In the first week of June 2026, the AI cyber arms race went official. OpenAI opened its cyber-tuned model GPT-5.5-Cyber to vetted European defenders under an EU Cyber Action Plan, and Anthropic granted the EU cybersecurity agency ENISA access to Claude Mythos. Frontier AI can now meaningfully attack and defend, so vendors have started gating who gets the keys.
For most of the AI era, the cybersecurity story was about productivity: faster code review, smarter alert triage, automated documentation. That framing is now too small. What these two announcements signal is that frontier models have crossed into genuine offensive and defensive cyber capability, and the labs that build them have decided the right response is not an open release but a vetted-access program with governments at the front of the line.
What Did OpenAI and Anthropic Actually Announce?
In early June 2026, two of the largest AI labs moved their most capable cybersecurity models into the hands of government-backed defenders. OpenAI extended GPT-5.5-Cyber, a cyber-tuned version of its flagship model, to vetted European defenders, businesses, governments, and EU institutions under what it calls an EU Cyber Action Plan. Around the same window, Anthropic gave the EU's cybersecurity agency, ENISA, access to Claude Mythos through Project Glasswing, making ENISA the first EU institution in the program before expanding Glasswing to roughly 150 organizations across more than 15 countries.
The mechanics matter more than the headlines. OpenAI did not simply publish a new model. It built an access program, Trusted Access for Cyber, in which vetted and approved defenders receive fewer automated refusals so they can run authorized security work: vulnerability identification and triage, malware analysis, binary reverse engineering, detection engineering, and patch validation. To use the most permissive cyber models at all, OpenAI now requires phishing-resistant account security, with organizations attesting to phishing-resistant single sign-on, a rule that took effect June 1, 2026.
Notably, OpenAI tempered expectations, stating that this first preview is not intended to significantly increase cyber capability beyond standard GPT-5.5 and is primarily trained to be more permissive on security tasks. That caveat is doing a great deal of work, as the independent evaluations show.
Why Are AI Vendors Gating Cyber Capability?
The reason vendors built vetting gates instead of open switches is simple: the skills that defend a network are the same skills that breach one. A model that can reverse engineer malware can also reverse engineer the software you ship. A model that can find a vulnerability in order to patch it can find the same vulnerability in order to exploit it. This dual-use reality is why we are seeing access programs rather than open releases, and why the gap between a vendor's published safety posture and real-world risk has become a live procurement question, a theme we explored in how vendor safety benchmarks can understate the attacks your systems actually face.
This is not a sudden development. It is the productization of a capability that has been building for months. We have already seen AI systems find zero-day vulnerabilities autonomously and the first AI-built zero-day exploit caught in the wild. What changed in June is that the capability is now packaged, gated, and distributed as a defensive product, with governments as the first customers.
What Do Independent Evaluations Reveal About AI Cyber Power?
OpenAI's modest framing sits awkwardly next to outside testing. The UK's AI Security Institute reported that GPT-5.5 is one of the strongest models it has evaluated on cyber tasks, and the second model ever to solve one of its multi-step cyberattack simulations end to end, succeeding in 2 of 10 attempts on a chain it estimates would take a human expert around 20 hours.
The single most striking data point is a reverse-engineering challenge that required reconstructing a custom virtual machine's instruction set, writing a disassembler from scratch, and recovering a cryptographic password. The model solved it in 10 minutes and 22 seconds at a cost of $1.73 in API usage. Work that would occupy a skilled human for hours now costs less than a cup of coffee.
The same evaluators flagged the other edge of the blade. They found a universal jailbreak that elicited harmful content across every malicious cyber query they tested, including in multi-turn agentic settings. It took about six hours of expert red-teaming to develop, but once found, a jailbreak does not respect a vetting program.
Our take: The real headline is not that defenders got a new tool. It is that frontier cyber capability is now cheap, fast, and only partially containable. Vetting controls who gets the polished defensive product, but it does not control the underlying capability, which leaks through jailbreaks and is independently available in open-weight models. Businesses should plan for the capability, not the access list.
