UK Institute: AI cyber skills doubling every 4.7 months

The UK AI Security Institute (AISI) reported in a February 2026 update that AI models’ ability to complete cyber tasks doubled every 4.7 months from late 2024. The institute said an earlier internal estimate from November 2025 had put the doubling period at eight months. Two recent models, Anthropic’s Claude Mythos Preview and OpenAI’s GPT-5.5, “substantially exceeded both doubling rate trends,” AISI wrote, while adding it is unclear whether that marks a faster long-term trajectory.

AISI based its finding on a time-horizon benchmark that measures how often models complete cyber tasks of different lengths relative to the time a human expert would take. The tests include activities such as reverse engineering and web exploits carried out in self-contained environments. A model must succeed at least 80% of the time to be counted as capable of completing a task of a given length.

To keep results comparable across versions, AISI limited model inputs to 2.5 million tokens. The institute noted the token cap lowers measured success rates; without the cap, success rates become so high that calculating time horizons is not possible. The longest tests currently run to 12 hours, and AISI said those experiments are already too short to identify when model reliability would decline on much longer tasks. The institute is developing new evaluation methods to address those gaps.

The recent model releases have raised concern within the security community. The launch of Claude Mythos prompted questions about whether defenders can keep pace, and OpenAI released a security-focused GPT-5.5 Cyber in a limited preview restricted to security professionals. Rik Ferguson, vice president of security intelligence at Forescout, described AI tools as “a standard part of the attacker toolkit.”

AISI urged faster investment in defensive measures, writing, “The time to invest in strong security baselines is now.” Lee Klarich, chief technology officer at Palo Alto Networks, wrote that AI-driven cyberattacks are likely to become routine in the coming months and called for urgent action to prepare for a surge in vulnerabilities.

The institute said it remains uncertain how the pace of AI improvement will continue or how model capabilities will translate against real-world systems, since the benchmark does not include all capabilities an attacker might need. AISI emphasized that rapid growth was consistent across models, methodological choices and independent data, and recommended organizations accelerate investment in security controls and testing as the tools change.