Overview
New evaluation results from the UK’s AI Security Institute (AISI) reveal that OpenAI’s GPT-5.5 matches Anthropic’s Mythos Preview across a comprehensive suite of cybersecurity benchmarks — including the first-ever AI success on a simulated 32-step corporate network intrusion. The finding is significant not because any single model has achieved a novel capability in isolation, but because it demonstrates that dangerous autonomous offensive cyber ability is now a general property of frontier LLMs, not an anomaly confined to one vendor’s system.
The results directly challenge Anthropic’s framing around Mythos Preview’s restricted release, which positioned the model as uniquely dangerous and warranting controlled distribution to ‘critical industry partners’ only.
Technical Analysis
AISI evaluated both models against 95 Capture the Flag (CTF) challenges spanning reverse engineering, web exploitation, and cryptography. On ‘Expert’-tier tasks:
- GPT-5.5: 71.4% pass rate
- Mythos Preview: 68.6% pass rate (within margin of error)
In a representative task, GPT-5.5 autonomously built a disassembler to decode a compiled Rust binary — completing the challenge in 10 minutes 22 seconds at a cost of $1.73 in API calls, with zero human intervention.
More critically, both models made successful attempts on ‘The Last Ones’ (TLO), AISI’s simulation of a 32-step data extraction attack on a corporate network:
- GPT-5.5: 3/10 attempts successful
- Mythos Preview: 2/10 attempts successful
- All prior models tested: 0/10
Neither model succeeded on ‘Cooling Tower’, a harder simulation targeting industrial control system disruption — indicating a current ceiling on autonomous OT/ICS attack capability.
AISI attributes the capability leap to broader improvements in long-horizon autonomy, reasoning, and coding rather than any cybersecurity-specific training.
Framework Mapping
AML.T0047 (ML-Enabled Product or Service): Both models are being used as autonomous agents capable of executing multi-step offensive operations via API access — the precise threat vector this technique describes.
AML.T0040 (ML Model Inference API Access): The cost and speed profile ($1.73, ~10 minutes) confirms that API-accessible frontier models present a low-barrier offensive capability.
LLM08 (Excessive Agency): The TLO results are a textbook case — an LLM autonomously executing a 32-step intrusion chain represents agency far exceeding safe operational boundaries without human-in-the-loop controls.
Impact Assessment
The primary risk is democratisation of multi-stage network intrusion. Previously, executing a 32-step data exfiltration chain required significant human expertise. Frontier LLMs now compress that requirement to API access and a prompt. The $1.73 cost-per-task figure underscores the economic accessibility of this threat vector.
Organisations relying on complexity as a defence layer — assuming attackers lack the skill to chain exploitation steps — face meaningful erosion of that assumption. Security operations centres (SOCs) and red teams should treat autonomous LLM agents as a plausible adversarial tool in threat modelling exercises immediately.
Mitigation & Recommendations
- Restrict agentic model access: Do not expose frontier LLMs to tooling with network, file system, or credential access without strict sandboxing and human approval gates.
- Enforce identity verification: Follow OpenAI’s Trusted Access for Cyber model — require verified identity before granting API access to frontier models for any security-adjacent use case.
- Update threat models: Incorporate autonomous LLM-driven intrusion as a realistic threat actor capability in enterprise risk registers and red team exercises.
- Track regulatory thresholds: AISI’s benchmarks are increasingly informing policy; organisations in critical infrastructure should monitor for mandatory reporting or access restriction obligations tied to these scores.