CBA and Westpac Deploy GPT-5.5-Cyber to Test Defenses

Commonwealth Bank and Westpac are using OpenAI's most capable artificial intelligence model to probe their own security infrastructure. The banks are running GPT-5.5-Cyber, internally codenamed "Daybreak," as a red-team tool to surface vulnerabilities before adversaries do.

The deployment, reported by the Australian Financial Review on May 20, positions two of Australia's largest regulated lenders as early adopters of frontier AI for offensive security testing. It is a use case that carries significant governance implications for a sector under APRA oversight.

The Anthropic factor

The banks' path to OpenAI was shaped partly by what was not available. Anthropic has its own cybersecurity intelligence program, called Mythos, designed to identify threats in financial systems and critical infrastructure. Access to Mythos has been restricted to a select group of US technology companies, leaving Australian institutions without a direct route to the platform.

Anthropic is not entirely absent from Australia's regulatory picture. The company plans to brief the Reserve Bank of Australia on Mythos' threat-detection capabilities, signaling that both AI labs are cultivating relationships with financial regulators before formal requirements emerge. Whether those briefings translate into access for domestic banks is not yet clear.

For practitioners evaluating AI security tooling, the competitive dynamic carries a practical implication. OpenAI is deploying GPT-5.5-Cyber broadly to enterprise clients while Anthropic moves through controlled access via curated partnerships. Vendor selection, in this context, carries availability and access-continuity risks that go beyond raw benchmark performance.

GPT-5.5, which LLM Stats tracks as entering the market in late April 2026 alongside a Pro variant, represents a generation where specialized builds are becoming standard. A cyber-focused variant tuned for vulnerability discovery is a materially different product from a general reasoning model, even when the underlying architecture is similar.

What this means for practitioners

Red-teaming with AI introduces a feedback loop that traditional penetration testing does not. When the attacking tool is itself an AI system, the process chain from discovery to validation to remediation must be defined before deployment, not after. Neither CBA nor Westpac has disclosed technical details of their GPT-5.5-Cyber implementation, including how model outputs are reviewed or how findings are escalated.

Any serious artificial intelligence review for a regulated deployment must address those questions. APRA's oversight of financial institutions creates documentation requirements around AI decision-making that will increasingly extend to security tooling, not only customer-facing applications. Using a frontier model to probe live banking infrastructure for real vulnerabilities is operationally useful and a compliance design challenge that few teams have yet solved.

The broader ecosystem is moving in parallel. The Open Source Security Foundation added new AI security resources and sandbox projects this week, including OSS-CRS, as part of its effort to build defensive infrastructure outside enterprise access controls. That community-level work matters as AI-assisted attack tooling scales beyond what traditional detection can track.

On the hardware side, NVIDIA's open model lineup now includes Nemotron Safety variants adopted by security vendors including CrowdStrike, Cohesity, and Fortinet. Domain-specific security AI, rather than general-purpose models repurposed for threat detection, appears to be the direction the industry is converging on.

Two major Australian banks have deployed a frontier AI model in a sensitive operational context while their regulator receives competing briefings from rival AI labs. The frameworks for logging AI-assisted vulnerability discovery, validating model outputs, and managing data access in that context are still being written. The experiment is live before the rulebook is finished.

If APRA formalizes requirements for AI in security testing before the next significant incident, CBA and Westpac's early deployment will look prescient. If something goes wrong in the meantime, the absence of disclosed governance detail will be the first question asked.

FAQ

What is GPT-5.5-Cyber and why are banks using it?

GPT-5.5-Cyber, codenamed "Daybreak," is OpenAI's AI model built for cybersecurity applications. CBA and Westpac are using it to simulate attacks on their own infrastructure and identify exploitable weaknesses before external adversaries do.

What is Anthropic's Mythos program?

Mythos is Anthropic's AI-based threat-detection system designed for financial institutions and critical infrastructure. It is currently restricted to a select group of US technology companies, which is why Australian banks turned to OpenAI instead.

Why did Australian banks choose OpenAI over Anthropic?

Anthropic restricted Mythos access to US companies, making GPT-5.5-Cyber the available option for CBA and Westpac. Anthropic plans to brief the Reserve Bank of Australia on Mythos, but broader domestic access has not been announced.

What regulatory risks come with AI-assisted security testing?

Australian financial institutions operate under APRA oversight. Deploying AI for security testing will likely require documented controls over model behavior, data access, and output validation. Current frameworks are still catching up to those requirements.