OpenAI is selling GPT-5.6 Sol as its most secure model for cybersecurity work yet. The UK's AI Security Institute broke it in hours.
OpenAI launched GPT-5.6 Sol on July 9, 2026, pitching it directly at security teams: vulnerability research, exploit analysis, patch development, code review. Days later, the UK AI Security Institute reported that it found universal jailbreaks in Sol's cyber capabilities during every round of testing before launch. Some took only hours to develop. Once broken, the model would carry out long-form, autonomous hacking tasks, not just describe how a flaw works.
That is the tension sitting at the center of this launch. A company markets a model for cybersecurity defense. A government safety body proves, within days, that the same model can be turned toward offense.
AISI's testers had access most attackers do not. According to Fortune's reporting on the disclosure, researchers were given grey-box access to the chain of thought inside Sol's safety reasoning monitor, the exact wording of OpenAI's policies, and real-time labels from the classifiers meant to catch bad requests. AISI lead Xander Davies said the jailbreaks his team found are still findable without that access. They just take longer.
What the jailbreaks unlocked was specific. Once past the guardrails, Sol could complete long-form agentic tasks in vulnerability discovery and exploit development on its own, according to AISI's evaluation. That is a meaningfully different risk than a chatbot explaining a known CVE. It is a model doing the work.
The numbers from OpenAI's own system card show how far that work goes. On a cyber range called The Last Ones, a simulated 32-step attack on a corporate network, Sol completed the full chain in 7 of 10 attempts. Its predecessor, GPT-5.5, managed 2 of 10. On a harder range called Doing Life, built around hardened infrastructure with antivirus tooling and legacy protocols disabled, Sol reached step 21 of 23 in just 3 of 10 attempts.
Browser exploitation told a slightly different story. In evaluations against Chromium and Firefox, Sol identified real bugs and exploit primitives but never assembled a complete, working exploit chain under the conditions OpenAI tested. That kept it under the company's self-defined Cyber Critical threshold, the line OpenAI uses to decide whether a model needs to be locked down harder before release.
On raw capability, Sol is not chasing a new frontier so much as matching one more cheaply. On ExploitBench, it performs roughly on par with Anthropic's Mythos Preview while using about a third as many output tokens to get there. Frankly, that efficiency claim is the part OpenAI wants you to focus on. The jailbreak story is the part it would rather you didn't.
Why no export controls this time #
This is not the industry's first brush with this exact problem this summer. Anthropic's Fable 5 triggered US export controls in June after a jailbreak was discovered, controls that stayed in place until early July before being lifted through negotiation. GPT-5.6 got White House clearance to launch just a day before it shipped. Yet by AISI's own account, the Sol jailbreaks look more severe than what tripped up Fable 5. Anthropic's flaw mainly unlocked vulnerability identification. OpenAI's unlocks autonomous exploitation. So far, no equivalent controls have followed.
OpenAI is not pretending the model is unbreakable. Its own launch materials concede there is no such thing as perfect security, and the company says it spent more than 700,000 GPU hours on automated red-teaming aimed at finding universal jailbreaks before anyone else could. Its defense is layered: trained refusals, real-time classifiers on risky output, continuous monitoring, and what it calls rapid remediation once a new jailbreak surfaces.
Access is still limited. OpenAI rolled Sol out first to a small group of vetted partners, whose identities it shared with US government officials, before promising broader availability within weeks. Pricing puts Sol at five dollars per million input tokens and thirty dollars per million output tokens, with cheaper Terra and Luna variants underneath it for teams that don't need the top tier.
The industry keeps building cybersecurity models and testing them with the same institute, and the same pattern keeps repeating: strong benchmark numbers, a jailbreak found within days, a public disclosure, and a launch that proceeds anyway. Whether that pattern holds once Sol reaches a wider audience than a handful of vetted partners is the next thing worth watching.
Also read: Anthropic Limits Claude Fable 5 Access as It Runs Out of Compute • UK Safety Regulator Finds Jailbreaks That Turn GPT-5.6 Sol Into a Hacking Tool • Databricks Hits $188 Billion Valuation With New $3 Billion Coatue Round