OpenAI launched Daybreak this week — its answer to Anthropic's Mythos and Project Glasswing — using a new GPT-5.5-Cyber model to find software vulnerabilities at scale. Apple, Microsoft, Google, and Amazon have already been running Glasswing since April; Daybreak now puts OpenAI in the same room. For anyone running software at meaningful scale, the AI-finds-the-bugs-before-attackers-do tooling layer just became contested between two frontier labs.

Daybreak combines GPT-5.5-Cyber with Codex Security, which builds an editable threat model from a company's software repository and automates monitoring for higher-risk vulnerabilities. Discovered issues get investigated in an isolated environment. OpenAI is shipping three model tiers: GPT-5.5 (general purpose, standard safeguards), GPT-5.5 with Trusted Access for Cyber (verified defensive work, authorized environments), and GPT-5.5-Cyber (specialized authorized workflows, stronger verification and account-level controls). OpenAI claims GPT-5.4-Cyber — the prior version — contributed to fixing more than 3,000 vulnerabilities. No independent verification or scope breakdown is public yet. Access requires formal vetting from OpenAI; the platform is in preview, pricing unlisted. EU rollout is happening; Anthropic has reportedly held back Mythos from the same regions.

The dual-use problem at the center: a model that can find vulnerabilities can find them for defense or for offense, which is exactly why both Anthropic and OpenAI restrict access. Anthropic launched Mythos in April with similar restrictions; CNBC reported the launch set off "cybersecurity hysteria" among financial sector institutions. OpenAI's pivot from criticizing Anthropic's restrictions in late April to imposing its own a few weeks later is the visible signal that the frontier labs are aligned on this being unsafe to ship broadly. The deeper move: cybersecurity AI is becoming a frontier-lab product category alongside coding agents, not a security-vendor product. That changes who small orgs go to for help — and who they can't reach because vetting bars rise. The Glasswing adoption list (Apple, Microsoft, Google, Amazon) is also an "AI-built infrastructure now needs AI-built security" admission, since those four are the biggest customers of AI-assisted code shipping.

Daybreak is preview-only, request-gated, pricing TBD. For most builders the practical implication isn't "I'll use Daybreak" but "the labs are now contesting cybersecurity infra directly." If your org is large enough to qualify, both platforms target overlapping problems with different threat-model assumptions and are worth evaluating side-by-side. For everyone else, the trickle-down to mainstream security tools — Snyk, Semgrep, GitHub Advanced Security — over the next year is the story to watch. The 3,000-vulnerabilities number is the kind of claim that wants independent corroboration before it ships into procurement decks.