OpenAI is quietly assembling a powerful new cybersecurity product-but only a narrow circle of “trusted” organizations will ever touch it, at least at first. According to reports, the tool will be offered exclusively through the company’s “Trusted Access for Cyber” program, a controlled distribution channel meant to keep its strongest offensive and defensive capabilities out of the general public’s hands and firmly in the domain of professional security teams.
The Trusted Access for Cyber initiative, first revealed in February, represents a clear shift in how frontier AI models are being deployed. Rather than pushing out new systems as broad consumer products, OpenAI is opting for a gated model: carefully vetted partners, strict usage terms, and oversight geared toward defensive use only. The company launched the program around GPT-5.3-Codex, which is currently its most advanced cybersecurity-focused model, and is supporting early adopters with a sizable pool of $10 million in API credits.
This move does not exist in a vacuum. It lands in the middle of an intense debate within the security and AI communities about how far-and how fast-offensive cyber capabilities should be democratized through large language models. Researchers have warned that as models become more capable at scanning, exploiting, and automating attacks, existing cyber defenses, legal frameworks, and even organizational playbooks could be quickly outpaced.
Anthropic’s recent experience with its own cutting-edge system, Claude Mythos, has become a cautionary tale for the entire sector. The firm described Mythos as its most powerful model to date, and internal testing reportedly showed that it was able to uncover zero-day vulnerabilities across every major operating system and web browser it was pointed at. The model was so adept at discovering previously unknown flaws that Anthropic ultimately decided it could not responsibly release it to the open market.
Instead, Anthropic placed Mythos behind a tightly controlled access layer, electing to share a “Mythos Preview” only with a small group of carefully chosen organizations. These include some of the largest technology, finance, and security firms in the world, as well as entities involved in maintaining critical infrastructure. The common thread among these partners is significant in-house security expertise, hardened operations, and a strong incentive to use the model for defense rather than offense.
The trigger for that decision was alarming: a leaked Mythos Preview was reportedly able to surface “tens of thousands of vulnerabilities,” many of which experienced human bug hunters would typically struggle to find-or might never discover at all. The model was described internally as “extremely autonomous,” able to reason and operate with the sophistication of a senior security researcher. For defenders, that is a dream capability. For attackers, in the wrong context, it is a nightmare scenario.
In response, Anthropic launched an initiative often referred to as Project Glasswing, essentially an access-control framework for Mythos Preview. Through it, the model is being shared only with vetted partners such as Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, major open-source and infrastructure-focused organizations, Microsoft, Nvidia, Palo Alto Networks, and several dozen others responsible for key pieces of the digital ecosystem. Those partners are expected to use the model to harden systems, close vulnerabilities, and pressure-test critical infrastructure before malicious actors can exploit the same weaknesses.
OpenAI appears to be taking notes from this blueprint. By restricting its upcoming cybersecurity product to a trusted-access program, the company is effectively preempting some of the legal and regulatory blowback that Anthropic is facing. Anthropic has already found itself embroiled in a dispute after the U.S. Department of Defense identified it as a potential supply chain risk, in part because the company refused to relax usage safeguards on Claude for applications involving surveillance and autonomous weapons. That standoff underscored how national security interests and AI safety principles can collide.
Government scrutiny of advanced AI labs has been intensifying since early April, especially around systems with dual-use potential-the same tools that can secure software and infrastructure can also be repurposed to attack them. OpenAI’s decision to voluntarily constrain who can use its strongest cyber tooling looks like an effort to position itself as a responsible actor, rather than wait to be forced into constraints by regulators or defense agencies.
There is also a broader technical concern lurking beneath these specific product decisions. Anthropic’s own safety assessments acknowledged that Cybench-the benchmarking tool used to evaluate whether an AI model presents serious cybersecurity risk-is no longer an adequate yardstick for the most advanced systems. Mythos effectively maxed out the benchmark, rendering it too blunt to capture the subtleties and edge-case risks that frontier models now present. In its safety materials, Anthropic openly noted that many of its determinations about Mythos came down to human judgment and that there remains “fundamental uncertainty” in how these tools might behave in the wild.
To blunt some of the criticism and to reinforce the narrative that these systems can be a net positive for security, Anthropic paired Mythos access with a significant financial commitment: up to $100 million in usage credits and $4 million in direct donations earmarked for open-source security efforts. The idea is straightforward: supercharge the capabilities of defenders-especially in resource-constrained environments-so they can keep pace with or outstrip the capabilities that attackers may eventually gain.
