OpenAI announced a significant expansion of its Trusted Access for Cyber (TAC) program, scaling it to thousands of verified individual defenders and hundreds of teams responsible for defending critical software infrastructure. The expansion coincides with the release of GPT-5.4-Cyber, a specialized model variant trained specifically to enable defensive cybersecurity use cases.
The company has been building its cyber defense strategy since 2023, when it began evaluating models' cyber capabilities. By 2025, OpenAI incorporated cyber-specific safeguards into model deployments. GPT-5.4-Cyber represents the latest iteration of this approach, following cyber-specific safety training introduced in GPT-5.2 and expanded through GPT-5.3-Codex and GPT-5.4, which OpenAI classified as having high cyber capability under its Preparedness Framework.
OpenAI's approach to scaling cyber defense is built on three core principles. First, democratized access aims to make advanced defensive tools widely available while preventing misuse, using clear, objective criteria such as strong know-your-customer (KYC) and identity verification to determine access levels. The company states its goal is to avoid arbitrarily deciding who can access capabilities and instead to enable advanced defensive abilities for legitimate actors of all sizes, including those protecting critical infrastructure and public services.
Second, iterative deployment prioritizes learning by carefully introducing systems into the world and improving them over time. OpenAI notes that as it better understands both capabilities and risks, it updates models and safety systems accordingly, including improvements to resilience against jailbreaks and adversarial attacks.
Third, ecosystem resilience involves supporting the defender community through trusted access pathways, targeted grants, contributions to open-source security initiatives, and tools like Codex Security to help defenders identify and patch vulnerabilities more rapidly.
OpenAI's underlying conviction is that cyber risk is already present and accelerating. The company notes that digital infrastructure has been vulnerable for years, and existing models can now help find vulnerabilities, reason across codebases, and support meaningful parts of the cyber workflow. Threat actors are experimenting with novel AI-driven approaches, and OpenAI has observed sophisticated techniques that elicit stronger capabilities through increased test-time compute.
To operationalize this approach, OpenAI treats cyber capabilities as inherently dual-use, meaning risk is not defined by the model alone but also by the user, their trust signals, and the level of access granted. The company has invested in systems to validate trustworthy users and use cases in more automated and objective ways, enabling access expansion based on evidence and trust signals rather than manual decisions.
OpenAI's recent investments in the cyber defense ecosystem include a $10M Cybersecurity Grant Program, reaching over 1,000 open-source projects with Codex for Open Source, which provides free security scanning. Codex Security, launched six months prior in private beta, continues to receive improvements as part of this expansion effort.