OpenAI Launches GPT-5.4 with Reverse Engineering, Vulnerability

OpenAI has unveiled GPT-5.4-Cyber, a specialized variant of its flagship GPT-5.4 model. Fine-tuned for advanced defensive cybersecurity workflows, it grants vetted security professionals expanded access to capabilities like binary reverse engineering, vulnerability scanning, and malware analysis, operating with fewer restrictions than standard models.

GPT-5.4-Cyber is a version of GPT-5.4 specifically trained to lower the refusal boundary for legitimate cybersecurity work. The model enables security professionals to analyze compiled software for malware potential, identify vulnerabilities, and assess security robustness critically, without requiring access to a target’s source code.

This binary reverse-engineering capability represents a significant milestone, giving defenders a powerful tool to inspect software at the machine-code level, previously limited to specialized analysts and threat hunters.

OpenAI classified GPT-5.4 as “High” cyber capability under its Preparedness Framework, reflecting the model’s elevated potential for dual-use risk.

The GPT-5.4-Cyber variant goes further by deliberately relaxing those guardrails for authenticated defenders, making it more permissive specifically within controlled, verified environments.

Expanding the Trusted Access for Cyber Program

Alongside the model launch, OpenAI is significantly scaling its Trusted Access for Cyber (TAC) program, expanding to thousands of verified individual defenders and hundreds of teams responsible for protecting critical software.

Introduced in February 2026, TAC now features additional tiers of access, with higher verification unlocking progressively more powerful capabilities.

Customers approved for the highest TAC tier gain access to GPT-5.4-Cyber, which supports advanced defensive workflows such as vulnerability research, exploit analysis, and agentic security automation.

Individual users can verify their identity at chatgpt.com/cyber, while enterprise teams can request access through their OpenAI representative.

Because of its more permissive design, initial deployment is deliberately limited to vetted security vendors, organizations, and researchers, with OpenAI noting that access to permissive models may come with restrictions, particularly around Zero-Data Retention (ZDR) environments where OpenAI has less direct visibility into user intent.

Codex Security and the Broader Defensive Ecosystem

The GPT-5.4-Cyber launch is part of a broader cybersecurity strategy that OpenAI describes as scaling cyber defense in lockstep with increasing model capabilities.

A core pillar of this strategy is Codex Security, which automatically monitors codebases, validates issues, and proposes fixes. Since its recent research preview launch, Codex Security has contributed to fixing over 3,000 critical and high-severity vulnerabilities across the ecosystem, in addition to numerous lower-severity findings.

OpenAI also highlighted that capture-the-flag (CTF) benchmark performance across its models improved from 27% on GPT-5 in August 2025 to significantly higher scores with current-generation models, demonstrating rapid capability growth in offensive and defensive cyber tasks.

The move comes one week after rival Anthropic released Claude Mythos to the cybersecurity industry, signaling an escalating AI arms race focused on security-specific model variants.

OpenAI’s TAC program distinguishes itself on emphasizing democratized access, using robust KYC and automated identity verification to expand access based on objective trust signals rather than manual gating decisions.

OpenAI maintains that its safeguards — including account-level monitoring, asynchronous content classifiers, and tiered verification are sufficient to reduce cyber misuse risk while enabling legitimate defenders to operate at scale.

The company also warned that future, more capable models will require more expansive defenses as AI capabilities continue to advance beyond even today’s purpose-built models.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.