In a single week in April 2026, two of the frontier AI labs shipped models built specifically for defensive cybersecurity. Anthropic's Claude Mythos Preview went out on April 7 to a tightly limited set of partners under Project Glasswing. OpenAI's GPT-5.4-Cyber followed on April 14, gated behind the company's expanded Trusted Access for Cyber (TAC) programme. Two weeks earlier, in late March, OpenAI had also turned its Aardvark research preview into Codex Security — an autonomous code-vulnerability agent already running across major open-source projects.
Three releases, three different access models, one consistent message: the agentic SOC is no longer a slide. It is a category that frontier labs are ranking high enough to ship purpose-built models for.
The headline is not the models themselves. It is the predecessor track record.
For technology leaders watching the AI-in-security category, that is the data point that ends the debate about whether autonomous models can do real work in production environments. The follow-on questions are no longer "does it work" but "how fast do we ship it" and "what governance do we put around it before we do."
What actually shipped — corrected timeline
Because the press has conflated two separate announcements within the OpenAI release alone, the timeline is worth getting straight.
- March 26, 2026 — Anthropic's existence of an unnamed "step-change" cyber model first leaked publicly via Fortune.
- April 7 — Anthropic formally introduces Claude Mythos Preview. Available only via Project Glasswing to AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, and Nvidia for defensive use. Anthropic explicitly says it will not make Mythos generally available.
- April 14 — OpenAI launches GPT-5.4-Cyber, a fine-tune of GPT-5.4 designed for defensive security work, plus the expanded TAC tier programme. Highest TAC tiers get access to GPT-5.4-Cyber.
- Ongoing — Codex Security (the productised version of OpenAI's earlier Aardvark research preview) continues scanning major open-source projects and reporting CVEs.
The press has, in particular, sometimes labelled April 14 as a single "GPT-5.4-Cyber GA" event. It isn't a GA event in any normal sense. It is the moment OpenAI began letting vetted defenders apply for access to a more permissive cyber model — a controlled deployment, not a public release.
What GPT-5.4-Cyber actually does
The base GPT-5.4 model shipped on March 5, 2026. The cyber variant differs from it in two material ways.
Lowered safety refusals on offensive-adjacent inputs. Defensive security work — exploit triage, malware analysis, red-team exercises, incident response — looks superficially like the work a general assistant is trained to refuse. The cyber variant is permitted to engage with compiled binaries, suspicious network captures, and partial proofs-of-concept that a general assistant would push back on, on the assumption that the operator is a verified security professional acting on their own systems.
Binary reverse-engineering capability. Most existing AI security tools require source code or at least a complete repository. GPT-5.4-Cyber works on compiled software — scanning a finished binary for exploits, vulnerabilities, and malware potential without ever seeing the original code. That single capability changes the threat-model arithmetic for any business shipping software it didn't write itself, or running third-party binaries it can't audit.
In practice, the resulting capability set looks something like:
- Autonomous codebase and binary scanning at machine speed.
- Triaging vulnerability reports — separating real exploitable findings from noise.
- Generating proof-of-concept exploits for verified vulnerabilities so engineering teams can reproduce the issue.
- Red-team exercises against a defined target perimeter.
- Forensic analysis on incident artefacts.
Access is gated. OpenAI's TAC programme uses identity verification (passport-grade IDs and employer affiliation) plus organisational validation, not manual approval queues. Customers in the highest TAC tiers get GPT-5.4-Cyber. That tiering decision is what makes the programme actually scalable; previous gated cyber-AI access programmes capped at a few dozen organisations because every enrolment was a human-in-the-loop process.
What Mythos Preview is, and isn't
Claude Mythos Preview is the more dramatic of the two releases — and the more tightly held. Anthropic's own framing on its red-team site is direct: Mythos is a general-purpose language model that performs strongly across the board, but is strikingly capable at computer security tasks. In controlled evaluations where it was explicitly directed and given network access, it could execute multi-stage attacks on vulnerable networks and discover and exploit vulnerabilities autonomously — work that would take human professionals days.
The model has identified thousands of zero-day vulnerabilities across every major operating system and every major web browser, plus a wide range of other software. Expert reviewers agreed with Mythos's severity assessment exactly in 89% of 198 manually reviewed reports, and 98% of the assessments were within one severity level — meaning its risk grading is roughly on par with experienced human security analysts.
In parallel, the UK AI Security Institute's published evaluation gives an external read on Mythos's capabilities and limits. That evaluation, alongside Anthropic's own decision not to make Mythos generally available, sets the bar for how this generation of models is being released: very capable, very gated.
