Trusted access for the next era of cyber defense

We are scaling up our Trusted Access for Cyber (TAC) program to thousands of verified individual defenders and hundreds of teams responsible for defending critical software. For years, we’ve been building a cyber defense program on the principles of democratized access, iterative deployment, and ecosystem resilience. In preparation for increasingly more capable models from OpenAI over the next few months, we are fine-tuning our models specifically to enable defensive cybersecurity use cases, starting today with a variant of GPT‑5.4 trained to be cyber-permissive: GPT‑5.4‑Cyber. In this post, we share how we expect our approach of scaling cyber defense in lockstep with increasing model capabilities to guide the testing and deployment of future releases. The progressive use of AI accelerates defenders – those responsible for keeping systems, data, and users safe – enabling them to find and fix problems faster in the digital infrastructure everyone relies on. Similarly, AI is being used by attackers looking to cause harm. We've been preparing for this. Since 2023, we've supported defenders through our Cybersecurity Grant Program and strengthened safeguards through our Preparedness Framework. The same year, we started evaluating our models' cyber capabilities, and in 2025, we began including cyber-specific safeguards(opens in a new window) in our model deployments. Earlier this year, we furthered our support for defenders with the launch of Codex Security to identify and fix vulnerabilities at scale. Our approach to this continuous advancement of capabilities is guided by three principles: - Democratized access: Our goal is to make these tools as widely available as possible while preventing misuse. We design mechanisms which avoid arbitrarily deciding who gets access for legitimate use and who doesn’t. That means using clear, objective criteria and methods – such as strong KYC and identity verification – to guide who can access more advanced capabilities and automating these processes over time. Ultimately, we aim to make advanced defensive capabilities available to legitimate actors large and small, including those responsible for protecting critical infrastructure, public services, and the digital systems people depend on every day. - Iterative deployment: We learn the most by putting these systems into the world carefully and improving them over time. As we better understand both their capabilities and risks, we update our models and safety systems accordingly. This includes understanding the differentiated benefits and risks of specific models, improving resilience to jailbreaks and other adversarial attacks, and improving defensive capabilities — while mitigating harms. - Investing in ecosystem resilience: We support and accelerate the community of defenders through trusted access pathways, targeted grants, contributions to open-source security initiatives(opens in a new window), and technologies like Codex Security that help defenders more rapidly find and patch vulnerabilities. Our strategy for cybersecurity resilience and defensive acceleration For years, our cybersecurity strategy has been to invest in research, prevent misuse, and accelerate defenders. As model capabilities have advanced, we have expanded our programs toward these goals, which are grounded in the following convictions: - Cyber risk is already here and accelerating, but we can act.…