Skip to main content
AI & Machine LearningQuantum Computing

UK Banks Gain Access to OpenAI's GPT-5.5 Cyber Model

Professionals in a brightly-lit data center with server racks and a large computer screen.

Which organizations gain early access to cyber-capable AI — Anthropic’s Mythos Preview through Project Glasswing or OpenAI’s rival GPT-5.5 Cyber — is now determining who can test and harden critical infrastructure against advanced automated vulnerability-finding tools. UK banks excluded from Anthropic’s Glasswing expansion have been offered OpenAI’s GPT-5.5 Cyber instead.

Anthropic expands Project Glasswing from ~50 to 200 partners

Anthropic announced a fourfold increase in Project Glasswing’s membership, taking the program from “around 50” partners to 200. The expansion adds roughly 150 organizations drawn from 15 countries and is focused on “security shops and other tech giants, government agencies, and open-source maintainers,” the company said. Reports cited by The Register name South Korea among the countries and its science ministry, Samsung, SK Hynix, and SK Telecom among likely new inductees, though Anthropic has not published an official list.

Anthropic framed Glasswing as a tightly curated program that gives early access to its Mythos Preview model for organisations that manage critical infrastructure services, arguing that “for most partners, we estimate that a major attack could affect more than 100 million people, with important ramifications for both global and national security.” The company said each prospective partner must “pass its own security requirements” before receiving access.

UK banks offered OpenAI’s GPT-5.5 Cyber after Glasswing exclusions

The Register reports that UK banks shut out of Anthropic’s fresh intake are being offered OpenAI’s GPT-5.5 Cyber. Per the BBC, HSBC, Lloyds Banking Group, and Nationwide will receive access to GPT-5.5 Cyber; NatWest and Santander have “already been playing with it as part of separate agreements.” OpenAI reportedly offered nine UK banks access to its Mythos-rival model in total, after those banks were snubbed from Glasswing.

Only one financial institution — JPMorganChase — was named among the banks receiving access to Mythos Preview as part of Anthropic’s expansion, a disparity that has generated scrutiny in the UK. It is not clear whether the Bank of England is among the nine UK banks offered OpenAI’s model; the bank’s governor, Andrew Bailey, told Bloomberg TV last week that despite pushing for access “Anthropic has not handed over the keys to Mythos Preview.”

Divergent expert assessments of Mythos Preview’s capabilities

Anthropic launched Mythos in April and described it as “too dangerous to unleash on the public,” billing the model as an “expert bug hunter and zero-day specialist.” The company said Mythos found a 27‑year‑old OpenBSD bug during testing and identified a range of novel zero-days and critical vulnerabilities.

Early testers have offered mixed verdicts. Cloudflare CISO Grant Bourzikas wrote that the model represented “a real step forward,” and that it was “able to find a series of low-severity bugs and chain them into working exploits.” By contrast, cURL maintainer Daniel Stenberg called Mythos Preview “an amazingly successful marketing stunt” after it found one vulnerability in his project, and security expert Kevin Beaumont said the model “is not great” and “it’s marketing, essentially,” adding it was mainly effective against “vibe‑coded applications.”

Security access, politics, and the role of ENISA, CISA, and the Bank of England

The Register also reported that the EU cybersecurity agency ENISA will receive access to Mythos Preview, while the US equivalent, CISA, “is yet to be selected.” That split — ENISA in and CISA unresolved — has fed questions about how Anthropic chooses which national agencies and institutions it trusts with powerful cyber tools. Anthropic has not commented publicly on its selection approach for financial institutions.

Liam Salsi, director of architecture at Talion, told The Register he suspects the decision to exclude UK banks “was political.” He elaborated: “The US government wants to control who has access to the platform and this is largely because it will limit the chances of it falling into the wrong hands.” Salsi warned that limiting access could “ultimately leave some banks more exposed to cyber threats” and “could impact their vulnerability management, leaving larger windows of opportunities for attackers,” and he added that concentrating use on a single product “could also introduce a single point of failure in the global banking sector if every institution were using the same product.”

Anthropic acknowledged the difficulty of releasing powerful cyber-capable models to broad audiences, saying safeguards needed “to prevent the model’s cyber capabilities from being misused” have not yet been developed. “We’re working as quickly as we can to safely release Mythos-level capabilities in general access,” the company said, while also forecasting that “other AI companies will produce Mythos-level capabilities within their own models inside 6‑12 months.” Confusingly, Anthropic also stated on Friday that it would be “releasing Mythos-class models to all customers in the coming weeks,” even as it continues to expand Glasswing and its Cyber Verification Program.

The near-term landscape is now defined by competing vendor programs, selective access to high-risk tools, and contrasting public statements from vendors about timelines and safeguards. Whether the Bank of England, CISA, and a broader set of critical institutions will be brought into Anthropic’s loop — and how OpenAI’s GPT-5.5 Cyber will be used in its place — are immediate open questions with practical consequences for defensive readiness.

Source: The Register — "Anthropic ups Glasswing partner count 4x; UK banks snubbed"