For most CTOs, the practical implication is that Mythos is not on your purchase order. The Project Glasswing partner list is a tier-1 enterprise list — you may consume Mythos-derived signal indirectly through CrowdStrike, Microsoft Defender, or AWS security services, but you are not running it yourself.
The predecessor that ended the abstract debate
Before either Mythos or GPT-5.4-Cyber, Aardvark / Codex Security had already shipped real outcomes against real codebases.
Over one month — reported by The Hacker News in March 2026 — Codex Security scanned 1.2 million commits across open-source repositories, identifying 792 critical and 10,561 high-severity issues, including 14 vulnerabilities serious enough to be logged in the CVE database. Repeated scans on the same repository reduced noise by 84% versus the initial rollout, false positives across repositories dropped by more than 50%, and over-reported severity dropped by more than 90% — the maturation pattern you'd expect from a system being tuned in production rather than a research demo.
That is the data point operators should anchor on. A semi-autonomous agent now finds CVE-grade issues at industrial scale, in code its operators didn't write, with diminishing false-positive rates. Whatever your security backlog looks like, that agent is now part of the competitive baseline — your attackers have access to similar tooling.
Independent evaluation as a release control
One of the structural changes in this release wave is who's doing the safety evaluation. OpenAI gave the U.S. Center for AI Standards and Innovation (CAISI) and the UK AI Security Institute (UK AISI) access to GPT-5.4-Cyber to evaluate cyber capabilities and safeguards. UK AISI also published an independent evaluation of Claude Mythos Preview.
This matters more than the specific findings. Two frontier labs releasing dual-use cyber models with formal third-party evaluation as part of the release control is a meaningful shift from "trust the lab's word for it." For any CTO building agentic security infrastructure, that evaluation tier is now part of the procurement question: which vendor's model has been independently red-teamed by which government body, and against what threat models.
The four governance gates before you ship
If you operate a security organisation, the practical question is what to do this quarter. The pattern that's holding up in production looks like four gates.
Identity- and role-bound access. Don't put a cyber-permissive model behind ChatGPT-style access. Wrap it in your existing IAM, log every prompt against an authenticated identity, and rate-limit aggressive scanning workloads. The TAC programme's verification model is the floor, not the ceiling.
Sandboxing for any execution. Verified vulnerabilities and proof-of-concept exploits should be executed only inside isolated environments — your own sandbox, not the model's session. Codex Security's pipeline does this by design; your wrapper around GPT-5.4-Cyber needs to do the same.
Human-in-the-loop on remediation. Generating a CVE-grade finding is one thing; pushing a patch to production is another. Keep the loop closed with engineering review — the agent files the report, the human ships the fix. The 84% noise reduction Codex Security achieved over a month is real and impressive, but "down 84%" still leaves false positives in a population an order of magnitude larger than your engineering capacity.
Vendor-evaluation dependency tracking. As OpenAI and Anthropic ship dual-use models with formal third-party evaluation, your security architecture acquires a new dependency: the evaluation cadence of CAISI and UK AISI. Track which model versions have been evaluated against which threat profiles. Treat unevaluated capability bumps as gated rollouts inside your stack, not auto-upgrades.
This is also the discipline that separates agentic AI infrastructure you can actually defend in front of an audit committee from a chat assistant with cyber prompts pointed at it. The model is the easy part; the operating model around it is where most early deployments will succeed or fail.
What CTOs should plan for now
Three things to take into the next quarter:
Budget for the agentic SOC, not just "AI security tools." Codex Security and its descendants are not features you bolt onto an existing scanner. They are first-class agents that execute work — scan, validate, report, escalate — and they require infrastructure to run safely. If your security budget for FY27 still treats AI as a line item under "tooling," rebuild it.
Decide where you sit on the attacker-defender curve. The same capability that lets a defender find CVE-grade issues lets an attacker do the same. Anthropic has been explicit about this with Mythos. Treat your threat model as updated automatically: assume a sophisticated adversary now has access to comparable tooling.
Pilot in a contained perimeter first. Run GPT-5.4-Cyber (if you can get TAC access), or build similar workflows on Codex Security, against one well-defined product or service line. Score outcomes against your existing scanner stack. Use the comparison as the basis for scaling — not vendor pitch decks.
GPT-5.4-Cyber and Mythos are the moment the cyber-AI category becomes a procurement decision rather than a research interest. The labs have shipped. The question CTOs face now is whether their organisations are configured to absorb capability that arrives every quarter, or whether they're going to be on the back foot when the next release lands.
