OpenAI Prepares for High Cybersecurity Threshold as Codex Launches Accelerate
OpenAI CEO Sam Altman announced January 23, 2026 that the company expects to reach the “High” cybersecurity level on its Preparedness Framework soon, with multiple exciting Codex launches planned over the next month starting next week. The statement signals OpenAI’s recognition that its coding models are approaching capabilities that could develop zero-day exploits against defended systems or assist with complex enterprise intrusion operations, triggering enhanced safeguards and a shift toward “defensive acceleration” as the primary mitigation strategy.

The Cybersecurity Capability Trajectory

AI coding models have demonstrated exponential improvement in cybersecurity capabilities over recent months. According to OpenAI’s cyber resilience report, performance on professional capture-the-flag challenges jumped from 27% on GPT-5 in August 2025 to 76% on GPT-5.1-Codex-Max in November 2025. GPT-5.2-Codex, released December 18, 2025, extended this trajectory but still falls short of the “High” threshold defined as models that can “develop working zero-day remote exploits against well-defended systems, or meaningfully assist with complex, stealthy enterprise or industrial intrusion operations aimed at real-world effects.”

Despite not yet reaching High capability, GPT-5.2-Codex achieved remarkable results on specialized evaluations. According to the GPT-5.2-Codex system card, the model scored 79% on Network Attack Simulation challenges, 80% on Vulnerability Research and Exploitation tasks, and demonstrated strong performance on multi-stage cyber scenarios. Third-party security researcher Andrew MacPherson from Privy used GPT-5.1-Codex-Max to discover three previously unknown vulnerabilities in React Server Components, validating real-world defensive application.

| Model | Release Date | CTF Success Rate |
| --- | --- | --- |
| GPT-5 | August 2025 | 27% |
| GPT-5.1-Codex-Max | November 2025 | 76% |
| GPT-5.2-Codex | December 2025 | 79-80% |
| Future Models | Expected Q1 2026 | High threshold (TBD) |

Initial Safeguards: Product Restrictions

Altman outlined OpenAI’s phased approach to managing dual-use cybersecurity capabilities. The company will start with product restrictions designed to block obviously malicious use cases. “We will start with product restrictions, like attempting to block people using our coding models to commit cybercrime (eg ‘hack into this bank and steal the money’),” Altman stated.

These restrictions build on existing safeguards OpenAI implemented for earlier Codex versions. GPT-5.2-Codex includes specialized safety training to refuse requests aimed at developing malicious software while supporting legitimate security research. The model operates in isolated cloud containers with internet access disabled during task execution, limiting interaction to explicitly provided code repositories.

However, Altman acknowledged product restrictions alone prove insufficient as capabilities advance. “Cybersecurity is tricky and inherently dual-use,” he noted, recognizing that the same techniques defenders use to find vulnerabilities can theoretically support malicious operations. This tension makes simple blocking mechanisms inadequate without severely impacting legitimate defensive workflows.

Long-Term Strategy: Defensive Acceleration

OpenAI’s long-term mitigation centers on “defensive acceleration” — using AI capabilities to help security teams patch vulnerabilities faster than attackers can exploit them. “Long-term and as we can support it with evidence, we plan to move to defensive acceleration, helping people patch bugs, as the primary mitigation,” Altman explained.

This philosophy reflects the company’s belief that restricting powerful security tools harms defenders more than attackers. According to OpenAI’s cybersecurity framework, “We believe the best thing for the world is for security issues to get patched quickly.” The company argues that nation-state actors and sophisticated criminal organizations will develop equivalent capabilities regardless of OpenAI’s deployment decisions, making rapid defensive adoption critical.

To support this vision, OpenAI is establishing a Trusted Access program providing vetted security professionals and organizations with enhanced capabilities. eSecurity Planet reported the invite-only pilot will remove friction for qualifying users working on cyberdefense, enabling them to use frontier AI cyber capabilities for red-teaming, malware analysis, and infrastructure stress testing—activities that product restrictions might otherwise block.

The Evidence-Based Transition

Altman emphasized the shift to defensive acceleration will occur “as we can support it with evidence,” suggesting OpenAI plans to measure whether AI-assisted defense outpaces AI-assisted offense before fully committing to the strategy. This data-driven approach addresses criticism that defensive acceleration represents wishful thinking rather than proven security doctrine.

