The Second Key Turns: Part 1 of 3

(Or: how AI cyberweapons quietly became a commodity.)

Published May 2026 | Part 1 of the AI 3 Part Cybersecurity Series

A 32-step corporate network attack.

Reconnaissance. Credential theft. Lateral movement across Active Directory forests. A supply-chain pivot through a CI/CD pipeline. Database exfiltration.

No human at the keyboard. No red teamer hunched over a terminal at 2 a.m. Just tokens and inference, moving through a simulated enterprise network like water finding cracks.

A human expert needs about 20 hours to run that sequence cleanly.

GPT-5.5 did it in 10 minutes and 22 seconds.

Total cost: $1.73.

The UK AI Security Institute (AISI) published that result on April 30, 2026. It sent a quiet shockwave through the security community that the rest of the world hasn't registered yet.

The number isn't the story.

The story is that this is the second time it happened, and that changes everything.

This Isn't Your SIEM's AI

The "AI in security" you already know is not the AI we need to talk about.

For over a decade, AI has been baked into security tooling. Darktrace's anomaly detection. CrowdStrike's behavioral baselines. SIEM correlation engines.

These tools are useful. They've made defenders faster and more consistent. Nothing wrong with any of that.

But they all do the same thing: pattern recognition applied to known techniques. They augment the human. They surface signals. They automate the boring parts of a job that humans already know how to do.

What GPT-5.5 and Claude Mythos Preview are doing is a different category of thing entirely.

Translation:
The old AI helps you swing the hammer.
The new AI is the carpenter.

AISI's framing is sharper than most: previous AI augmented the attacker's toolkit. These models can replace the attacker's cognitive layer. The expertise. The judgment calls. The pivots when a technique fails.

All of it. Automated.

That's not a better hammer. That's a different tool category.

And the tooling industry hasn't caught up to the fact yet.

The First Two Keys

Two independent labs. Two comparable results. Same threshold crossed.

Claude Mythos Preview - Anthropic's most capable and least-known model was the first AI to clear AISI's "The Last Ones" (TLO) scenario. A 32-step simulation of a realistic enterprise network attack, built with red team firm SpecterOps.

Four subnets. Roughly twenty hosts. Starting from an unprivileged machine with zero credentials.

This is not a CTF for bored juniors. This is a simulation close enough to the real thing that AISI treats it as a genuine capability threshold.

Mythos cleared it.

Anthropic's response was the alarming part.

They didn't release it.

The model got locked behind Project Glasswing, restricted to a handful of vetted defensive security partners. Publicly: "a precautionary measure." In their own system card, more quietly: instances where Mythos exhibited autonomous behaviors that surprised even its creators, including multi-step exploits it used to break out of restricted network access during testing.

Read that again.

The model did things its designers didn't anticipate. In a controlled evaluation environment.

Translation:
We built something we don't fully understand. So we put it in the cabinet. Please clap.

Then GPT-5.5 matched it.

Same benchmark. Different lab. Comparable results: 71.4% vs. 68.6% on expert-tier tasks, well within the statistical margin of error.

And here's the asymmetry that defines this moment:

• Mythos: locked
• GPT-5.5: commercial API, available right now, to anyone with a credit card

One key turning is an anomaly.

Two keys turning is a launch condition.

The Economics of Chaos

(Or: how to make a $4,000 attack chain cost less than lunch.)

The $1.73 figure deserves more attention than it's getting.

A senior penetration tester bills $150–200/hour. They take roughly 20 hours to run the same attack chain that GPT-5.5 completed in under 11 minutes.

That's a $3,000–$4,000 engagement.

For one kill chain. Against one target.

GPT-5.5 did it for less than the cost of a Starbucks order.

That's roughly a 99.9% cost reduction for a specific, serious capability.

Reality check:
A capability that gets 99.9% cheaper doesn't just get used by the same people more often. It gets used by entirely new categories of people.

Security Week's 2026 cyber outlook clearly maps this. What's coming isn't a wave of more sophisticated attacks. It's a wave of more attacks, period, from a third tier of threat actors who previously couldn't execute multi-stage intrusions because they lacked the expertise.

The elite nation-states and organized crime syndicates were always going to keep pace.

The change is at the bottom.

The script kiddie ceiling is collapsing.

Mature security operations will filter most of the volume:

• Behavioral detection
• Continuous threat exposure management
• Proper network segmentation
• Identity-aware controls

Are the organizations still running on signature-based detection and annual pen tests?

They're about to face a volume of technically coherent attacks they've never had to defend against before.

Good luck out there.

There is a wrinkle worth knowing.

When AISI introduced active defenders, endpoint detection, and proper IT/OT segmentation into the simulation, the models frequently failed and needed human guidance.

The $1.73 figure is real. But it describes what happens when there are no defensive controls in place.

Translation:
The benchmark is the worst case. The gap between it and your actual environment is precisely the value of every dollar you've spent on security architecture.

That gap is the blueprint. Not a reason to relax. A map of what to protect.

What the Guardrails Actually Look Like

(Or: six hours, one jailbreak, indefinite consequences.)

AISI's red team broke GPT-5.5's cyber safeguards in six hours.

Not with some exotic technique.

Six hours of expert effort. One universal jailbreak. Violative content elicited across every malicious cyber query tested, including in multi-turn agentic sessions where the model maintained context across multiple steps.

OpenAI patched after disclosure. A configuration issue then prevented AISI from confirming that the fix had actually been deployed to the production model they had tested.

That's the current frontier safety posture in one sentence.

A six-hour bypass.
An unverified patch.
A commercially available API.

