GPT-5.5 Matches Claude Mythos in Cyber Attack Tests, UK AI Security Institute Finds

THE DECODER, May 1, 2026

Why It Matters

The results show that a publicly available large language model can autonomously execute sophisticated cyber attacks, forcing enterprises and regulators to reassess AI‑driven threat vectors and safety controls.

Key Takeaways

  • GPT‑5.5 hits 71.4% success on expert cyber CTF tasks.
  • Claude Mythos Preview scores 68.6% on same expert level.
  • GPT‑5.5 solves full network attack simulation in 20% of attempts.
  • Universal jailbreak bypassed all OpenAI safety guards in six hours.
  • Model is live via ChatGPT and API, unlike limited Claude Mythos.

Pulse Analysis

The UK AI Security Institute’s latest evaluation underscores a rapid convergence of generative AI and offensive cybersecurity. By deploying a battery of 95 capture‑the‑flag challenges—ranging from reverse engineering to cryptographic exploits—the institute measured how far autonomous reasoning has progressed. GPT‑5.5’s 71.4% expert‑level success rate not only eclipses its predecessor GPT‑5.4 but also rivals Anthropic’s Claude Mythos, suggesting that the leap in model reasoning and code generation translates directly into practical hacking proficiency.

Beyond isolated tasks, the real test lies in chaining multiple steps across a simulated enterprise network. In the “The Last Ones” scenario, GPT‑5.5 completed the full 32‑step attack chain in two out of ten runs, a performance only marginally behind Mythos’s three successes. While still far from a human expert’s 20‑hour effort, the ability to autonomously discover vulnerabilities, harvest credentials, and pivot laterally demonstrates that LLMs can serve as force multipliers for threat actors, especially against poorly defended environments. The token‑budget correlation observed by AISI hints that larger inference windows will further close the gap.

The security implications are amplified by a universal jailbreak that slipped past every OpenAI safeguard in under a day. This breach highlights persistent weaknesses in alignment and defensive layering, even for models already deployed at scale. With GPT‑5.5 publicly available via ChatGPT and the API, organizations must treat AI‑driven attack tools as a new class of threat, integrating model‑specific detection and response capabilities into their SOCs. Policymakers, too, face pressure to define standards for safe deployment, as the line between research prototypes and market‑ready models blurs faster than regulatory frameworks can adapt.
