Posts claim GPT-5.6 Sol beats Mythos 5 on UK AISI and CyberGym tasks
Posts citing UK AISI and CyberGym said GPT-5.6 Sol beat Mythos 5 on narrow cyber tasks and The Last Ones. Greg Brockman separately invited defenders to test it on real systems.

TL;DR
- GPT-5.6 Sol is being framed as the new cyber leader: deredleritt3r's benchmark summary says it beat Mythos 5 on UK AISI narrow cyber tasks and The Last Ones, with 7/10 full solves versus 6/10 for Mythos 5.
- The long-horizon result is compute-hungry: rohanpaul_ai's chart post says The Last Ones runs used 100M-token budgets, while AISI's own writeup says the range is a 32-step corporate network attack across four subnets and about 20 hosts.
- Open-weight cyber models are closing the lag: scaling01's AISI chart read puts GLM-5.2 around Opus 4.5 on The Last Ones, while rohanpaul_ai says the open-weight gap narrowed to 4 to 7 months from 6 to 10 months through much of 2025.
- OpenAI is packaging Sol's cyber capability through Codex Security and Daybreak: OpenAI's Codex Security thread shows the plugin flow, while dkundel's safeguard reply says Sol's cyber safeguards block roughly ten times more potentially harmful activity than previous models.
- GPT-Red is the hardening story behind the launch: OpenAI's GPT-Red thread says automated self-play red-teaming fed GPT-5.6 training, and the Fake Chain-of-Thought screenshot says one attack class fell from above 95% success on GPT-5.1 to below 10% on GPT-5.6 Sol.
OpenAI's GPT-5.6 launch post puts the cyber claims next to ultra, Programmatic Tool Calling, and a multi-agent beta. AISI's open-weight cyber analysis says The Last Ones would take a human expert roughly 20 hours, and gives each model 10 runs with a 100M-token cap. The GPT-Red writeup includes a red-teamer that beat humans 84% to 13% on an indirect prompt-injection arena. The Daybreak page is where OpenAI routes defenders, though its controlled-access table still foregrounds GPT-5.5-tier cyber access.
The Last Ones
The claimed AISI ordering is straightforward:
- Narrow cyber tasks: GPT-5.6 Sol scored higher than Mythos 5, according to deredleritt3r.
- The Last Ones average: GPT-5.6 Sol scored higher than Mythos 5, according to the same summary.
- The Last Ones full solves: Sol completed the benchmark in 7 of 10 attempts, versus 6 of 10 for Mythos 5.
- The Cooling Tower: deredleritt3r left the Sol versus Mythos 5 ordering unresolved, while noting Mythos 5 had previously been the first model to solve it in 3 of 10 attempts.
OpenAI made the same high-level claim in OpenAI's Codex Security thread, calling GPT-5.6 Sol a new state of the art on The Last Ones and tying it to real-world vulnerability finding, validation, and fixing.
AISI's official range description defines The Last Ones as a 32-step corporate network attack simulation across 4 subnets and roughly 20 hosts. The chart milestones run from initial reconnaissance to full network takeover.
ExploitGym
The CyberGym numbers being passed around are score-based, not pass-rate percentages:
- ExploitGym, 6-hour cap: GPT-5.6 Sol scored 293/869, versus 204 for Mythos Preview, according to deredleritt3r's parent post.
- ExploitGym, 2-hour cap: GPT-5.6 Sol scored 216, versus 157 for Mythos 5, according to deredleritt3r's addendum.
- Mythos 5 versus Mythos Preview, 2-hour cap: Mythos 5 scored 157, Mythos Preview scored 127, a 30-point gap, according to the same thread.
OpenAI's GPT-5.6 launch post reports a different presentation of related cyber evals: ExploitBench2 at 73.5% versus GPT-5.5's 47.9%, ExploitGym3 at 24.9% under a two-hour cap versus GPT-5.5's 15.1%, and 33.7% under six hours.
Open-weight gap
AISI's official analysis says GLM-5.2 was the most cyber-capable open-weight model it tested.
The gap breakdown:
- GLM-5.2, released in June 2026, performed similarly to Opus 4.6 and GPT-5.3-Codex on AISI's narrow cyber tasks.
- DeepSeek V4-Pro performed similarly to Opus 4.5 on narrow tasks.
- GLM-5.2 reached about as far as Opus 4.5 on The Last Ones and AISI's longer cyber ranges.