The company has begun gathering evidence through real-world deployment. Security researchers using GPT-5.1-Codex-Max discovered React vulnerabilities in December 2025, demonstrating that defensive use cases generate tangible security improvements. OpenAI stated it has “disrupted cyber operations attempting to misuse our models,” indicating monitoring systems successfully detect malicious activity, though the company noted it “has not observed a meaningful increase in scaled abuse” as capabilities improved.

The Urgency Argument

Altman stressed rapid adoption matters for global security. “It is very important the world adopts these tools quickly to make software more secure. There will be many very capable models in the world soon,” he stated, acknowledging competitors will soon release comparable capabilities regardless of OpenAI’s deployment pace.

This competitive dynamics argument faces skepticism from security researchers who question whether flooding the market with powerful cyber tools accelerates defense faster than offense. Critics note that defenders must protect every system while attackers only need to find one vulnerability, creating asymmetric advantages that AI capabilities could amplify rather than equalize.

However, OpenAI’s position reflects Silicon Valley’s preference for “permissionless innovation” over precautionary restriction. The company argues that because capable models will inevitably exist—whether from OpenAI, Anthropic, Google, or open-source projects—the optimal strategy maximizes defensive tooling availability rather than attempting to contain capabilities that leak regardless of safeguards.

Upcoming Launches and Timeline

Altman’s announcement of “a lot of exciting launches related to Codex coming over the next month, starting next week” suggests accelerated rollout of enhanced capabilities, trusted access programs, and potentially new model versions approaching or crossing the High threshold. Given the December 2025 release of GPT-5.2-Codex and the rapid capability trajectory documented in OpenAI’s evaluations, February 2026 launches could include models nearing zero-day exploit development capabilities.

The company’s Preparedness Framework requires Safety Advisory Group review before deploying High-capability models, with potential for independent third-party audits. According to the system card addendum, OpenAI leadership determined GPT-5.2-Codex’s performance “does not meet the level of consistency needed for High cyber capability” despite strong results, suggesting the threshold requires not just capability but reliable, scalable execution.

What “High” Threshold Means in Practice

Reaching High cybersecurity capability would trigger OpenAI’s most stringent deployment protocols. The Preparedness Framework treats High-risk models differently than Medium-risk ones, potentially requiring restricted access, enhanced monitoring, government coordination, and delayed public releases. The framework acknowledges that “technical mitigations alone may not be sufficient” as models increase in capability, suggesting OpenAI may need policy-level interventions including coordinated vulnerability disclosure processes, mandatory security researcher vetting, and collaboration with government cybersecurity agencies.

For developers and security professionals, High-capability models could unlock previously impossible workflows including automated vulnerability scanning at scale across massive codebases, AI-assisted zero-day discovery and proof-of-concept development, autonomous security patch generation and testing, and AI-guided red team operations simulating sophisticated threat actors. These capabilities represent transformational improvements for defensive security if properly governed, but equally transformational risks if misapplied or widely accessible without restrictions.

The Philosophical Debate

OpenAI’s defensive acceleration strategy rests on contestable assumptions about offense-defense balance in cybersecurity. The company believes that AI-assisted defense can outpace AI-assisted offense given sufficient adoption, that restricting capabilities harms defenders more than attackers because attackers ignore restrictions, and that rapid patching enabled by AI tools neutralizes vulnerabilities faster than AI-discovered exploits proliferate.

Critics argue that offense enjoys structural advantages including asymmetric targets (attackers choose weakest points while defenders protect everything), persistence (exploits remain valuable until patched), and attribution challenges (defenders must protect publicly while attackers operate covertly). If these asymmetries persist in AI-assisted contexts, defensive acceleration might accelerate both sides equally rather than favoring defense.

The next month’s launches will provide early evidence for this debate. If OpenAI’s Trusted Access program produces measurable security improvements through accelerated patching while maintaining acceptable abuse rates, the defensive acceleration thesis gains credibility. If instead the company observes capability proliferation enabling scaled attacks, the strategy may require significant revision before models cross into High territory.
