OpenAI restricts Cyber access after criticizing Anthropic for limiting Mythos

In a surprising turn of events, OpenAI has decided to restrict access to its cybersecurity tool Cyber, despite earlier criticism of rival Anthropic for doing the same with its Mythos tool. This move has sparked debate about consistency and transparency in the AI industry.

The controversy behind OpenAI restricts Cyber access

Just weeks after OpenAI CEO Sam Altman dismissed Anthropic’s decision to limit Mythos as “fear-based marketing,” the company announced it would roll out GPT-5.5 Cyber only to “critical cyber defenders.” Altman confirmed this on X (formerly Twitter) on Thursday, revealing a stark policy reversal.

Critics quickly pointed out the irony. When Anthropic restricted Mythos, Altman called the tactic unnecessary and overblown. Now, OpenAI is following the same playbook, raising questions about double standards in the industry.

How the Cyber tool works and who gets access

OpenAI’s Cyber tool is designed for advanced cybersecurity tasks, including penetration testing, vulnerability identification, and malware reverse engineering. The application process requires users to submit credentials and planned use cases to gain access.

According to OpenAI’s website, the tool aims to help companies find security holes and test defenses. However, the company fears misuse by malicious actors, which is why access is limited.

The Trusted Access for Cyber (TAC) program

OpenAI has introduced the TAC program to verify legitimate users. A spokesperson told TechCrunch that the system has scaled to thousands of verified defenders and hundreds of teams responsible for protecting critical software. These users can access GPT-5.5 for cybersecurity tasks with fewer safeguards.

The TAC program is tiered, meaning that “critical defenders with legitimate defensive use cases” can apply for access to dedicated models like GPT-5.4-Cyber and the forthcoming GPT-5.5-Cyber.

Industry reactions and the Anthropic comparison

When Anthropic restricted Mythos, Altman called the approach fear-based. Some critics agreed, saying Anthropic’s rhetoric was overblown. Ironically, an unauthorized group reportedly gained access to Mythos anyway, undermining the security rationale.

Now, OpenAI faces similar skepticism. Critics argue that restricting access doesn’t prevent misuse but instead limits innovation. Others point out that the move could be seen as a marketing tactic, just as Altman accused Anthropic of doing.

Building on this, OpenAI says it’s working with the U.S. government to expand access. The company plans to identify more users with legitimate cybersecurity credentials, potentially making Cyber more widely available in the future.

What this means for the cybersecurity landscape

OpenAI restricts Cyber access at a time when cybersecurity threats are escalating. The decision highlights the tension between making powerful tools available for defense and preventing their misuse by attackers.

As a result, the industry is watching closely. Will OpenAI’s TAC program succeed where Anthropic’s failed? Or will restricted access lead to similar breaches and criticism?

For now, the focus remains on balancing security with accessibility. Companies like IBM Security and CrowdStrike offer similar tools but with different access models, suggesting there’s no one-size-fits-all solution.

Ultimately, the debate over OpenAI restricts Cyber access reflects broader questions about AI governance. As tools become more powerful, the challenge is to ensure they’re used responsibly without stifling innovation.

Hackers Actively Exploit Critical cPanel Vulnerability: Millions of Websites at Risk

A severe security flaw in cPanel and WebHost Manager (WHM) is now under active exploitation by malicious hackers. This cPanel bug exploit allows attackers to bypass login screens and seize full control over web servers. Security researchers warn that tens of millions of websites worldwide could be affected, especially those on shared hosting platforms.

Canada’s national cybersecurity agency has issued an urgent advisory, stating that exploitation is “highly probable.” The vulnerability, tracked as CVE-2026-41940, gives hackers remote, unrestricted access to the administration panel of the software. This means they can manipulate databases, emails, and configurations of any domain hosted on the server.

How the cPanel Vulnerability Works

The cPanel bug exploit specifically targets the authentication mechanism of cPanel and WHM. By sending specially crafted requests, an attacker can bypass the login screen entirely. Once inside, they gain the same high-level privileges as a legitimate administrator.

This is particularly dangerous because cPanel and WHM have deep access to server resources. They manage everything from email accounts to DNS settings and database servers. Consequently, a successful hack can lead to data theft, defacement, or even using the server for further attacks.

cPanel’s maker has urged all customers to apply patches immediately. The bug affects all supported versions of the software, meaning no version is safe without the update.

Web Hosting Companies Respond

Major hosting providers have moved quickly to protect their users. Namecheap, one of the largest domain registrars and hosting companies, temporarily blocked access to customer cPanel panels after learning of the flaw. This gave the company time to patch systems before attackers could exploit the vulnerability.

Similarly, HostGator confirmed it patched its infrastructure and described the bug as a “critical authentication-bypass exploit.” Both companies have advised customers to ensure their own servers are updated if they manage them directly.

KnownHost Reports Early Exploitation Attempts

One hosting provider, KnownHost, found evidence that hackers had been probing the vulnerability for weeks before the public disclosure. CEO Daniel Pearson stated on Reddit that attempts to exploit the bug date back to February 23. The company blocked access to affected systems and applied patches.

