OpenAI's GPT-5.5 matches Mythos

Bruce Schneier wrote on May 13 that the UK’s AI Security Institute found OpenAI’s GPT-5.5 “comparable” to Anthropic’s Mythos at finding software security vulnerabilities. The result matters because Mythos has been treated as a restricted, high-end cyber model, while GPT-5.5 is a more broadly available OpenAI system, according to Schneier’s summary and separate reporting on the UK evaluation. (schneier.com) (theglobeandmail.com) Canada is also moving from benchmark results to operational access. The Globe and Mail reported on May 14 that Canada’s Communications Security Establishment, or CSE, is set to get access to GPT-5.5-Cyber to assess risks in systems tied to critical infrastructure, citing sources. (engadget.com) The new cyber push is arriving as OpenAI faces fresh legal scrutiny around ChatGPT. Engadget reported on May 13 that the family of 19-year-old Sam Nelson sued OpenAI, alleging ChatGPT advice contributed to an accidental overdose, while Yahoo Finance reported on May 14 that OpenAI faces a class action accusing it of sharing ChatGPT user queries with Meta and Google through tracking tools. (schneier.com) ### What did the UK testing actually say about GPT-5.5? Bruce Schneier said the UK’s AI Security Institute evaluated GPT-5.5 on vulnerability-finding tasks and found it comparable to Anthropic’s Mythos. Schneier linked that result to the institute’s earlier Mythos work and said a smaller, cheaper model analyzed in related work also performed strongly with more prompting support. (theglobeandmail.com) The Information reported last week that the UK group said GPT-5.5 was roughly on par with Mythos in some cybersecurity tasks. Its brief said GPT-5.5 completed a difficult corporate network attack simulation in two of 10 attempts, a concrete result that suggests the comparison was based on task performance rather than marketing claims. (engadget.com) ### Why does Canada’s CSE access matter now? The Globe and Mail reported on May 14 that GPT-5.5-Cyber was built to hunt and fix software vulnerabilities and will be used by CSE to assess risks in systems tied to critical infrastructure. The report attributed that plan to sources and placed Canada’s signals-intelligence and cybersecurity agency directly inside the next testing phase. (schneier.com) CSE’s involvement shows the model is moving beyond lab-style evaluations into government risk assessment. That is an inference from the reported access arrangement and the stated use on critical-infrastructure systems, not a public characterization from CSE in the material reviewed here. (theinformation.com) ### How does this fit into OpenAI’s cyber rollout? MacRumors reported on May 11 that OpenAI launched a cyber-defense effort called Daybreak and positioned it against Anthropic’s Project Glasswing and Mythos. That report said the effort is meant to help technology companies find security vulnerabilities in their platforms. (theglobeandmail.com) Separate coverage this week described GPT-5.5-Cyber as a cybersecurity-focused model for vetted professionals and researchers. Those reports are not primary-source product documentation, but they align with the Canada access report’s description of a model aimed at vulnerability discovery and remediation. (theglobeandmail.com) ### What lawsuits are landing at the same time? Engadget reported on May 13 that Leila Turner-Scott and Angus Scott sued OpenAI, alleging the company designed and distributed a defective product that led to the death of their son, Sam Nelson, from an accidental overdose. A separate press release from Tech Justice Law said Nelson died on May 31, 2025, after following medical advice from ChatGPT, though that account reflects the plaintiffs’ allegations. (macrumors.com) Yahoo Finance reported on May 14 that a class action accuses OpenAI of sharing ChatGPT user queries with Meta and Google through embedded trackers on its website. Cybernews separately reported that the complaint, filed in the name of plaintiff Amargo Couture, alleges OpenAI embedded Facebook Pixel and Google Analytics code that transmitted user queries and personal information in real time. (msn.com) ### What comes next? Canada’s next step is the reported CSE evaluation of GPT-5.5-Cyber on critical-infrastructure risk, according to the Globe and Mail’s May 14 report. OpenAI’s next public milestones are likely to come through court filings in the California wrongful-death case and the newly filed data-sharing complaint, as well as any further disclosures from the UK AI Security Institute or government agencies testing the model. (engadget.com) (theglobeandmail.com) (finance.yahoo.com)