing: the right move is to document your use case and submit it to Anthropic directly. The Nextgov coverage indicates Anthropic is aware of the OT exclusion and under pressure to expand. Roundtable participation is the fastest path to getting a favorable review.
For everyone else: the AISI evaluation is the best public benchmark available for understanding what these models can currently do. The 2-3 out of 10 figure is a ceiling on autonomous attack completion, not floor-level capability. These models are significantly more capable as assisted tools with a skilled human in the loop. Plan your AI security policy accordingly.
The structural problem this creates
The access programs assume that defenders who hold credentials to Glasswing or GPT-5.5-Cyber are more trustworthy than defenders who do not. They also assume that adversaries do not have equivalent tools. Both assumptions are wrong.
Nation-state actors with access to closed frontier models or equivalent in-house capability are not applying for Glasswing. They are running their own cyber models or operating through affiliates who are not subject to any access gate. The access programs are a defensive equipping mechanism, not a capability non-proliferation scheme. The OT community's frustration is rooted in exactly this gap: the people defending the systems that matter most are on the wrong side of the access divide.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you are trying to navigate the AI cyber tool access landscape for your organization.