• OpenAI released GPT-5.4-Cyber, a fine-tuned model with fewer safeguards specifically for cybersecurity defenders.
• The company is expanding its Trusted Access for Cyber program to thousands of verified defenders and hundreds of teams.
• The move is a direct contrast to Anthropic, which built a powerful cyber model—and then locked it away.

OpenAI is taking the opposite approach to Anthropic on AI and cybersecurity. While Anthropic built its most powerful cyber model and then locked it in a vault, OpenAI just released GPT-5.4-Cyber—a version of GPT-5.4 fine-tuned to be more permissive for defensive security work, and is handing it to verified defenders.

The model, announced today as part of an expansion of OpenAI’s Trusted Access for Cyber (TAC) program, lowers the refusal boundary for cybersecurity-related tasks and adds binary reverse engineering capabilities. That means security professionals can analyze compiled software for malware, vulnerabilities, and security robustness without needing source code access.

The TAC program is scaling from a limited pilot to thousands of individual defenders and hundreds of teams responsible for defending critical software. Individuals can verify their identity at chatgpt.com/cyber. Enterprises request access through their OpenAI representative. Higher tiers get GPT-5.4-Cyber; everyone else gets existing models with reduced friction on dual-use cyber activity.

The Anthropic Divergence

Two of the biggest AI labs are now making fundamentally different bets on cyber-capable models. Anthropic’s Mythos found vulnerabilities across every major OS and browser—including one OpenBSD flaw that went undetected for 27 years. But the company concluded the model was too dangerous to release broadly and locked access behind extreme vetting.

OpenAI’s reasoning runs the other direction. The company argues that digital infrastructure is already vulnerable, threat actors are already experimenting with AI, and waiting for a single safety threshold is a losing strategy. Instead, it’s distributing cyber-permissive models to vetted defenders now, with the idea that the best defense is to arm the defenders before the attackers catch up.

It’s a genuine philosophical split in the industry. And it means the next major cyber incident will be a test of which approach was right.

GPT-5.4-Cyber isn’t arriving in a vacuum. OpenAI’s cyber capabilities have been doubling roughly every six months, and the company has been iterating on cyber-specific safeguards since GPT-5.2. Codex Security, launched in private beta six months ago, has already contributed to fixes for over 3,000 critical and high-severity vulnerabilities across the ecosystem.

The company is also expanding its $10 million Cybersecurity Grant Program and has reached over 1,000 open-source projects with free security scanning through Codex for Open Source.

But the access isn’t unlimited. OpenAI notes that the most permissive tiers may come with restrictions around Zero-Data Retention use cases—particularly for developers accessing models through third-party platforms where OpenAI has less visibility into who’s using them and why. The message is clear: trust, but verify. And verify with KYC.