- AISI puts the current open-weight lag at 4 to 7 months, versus a 6 to 10 month lag in internal 2025 evaluations.
The cost numbers are spicy. AISI estimated a 100M-token cyber range run at roughly $85 for Opus 4.5 and 4.6, $46 for GLM-5.2, and $1.19 for DeepSeek V4-Pro.
Kimi K3 is the next obvious test case: emollick said AISI would test it when weights are out, and AISI's post says that release was expected at the end of July.
Runtime compute
The chart makes runtime compute part of the capability claim. rohanpaul_ai read the 100M-token budget as evidence that operators can get materially stronger cyber performance by spending more inference compute without retraining the model.
The curve is not monotonic for every model. scaling01 noted that Mythos Preview outperformed both GPT-5.6 Sol and Mythos 5 through roughly the first 30M tokens, and that its best attempt was slightly faster than Sol's best attempt.
The unresolved bit is the stall. scaling01's follow-up asked whether Mythos Preview flatlined around 30M tokens because progress stopped, budget was limited, or long-context behavior broke down.
Range limitations
AISI's range caveats are doing real work here. Its open-weight analysis says the ranges lack active defenders, defensive tooling, and alert penalties, and that range comparisons are weaker evidence than the larger narrow-task suite.
AISI also says trajectories alone do not explain whether a model stalled because it lacked cyber skill or because it failed at long-horizon planning and execution.
Chart comparability was already under community pressure. teortaxesTex pointed at apparent movement in CAISI overall-capability Elo charts and asked whether the benchmark mix had changed.
OpenAI's system card carries a similar bookkeeping warning: comparison values from previously launched models use recent snapshots and may vary from launch-time values.
Codex Security
OpenAI's product path is Codex Security plus Daybreak. gdb called GPT-5.6 Sol the state of the art in cyber and pointed defenders to OpenAI's signup flow.
The Codex Security flow in OpenAI's plugin thread is four steps:
- Add the Codex Security plugin.
- Click “Try in chat.”
- Choose a folder or repository containing the code to review.
- Send the prepared scan prompt.
OpenAI's launch post says Daybreak Trusted Access covers vulnerability triage and validation, malware analysis, detection engineering, and patch validation in authorized environments.
The friction is explicit. dkundel quoted OpenAI's launch language saying Sol's cyber safeguards block roughly ten times more potentially harmful activity than previous models, with fallback retries on lower-capability models in ChatGPT and Codex. One OpenAI community thread shows a verified user reporting that GPT-5.6 Sol still blocked reverse-engineering prompts and told them to sign up for Trusted Access.
GPT-Red self-play
OpenAI's GPT-Red system is an internal automated red-teamer trained to attack defender models through self-play. The official writeup says GPT-Red sends prompts, observes responses, iterates toward a valid failure, and trains against defender LLMs that are rewarded for resisting.
The threat environments are concrete:
- GPT-Red can control part of a local file.
- GPT-Red can control a webpage banner.
- GPT-Red can control an email body.
- GPT-Red can control the output of a tool.
The attacker got strong enough to beat humans on OpenAI's replicated indirect prompt-injection arena: 84% success for GPT-Red versus 13% for human red-teamers, according to the official post and WesRoth's comparison.
The origin story is funnier than the risk profile. kaicathyc said the effort began after teaching reasoning models to play games with self-play, and that the infra evolved from early Connect 4 experiments into a vulnerability-finding model.
Fake Chain-of-Thought
GPT-Red found a direct prompt-injection class OpenAI calls Fake Chain-of-Thought attacks. The attack text pretends to be hidden reasoning or diagnostic instruction inside a tool result, then tries to hijack the agent.
The before-and-after is stark:
- GPT-5.1: above 95% attack success on Fake Chain-of-Thought, according to the screenshot from OpenAI's writeup.
- GPT-5.6 Sol: below 10% attack success on the same class, according to the same screenshot.
- GPT-5.6 Sol: only 0.05% failure on GPT-Red's direct prompt injections, according to OpenAI's GPT-Red post.
- Developer-tool and browsing prompt-injection benchmarks: above 97% accuracy for OpenAI's latest model, according to the same post.
WesRoth summarized the defender-side curve as GPT-5.1 failing 95% of the time while GPT-5.6 Sol fails less than 10%. That is the cleanest reason the benchmark story and the red-team story belong in the same article.