OpenAI releases GPT‑5.4‑Cyber

Cybersecurity is the work of finding and fixing software weaknesses before attackers use them, and OpenAI has now built a model just for that job: GPT‑5.4‑Cyber. (openai.com) OpenAI said on April 14, 2026 that it is scaling its Trusted Access for Cyber program to “thousands” of verified individual defenders and “hundreds” of teams, starting with a fine-tuned model it calls GPT‑5.4‑Cyber. The company is not offering the model for open public use. (openai.com) Instead, access is being limited to vetted security researchers, incident responders, bug bounty professionals and organizations defending critical software, with applications handled through OpenAI’s Trusted Access intake process. The form asks about certifications including International Organization for Standardization 27001, Service Organization Control 2 and Federal Risk and Authorization Management Program, along with intended defensive uses. (openai.com, openai.com) OpenAI said the model is tuned to be “cyber-permissive” for defensive work, meaning it is more willing than a general chatbot to help users analyze malware, investigate intrusions and test systems they are authorized to defend. The company paired that broader help with identity checks, use restrictions and monitoring aimed at misuse. (openai.com, openai.com) The release extends a policy shift OpenAI began in February, when it introduced Trusted Access for Cyber alongside GPT‑5.3‑Codex and committed $10 million in application programming interface credits for cyber defense work. At the time, OpenAI described the program as a pilot for placing stronger cyber capabilities in “the right hands.” (openai.com, openai.com) This arrives as OpenAI and Anthropic are both moving sensitive cyber models toward restricted rollouts instead of broad consumer release. CyberScoop reported that OpenAI’s new program expansion puts it in more direct competition with Anthropic’s Project Glasswing after months of debate over who should get access to high-capability security tools. (cyberscoop.com) OpenAI has been laying the groundwork for this for months. In a system card published on March 5, 2026, the company said GPT‑5.4 Thinking was its first general-purpose model with mitigations for “High capability in Cybersecurity,” a sign that cyber misuse had moved into a higher-risk category inside OpenAI’s safety framework. (openai.com) The company has also been testing narrower security tools before this launch. CyberScoop reported in November 2025 that OpenAI released a beta model called Aardvark to scan codebases, model threats and propose patches for human review. (cyberscoop.com) OpenAI said the next step is more capable cyber models “over the next few months,” with Trusted Access acting as the gatekeeper while those systems are rolled out. For now, the company is drawing a line between general artificial intelligence products and a security model that only verified defenders can use. (openai.com)