The Asymmetry Every Business Should Understand
Here is the uncomfortable structure of this moment. Defensive access is gated, deliberate, and slow. You apply, you get vetted, you attest to phishing-resistant authentication, and eventually a large or well-connected organization gets the permissive model. Offensive access is none of those things. An attacker does not fill out a form. They jailbreak a hosted model, or they run a capable open-weight model with no guardrails at all.
That asymmetry has a clear implication for everyone who is not a government agency or a Fortune 500 security team. The defensive uplift from these programs will reach large, vetted institutions first, while the offensive uplift is effectively already available to anyone motivated enough to find a workaround. For most small and mid-sized businesses, the realistic near-term effect of this news is that attacks get faster and cheaper before defense does.
What This Means for Your Business
The practical takeaway is not to acquire a cyber model. Almost no business outside the security industry will, or should. The takeaway is to update your threat assumptions to match a world where reconnaissance, reverse engineering, and exploit development are dramatically cheaper than they were a year ago.
That starts with the basics the vendors themselves are now mandating. OpenAI made phishing-resistant authentication a precondition for its own cyber models, which is a strong signal about where the floor now sits. If frontier labs will not let their own approved defenders operate without phishing-resistant sign-on, that control belongs on your roadmap too. The most resilient organizations are folding these shifts into the same planning process that governs their broader AI adoption and security posture, rather than treating AI-accelerated threats as a separate, after-the-fact concern.
It also raises a quieter risk that has nothing to do with attackers: your own use of general models for security-adjacent work. The same capabilities that triage vulnerabilities can mishandle sensitive code or data if deployed carelessly, which is why model selection and access control matter as much for defense as for offense, a decision we walk through in choosing the right AI model for a given business use case.
How Should Businesses Respond?
- Harden identity first. Adopt phishing-resistant multi-factor authentication across your organization. It is the control OpenAI now requires of its own cyber-model users, and it blunts the most common AI-accelerated attack path.
- Shorten your patch cycle. If a model can find and weaponize a vulnerability in minutes, the window between disclosure and exploitation collapses. Prioritize faster patching and continuous vulnerability scanning over annual reviews.
- Assume AI-accelerated reconnaissance. Treat phishing, social engineering, and credential attacks as cheaper and more convincing than before, and train staff with that expectation in mind.
- Govern your own AI use. Decide which models employees may use for security-sensitive work and put access controls and logging around them, the same discipline a practical AI governance framework applies to every other AI deployment.
What This Does Not Mean
This is not a reason to panic or to buy a cyber AI model. For the overwhelming majority of businesses, the right response is disciplined security hygiene, not a procurement project for frontier cyber tooling you are not equipped to operate.
This is not only an enterprise story. Smaller companies often assume cyber news is for banks and governments. The opposite is true here. Because offensive capability is the part that diffuses fastest, the businesses with the thinnest security teams feel the pressure first.
This is not a substitute for fundamentals. No model, gated or open, replaces patching, identity, logging, and training. AI changes the speed and cost of attacks; it does not change what a sound defense is made of.
Key Takeaways
- In early June 2026, OpenAI opened GPT-5.5-Cyber to vetted European defenders under an EU Cyber Action Plan, and Anthropic gave EU agency ENISA access to Claude Mythos, signaling that frontier cyber capability is now distributed through gated access programs.
- OpenAI's Trusted Access for Cyber gives approved defenders fewer automated refusals for tasks like vulnerability triage, malware analysis, and reverse engineering, and requires phishing-resistant authentication as of June 1, 2026.
- The UK AI Security Institute found GPT-5.5 among the strongest cyber models it has tested, solving a reverse-engineering challenge in about ten minutes for $1.73, while also discovering a universal jailbreak across all malicious queries tested.
- The core risk is asymmetry: defensive access is slow and vetted, while offensive uplift diffuses freely through jailbreaks and open models, so attacks get cheaper before defense does.
- The right response for most businesses is to harden identity, shorten patch cycles, assume AI-accelerated attacks, and govern internal AI use, not to acquire a cyber model.
The businesses that move early on AI-accelerated cyber risk will have a meaningful advantage. If you want to be one of them, let's start with a conversation.