AI systems are getting terrifyingly good at breaking into things. A new research report from Lyptus Research found that AI offensive cyber capabilities double every 9.8 months — and since 2024, that rate has accelerated to every 5.7 months. That’s not a typo.
The study tested 291 security tasks against 10 professional human experts using the METR time-horizon method — which measures how long it takes an AI to solve a task at 50% success rate. In 2019, GPT-2 could manage about 30 seconds of useful work. By 2026, Anthropic’s Opus 4.6 and OpenAI’s GPT-5.3 Codex are cracking tasks that take humans roughly three hours. That’s a 360x jump in seven years.
Give GPT-5.3 Codex a 10-million-token budget and its effective time horizon stretches from 3.1 hours to 10.5 hours. These aren’t cherry-picked demos — 291 tasks, 10 professionals, rigorous methodology. Ramez Namous flagged the findings on X, and the security community is paying close attention.
Opus 4.6 went a step further: it uncovered over 500 previously unknown high-severity vulnerabilities hiding in open-source libraries. That’s not theoretical risk — that’s active, mass-scale exploitation potential sitting undiscovered in code the internet runs on every day. The researchers openly admit they’re probably underestimating the pace of progress.
Open-source models trail closed-source frontier models by roughly 5.7 months — but that gap is closing fast. Meta is already pushing its internal AI teams to operate at maximum output, and it’s only a matter of time before those open weights catch up. The offense-defense balance in cybersecurity is about to get very ugly.
All benchmark data, task definitions, and evaluation code are published on GitHub and Hugging Face. The full Lyptus Research report is live at lyptusresearch.org. If you’re in security, this is your wake-up call. If you’re not, the wake-up call is coming anyway.