Pearson noted that around 30 servers showed signs of unauthorized access attempts out of thousands on the network. However, he emphasized that these were attempts, not full compromises. This indicates that while the cPanel bug exploit is dangerous, swift action can prevent damage.

What You Should Do Now

If you use cPanel or WHM to manage your website, immediate action is critical. First, check with your web hosting provider to confirm they have applied the latest security patches. Many commercial hosts have already done this, but it’s worth verifying.

For those who self-host, update cPanel and WHM to the latest version immediately. The patch addresses CVE-2026-41940 and other related security issues. Additionally, consider enabling two-factor authentication (2FA) for an extra layer of security.

It’s also wise to review server logs for any suspicious activity, especially from February 23 onward. Look for unexpected login attempts or changes to administrative accounts. If you find anything unusual, contact your hosting provider or a security professional.

For more on securing your web server, check out our guide on hardening your cPanel server. You might also find useful information about common web hosting vulnerabilities to stay ahead of threats.

The Bigger Picture: Shared Hosting Risks

This incident highlights a persistent risk in shared hosting environments. When a vulnerability like this cPanel bug exploit is discovered, it can affect thousands of websites on the same server. Hackers can potentially move laterally between accounts, compromising multiple domains at once.

Therefore, website owners should consider isolating their sites with virtual private servers (VPS) or dedicated hosting if security is a top priority. For now, patching remains the most effective defense.

Stay vigilant. The cybersecurity landscape changes rapidly, and proactive measures are your best bet against exploitation.

Commercial AI Models Show Rapid Gains in Vulnerability Research

The landscape of cybersecurity is shifting at an unprecedented pace. While much attention has focused on elite, non-public frontier AI systems like Anthropic’s Claude Mythos, commercial AI models are quietly making remarkable strides in vulnerability research. According to new findings from Forescout‘s Verde Labs, these widely available tools are now capable of identifying and exploiting security flaws that once required deep human expertise.

Just a year ago, the picture looked very different. Verde Labs reported that 55% of AI models failed basic vulnerability research tasks, and a staggering 93% could not generate working exploits. Fast forward to 2026, and the situation has transformed dramatically. Today, all tested models can complete vulnerability research assignments, and half can autonomously produce functional exploits.

The Rise of Autonomous Exploit Generation

This rapid progress is not just incremental—it represents a fundamental shift in what commercial AI can achieve. Forescout evaluated 50 different AI models, spanning commercial, open-source, and even underground variants. The standout performers were Claude Opus 4.6 and Kimi K2.5, both of which can now find and exploit vulnerabilities without requiring complex prompts. This ease of use makes them accessible to inexperienced attackers, lowering the barrier to entry for cybercrime.

“These are widely available AI models exceeding human capability,” said Rik Ferguson, VP of Security Intelligence at Forescout. However, he cautioned that their performance may not yet match the scale, speed, and quality of Anthropic’s Claude Mythos, which remains in a class of its own.

Real-World Discovery: New Zero-Day Vulnerabilities

During testing, Forescout’s team used single prompts combined with the RAPTOR agentic framework—an open-source AI system designed for cybersecurity research—alongside the firm’s own extensions. This approach led to the discovery of four new zero-day vulnerabilities in OpenNDS, a widely deployed network management system. Notably, one of these flaws existed in code that Verde Labs had already manually analyzed and missed entirely.

This finding underscores a critical point: AI can spot weaknesses that even experienced human researchers overlook. As a result, organizations must rethink their assumptions about software security.

Cost Dynamics: Commercial vs. Open-Source AI

Commercial AI models delivered the best results in Forescout’s testing, but they come with a hefty price tag. Claude Opus 4.6, for instance, costs up to $25 per million output tokens. On the other hand, open-source alternatives like DeepSeek 3.2 handle basic tasks at a fraction of the cost—with all test tasks costing less than $0.70. Meanwhile, access to Claude Mythos will be priced at $25 per million input tokens and $125 per million output tokens for participants.

Therefore, a practical strategy is emerging: using different models based on task complexity and budget. Both defenders and attackers can now mix and match AI tools to optimize cost and capability.

Implications for Cybersecurity Defenders

Building on these findings, Forescout warned that if its research can uncover new vulnerabilities with open models—and if larger initiatives like Project Glasswing can surface thousands of zero-days in critical software—then organizations should assume their environments already contain unknown vulnerabilities. AI will inevitably find them, whether used by ethical researchers or malicious actors.

This means that proactive vulnerability research is no longer optional. Companies must invest in AI-driven security tools and continuous monitoring to stay ahead. For more on securing your infrastructure, check out our guide on AI security best practices.

What This Means for the Future

The democratization of vulnerability research through commercial AI models presents both an opportunity and a threat. On one hand, it empowers defenders to find and fix flaws faster than ever before. On the other hand, it equips attackers with powerful capabilities that require minimal expertise.

As Ferguson noted, the genie is out of the bottle. The key question is not whether AI will find vulnerabilities, but who will find them first. To learn about the latest trends, read our analysis on emerging cyber threats in 2026.

In conclusion, the rapid gains in commercial AI for vulnerability research signal a new era in cybersecurity. Organizations must adapt quickly, leveraging AI for defense while preparing for a world where software flaws are discovered at machine speed.