UK AISI finds GPT-5.5 matches Claude Mythos on vulnerability-finding
TL;DR:
- The UK AI Security Institute (AISI) has evaluated OpenAI’s GPT-5.5 on security vulnerability-finding and found it performs comparably to Anthropic’s Claude Mythos on the same evaluation.
- Bruce Schneier flagged the significance bluntly on his blog: GPT-5.5 is generally available, where Claude Mythos has been the model anchoring most recent public discussion of AI-enabled vulnerability research.
- AISI separately analysed a smaller, cheaper model that requires more prompter scaffolding but reaches comparable vulnerability-finding outcomes — significantly lowering the per-task economic threshold for capable AI-assisted vulnerability research.
The result lands during the same week US Treasury Secretary Scott Bessent confirmed publicly that Anthropic’s Mythos has been driving urgent banking-sector software patching, and that comparable “step function” capability jumps are expected from OpenAI and Google Alphabet. Schneier’s commentary frames the UK AISI evaluations as the published, replicable evidence base behind the policy concern.
Why the parity matters
There are three implications. First, vulnerability-finding capability is no longer a single-vendor property — every major frontier lab now appears to be at or near the same performance ceiling. Second, the “generally available” qualifier matters: GPT-5.5 is rolled out broadly, where Mythos has tighter access controls, so the practical attacker-side calculus shifts when generally-available models match controlled-deployment models. Third, the smaller-model result suggests the cost frontier is falling — meaning the threat model needs to assume capable vulnerability-finding from many more actors than the small group with frontier-lab API access.
UK angle: AISI as the international benchmark
The UK AISI’s published evaluations have become the de-facto international benchmark for frontier-model security capability. The Institute publishes pre-deployment evaluations, comparable cross-model results, and methodology that other regulators can cite. Schneier — based in the US — citing AISI as the authoritative source on GPT-5.5 vulnerability-finding capability is a notable signal of the Institute’s reputation. For UK SMEs in cybersecurity, the operational implication is that AI-enabled vulnerability scanning is now a baseline threat to assume, not an emerging one — and the ICO’s five-step guidance this week aligns with that frame.
Looking forward
Two near-term items. First, whether AISI publishes a methodology paper or full evaluation harness that other CERTs and national cyber agencies can adopt. Second, whether industry vulnerability-disclosure timelines compress in response — if the time-to-discovery for AI-assisted research is now significantly shorter than the historic norm, responsible-disclosure windows may need to shorten too. UK CNI operators and software vendors should be reading the AISI work alongside NCSC’s updated Cyber Assessment Framework.