OpenAI gates a cyber model

Cybersecurity is the work of finding and fixing software flaws before attackers use them. On April 14, OpenAI released a model tuned for that job, but only to vetted security users rather than the public. (openai.com) OpenAI said the new system, GPT-5.4-Cyber, is a fine-tuned version of GPT-5.4 that is “cyber-permissive,” meaning it will answer more sensitive defensive-security requests than its standard models. Reuters reported the first rollout is limited to vetted security vendors, organizations and researchers. (openai.com) (money.usnews.com) The company is also widening its Trusted Access for Cyber program, or TAC, to thousands of verified individual defenders and hundreds of teams that protect critical software. OpenAI said higher verification tiers unlock more capable tools, and Reuters reported the top tier gets access to GPT-5.4-Cyber. (openai.com) (money.usnews.com) The release comes as OpenAI says its own frontier models are getting stronger at cyber tasks. In its March 5 GPT-5.4 system card, the company said GPT-5.4 Thinking was the first general-purpose model it deployed with mitigations for “High” cybersecurity capability. (deploymentsafety.openai.com) (openai.com) That creates a narrow policy problem for model makers: the same system that helps a defender audit code can also help an attacker study a target. OpenAI said TAC is built around identity checks, trust levels and staged deployment instead of a fully open release. (openai.com 1) (openai.com 2) OpenAI has been building toward this for months. It launched TAC in February with a $10 million commitment in application programming interface credits for cyber defense, then introduced Codex Security in research preview in March after private testing that found a server-side request forgery bug and a cross-tenant authentication flaw in OpenAI’s own systems. (openai.com 1) (openai.com 2) The competitive pressure is not subtle. Reuters reported OpenAI’s announcement came one week after Anthropic introduced Project Glasswing on April 7, giving select organizations access to Claude Mythos Preview for defensive cybersecurity work. (money.usnews.com) (anthropic.com) Anthropic’s launch partners include Amazon Web Services, Apple, CrowdStrike, Google, Microsoft, Nvidia and Palo Alto Networks. OpenAI is taking a broader but still gated route, saying it wants advanced defensive tools to reach “legitimate actors large and small” without handing them to malicious users. (anthropic.com) (openai.com) The immediate result is that cyber-capable models are moving into the market behind identity checks, partner programs and restricted tiers instead of a public application programming interface. OpenAI’s April 14 launch makes that gatekeeping strategy explicit. (axios.com) (openai.com)