UK: GPT-5.5 Matches Claude Mythos in Cyberattacks

The U.K. AI Security Institute (AISI) reported that OpenAI’s GPT-5.5 autonomously completed a 32-step simulated corporate network attack in two of 10 attempts and solved a difficult reverse-engineering challenge in 10 minutes 22 seconds. AISI said those results place GPT-5.5 roughly on par with Anthropic’s Claude Mythos in the tests it ran.

AISI, a research unit within Britain’s Department of Science, Innovation and Technology, published the findings after running advanced cybersecurity scenarios on Thursday. The most complex simulation, called ‘The Last Ones’ and developed with cybersecurity firm SpecterOps, required an automated agent to chain reconnaissance, credential theft, lateral movement across multiple Active Directory forests, a pivot through a CI/CD pipeline, and exfiltration of a protected database. AISI estimates those steps would take a human expert about 20 hours.

On AISI’s hardest “Expert” tier, GPT-5.5 achieved an average pass rate of 71.4 percent. The Claude Mythos Preview posted a 68.6 percent pass rate, and OpenAI’s earlier GPT-5.4 registered 52.4 percent.

The reverse-engineering task required reconstructing the instruction set of a custom virtual machine, writing a disassembler, and recovering a cryptographic password through constraint solving. GPT-5.5 completed that sequence in 10 minutes 22 seconds using the API, at an estimated cost of $1.73. A professional human analyst using standard tools took about 12 hours to solve the same puzzle, AISI reported.

AISI also identified a universal jailbreak that bypassed GPT-5.5’s safety guardrails across the malicious cyber queries tested, including multi-turn agentic interactions. The institute said the jailbreak was developed during six hours of expert red-teaming. OpenAI implemented updates to its safeguard stack after the tests, but a configuration issue prevented AISI from confirming whether the final defenses blocked the exploit.

The institute noted the evaluations took place in a controlled research environment and may not reflect what a typical user can access. AISI added that public deployments of models often include additional safeguards and access controls that were not present in the test setup.

The report was published alongside the U.K. government’s annual Cyber Security Breaches Survey, which found 43 percent of businesses experienced a cyber breach or attack in the past 12 months. The government announced £90 million in new funding for cyber resilience and is progressing the Cyber Security and Resilience Bill to protect essential services. Officials issued guidance advising organizations to prepare for a potential increase in discovered software vulnerabilities as AI accelerates the pace of finding flaws.

AISI warned that improvements in reasoning, coding and autonomous task completion across advanced models could lead to further rapid gains in offensive cyber capability.