OpenAI, by contrast, has not yet announced an equivalent funding package alongside its Trusted Access for Cyber program. What it has done, however, is frame its approach in similar terms: if the highest-performing cyber models cannot be safely handed to everyone, then they should at least be made available to organizations tasked with protecting critical digital infrastructure, corporate networks, and government systems. Giving defenders early access to tools that can methodically find and fix vulnerabilities is presented as a tradeoff worth making, even if it means the broader developer community gets a more limited or delayed version.
What is emerging across the frontier AI landscape is a new distribution model for the most capable systems. Instead of splashy, public rollouts where anyone with a credit card can call an API, these tools are starting to look more like classified research: selective distribution, legal agreements, auditing obligations, and strict requirements around logging, monitoring, and how outputs may be used. In some sense, AI labs are building their own quasi-regulatory frameworks ahead of, or alongside, formal government regulation.
From a practical standpoint, this shift raises significant questions for both defenders and independent researchers. On one hand, concentrated access means that core infrastructure providers and large enterprises can coordinate on defenses using identical high-end tools, potentially improving baseline security across the internet. On the other hand, limiting access can sideline smaller security teams, startups, academics, and independent bug hunters who have historically driven much of the innovation in vulnerability discovery and disclosure.
Another tension lies in the assumption that access controls will meaningfully limit offensive use. Restricting the strongest models to trusted partners can slow down widespread abuse, but it does not eliminate the risk that similar capabilities will gradually filter into less-regulated systems, open models, or black-market offerings. History suggests that techniques and tools tend to diffuse over time. The current strategy essentially buys a window of advantage for defenders, with the hope that they can raise the cost and complexity of real-world attacks before the offensive side catches up.
For the organizations that are likely to be admitted into programs like Trusted Access for Cyber, the upside is clear: automated vulnerability scanning at a scale no human team can match, assistance in reverse engineering and patch development, and continuous stress-testing of their own systems. Enterprises can use these models to simulate sophisticated adversaries, run red-team exercises, and proactively harden their software supply chains. Governments and infrastructure operators can similarly apply them to critical sectors such as energy, finance, transportation, and healthcare.
Yet even among trusted partners, there are thorny implementation issues. How do you ensure that logs of model interactions do not themselves become sensitive targets? What happens if a contractor inside a vetted organization misuses access for personal gain or sells capabilities on the side? How do you verify that the outputs-such as exploit code, escalation paths, or detailed attack playbooks-are safely handled, stored, and eventually purged? Building governance mechanisms that are robust enough to handle those scenarios is as important as any technical safeguard inside the model.
There is also the question of how these policies scale internationally. Many countries are aggressively investing in generative AI and cyber capabilities, and they may not align with the self-imposed limitations that companies like OpenAI and Anthropic are experimenting with. That could lead to a fragmented landscape in which some jurisdictions host tightly controlled, safety-forward AI ecosystems, while others become havens for more permissive or opaque deployments. In that environment, trusted-access programs become both a security strategy and a geopolitical statement.
For security professionals deciding whether to engage with such programs, the calculus will revolve around trust, transparency, and measurable benefit. They will want to know how models are trained, what safeguards exist against model exfiltration or replication, how incident response would work if something goes wrong, and whether they can meaningfully influence model behavior through feedback. If AI labs can demonstrate that these partnerships genuinely reduce risk-by driving down exploitable vulnerabilities, shrinking attack surfaces, and improving response times-then the argument for limited access grows stronger.
Looking ahead, the pattern seems clear: the days when the most advanced models were rolled out as general-purpose tools to anyone with an API key are coming to an end. For high-stakes domains like cybersecurity, companies are converging on a model of privileged access, layered safeguards, and ongoing oversight. Whether that approach can keep pace with the accelerating capabilities of frontier AI-and the ingenuity of real-world attackers-will be one of the central security questions of the coming years.
For now, OpenAI’s planned cybersecurity product remains officially unconfirmed in public statements, but its direction is evident. Restricting its most capable tools to a circle of trusted defenders is both a strategic bet and a risk-management exercise: empower those on the front lines without handing the same power to everyone else. How well that balance is struck will help define not only the company’s reputation, but also the broader relationship between cutting-edge AI and the security of the digital world.