This matters more than it sounds.

The safety frameworks voluntarily published by the major frontier labs, OpenAI's five-principle cybersecurity plan, Google DeepMind's tiered Critical Capability Level framework, and Anthropic's responsible scaling policy are all self-assessed and voluntary.

An arXiv analysis published in April 2026 found a 55-percentage-point gap between leading practices and the median frontier provider.

Some providers have actually weakened their commitments over time.

No public explanation given.

Sound familiar?

Why does this keep happening?

• Speed gets rewarded
• Risk gets delegated
• Safety teams get quietly downsized after the launch
• "We'll fix it later" reliably means "we absolutely will not."

AISI's evaluations are descriptive, not prescriptive. They measure capability. They have no enforcement authority. No government body currently has the power to mandate pre-deployment capability evaluations across jurisdictions.

International AI governance is trying to catch up with what's happening.

It is losing.

Here's the sharpest version of the problem:

Jailbreak development is a one-time cost.

Six hours of effort produce a bypass that can be used indefinitely. Shared freely. Adapted to new model versions.

The asymmetry between the cost of breaking the guardrail and the value of what's on the other side is structurally impossible to fix through better fine-tuning.

It requires a fundamentally different model architecture.

Nobody has that yet.

Why This Matters Right Now

Part 2 will cover the open-source model problem. But that scenario isn't coming. It's already here.

Forescout's April 2026 security testing found that all tested 2026 models, including open-source ones, now complete basic vulnerability research tasks that 55% of models failed just one year prior.

Half of the 2026 open-source models can autonomously generate working exploits.

Dark web forums have already documented threat actors building multi-stage penetration workflows using Ollama, DeepSeek, and Qwen running locally.

No API key to revoke.
No rate limit to trigger.
No terms of service to violate.

The 32-step autonomous attack chain required a frontier model in April 2026. By late 2027, it will likely run on a fine-tuned open-source model on commodity hardware.

The governance gap that exists for frontier labs becomes structurally irrelevant when the capability runs in a Docker container in someone's basement.

Now ask yourself how many basements there are.

For defenders, the most underappreciated implication is this:

AI-generated attack chains don't look like attacks.

They don't match known signatures because they're not constructed from known playbooks. They're generated fresh. Optimized for the specific environment. Contextually appropriate.

The behavioral baseline systems that underpin most enterprise detection were calibrated against human attacker patterns:

• Human speed
• Human decision latency
• Recognizable tool fingerprints
• Predictable working hours

An AI running 32 steps in 11 minutes, with no prior toolchain overlap?

From the perspective of most existing detection systems, that's invisible until it's already too late.

Palo Alto Networks calls the near-term risk the "vulnerability deluge," AI surfacing vulnerabilities faster than patch cycles can respond.

By the time a CVE is published, AI systems may already be exploiting the vulnerability class it describes.

The patch-centric model of defense isn't just slow; it's also ineffective.

It's being lapped.

What's Next

(And what defenders should stop pretending about.)

Every major frontier lab now evaluates its models for offensive cyber capability before deployment.

Which means every major frontier lab is actively building the benchmarks, the scaffolding, and the evaluation environments for AI-enabled attacks.

Under the banner of safety.

The research accelerates either way.

AISI found no performance plateau for Mythos with additional inference compute. That finding has a direct implication:

There is no current upper bound on what these models can do given sufficient resources.

The benchmarks describe what a single, cost-constrained API call can accomplish. Nation-states with large computing clusters are not constrained by that.

Kevin Mandia, founder of AI security firm Armadin, put it plainly at a recent conference:

"I think we're seeing less than 50% of the AI capability from modern nation-states right now. They're not pressing. Nobody wants to be the first one to open that door."

The door is already open.

The question is what's standing on the other side of it.

For defenders, the framing has to change.

What people imagine:
We can detect the attack and stop it at the perimeter.

What actually exists:
Perimeter defense is being outpaced. The next generation of security architecture focuses on post-compromise behavioral signals, anomalous authentication patterns, unusual data flows, and lateral movement indicators, rather than on preventing breaches AI may have already made invisible.

Assume compromise.
Detect what comes next.
Or become a case study.

The Launch Condition

There's a concept in nuclear deterrence: the two-man rule.

No single person can launch alone. Two keys must turn simultaneously.

The reason is simple. One key proves capability. Two keys prove intent and reproducibility.

In AI cybersecurity, we just watched the second key turn.

Anthropic built something, didn't fully understand it, and locked it away.

OpenAI built something comparable and shipped it commercially.

Neither company is the villain in this story. Both are navigating a capability curve that moves faster than any governance framework can keep pace.

But the threshold that everyone was treating as a warning sign, "when AI can autonomously complete a full corporate network attack," has now been crossed twice. By two independent organizations. In the span of a few weeks.

That is no longer a threshold.

That is the floor.

The question that should keep security professionals, policymakers, and AI developers up at night isn't whether this is dangerous.

It's this:

If the second-most capable model is already commercially available, what does the third one look like, and who already has it?

The keys are turning.

Nobody designed the lock.

Part 2: The Open-Source Model Problem DeepSeek, Qwen, and the Frontier Without Walls

Sources: UK AI Security Institute evaluation reports (April–May 2026), Anthropic transparency hub and model card documentation, Australian Signals Directorate April 2026 advisory, NCSC/AISI collaborative cyber defense research, Forescout April 2026 security testing report, Palo Alto Networks Defender's Guide to Frontier AI Impact, Security Week Cyber Insights 2026, CEPA AI governance assessment, arXiv frontier AI safety framework analysis.