Author: 오늘의 바이브
The First-Ever 'High Risk' Rating

On February 5, 2026, OpenAI announced GPT-5.3-Codex. Its performance dominated previous models across coding benchmarks. But this release came with an unprecedented warning. Under OpenAI's internal risk assessment system, the Preparedness Framework, the cybersecurity category was rated "High".
A first in OpenAI's history. No model before this had ever received a high-risk rating in cybersecurity. Not GPT-4. Not GPT-5. GPT-5.3-Codex is the first.
OpenAI's system card states:
"This model is sufficiently skilled to enable meaningful real-world cyber harm."
The phrase "meaningful real-world harm" is the key. This is not theoretical risk. It is a real-world threat. OpenAI itself admitted that its own model could be weaponized for cyberattacks.
What Is the Preparedness Framework

The Preparedness Framework is an internal risk assessment system OpenAI introduced in late 2023. It evaluates multiple risk domains before launching a new model: cybersecurity, biological threats, persuasion, autonomy, and more.
Each domain is classified into four tiers:
| Rating | Meaning | Action |
|---|---|---|
| Low | Negligible additional risk vs. existing tools | General release |
| Medium | Some risk factors present | Release with monitoring |
| High | Real potential for substantial harm | Restricted access, extra safeguards |
| Critical | Large-scale or irreversible harm | No release |
GPT-5.3-Codex received High in cybersecurity. Not Critical, so release is possible — but with unprecedented restrictions. OpenAI acknowledged by its own standards that this model is dangerous.
Why this rating? OpenAI's explanation is straightforward. The model's coding ability is too good. Its ability to find vulnerabilities, write exploits, and generate attack tools is on a different level from anything before it.
What Changed
GPT-5.3-Codex's coding benchmark scores are staggering. OpenAI did not release all specific numbers, but what they did share reveals the scale of the leap.
SWE-bench performance improved dramatically over previous versions. In tests that involve resolving real GitHub issues, GPT-5 already surpassed the average human developer. 5.3 goes further. This is not just code generation — it is the ability to understand and modify complex codebases.
Agentic coding capabilities also took a leap. The model autonomously works in the terminal, navigates file systems, uses tools, and debugs errors. OpenAI calls these "agentic capabilities." It has moved beyond generating code from prompts to solving problems on its own.
The problem is that this ability is a double-edged sword.
When defenders use this model to find bugs and write patches, security improves. When attackers use the same model to find vulnerabilities and write exploits, attacks improve. The capability itself is neutral. The outcome depends on intent.
OpenAI is clearly aware of this. From the system card:
"There is no definitive evidence that this model can fully automate cyberattacks. However, we believe that if automated or deployed at scale, it could cause real harm."
Cannot "fully automate," but can cause "real harm." A nuanced statement. Human involvement is still required — but the amount of that involvement keeps shrinking.
Unprecedented Access Restrictions
The restrictions OpenAI placed on GPT-5.3-Codex are the tightest in its history. The contrast with previous models is stark.
General ChatGPT User Restrictions
Regular users can only access basic development features. Advanced security analysis, vulnerability detection, and exploit generation are blocked. Exactly where "basic" ends and "advanced" begins is decided internally by OpenAI.
API Access Delayed
The full API access developers have been waiting for is on hold. Previous GPT models had their APIs opened immediately after announcement. Not 5.3-Codex. OpenAI only said "further evaluation is needed." No timeline was given.
Trusted Access for Cyber Program
This is the most notable change. A new verification-based access system introduced by OpenAI. To use advanced security features, you must join this program. The requirements are strict:
- Identity verification required
- Security research track record reviewed
- Stated use case
- Consent to ongoing monitoring
OpenAI says this program will "provide advanced capabilities only to verified security professionals and block malicious users." Think of it as a licensing system. Not everyone gets to wield a powerful tool — only those who are vetted.
$10 Million Defense Investment
It is not all restrictions. OpenAI announced $10 million in API credits for cyber defense applications. Teams using the model for defensive research get free access.
Restrict offensive capability while supporting defensive capability. An attempt at balance.
The Difference from Anthropic

Around the same time, Anthropic released Claude Opus 4.6. The two companies' approaches stand in contrast.
| Category | OpenAI (GPT-5.3-Codex) | Anthropic (Claude Opus 4.6) |
|---|---|---|
| Risk disclosure | "High risk" stated in system card | Published finding of 500+ zero-days |
| Access policy | Restricted access, verification required | General API access |
| Vulnerability data | Specific numbers not disclosed | Detailed report of 500+ findings |
| Security program | Trusted Access for Cyber | Public red team reports |
| Investment focus | $10M for defense research | Security layer technology development |
Anthropic chose transparency. "Our AI found 500 zero-days in open source" — they announced it publicly. Specific vulnerabilities, discovery processes, and technical details were published in red team reports. Show the risk instead of hiding it.
OpenAI chose control. Acknowledge the risk, but restrict access. They do not disclose exactly what attacks are possible or how far automation goes. Instead, only verified users get access to advanced features.
Which is right? There is no clear answer. Anthropic's approach lets the community recognize and prepare for risks. But it also gives information to attackers. OpenAI's approach prevents misuse, but defenders also struggle to understand the model's real capabilities.
Both companies are trying to answer the same question: "How do you responsibly deploy powerful AI?" They just arrived at different answers.
Why 'High Risk' Now
GPT-5.3-Codex getting the first "high risk" rating is no accident. Multiple factors converged at once.
The Leap in Agentic Capability
Previous models focused mainly on "code generation." Give them a prompt, they spit out code. GPT-5.3-Codex is different. It navigates file systems, executes terminal commands, analyzes errors, and fixes them on its own. It is closer to an autonomous agent.
In a cyberattack scenario, this difference is massive. Before, an attacker would ask the AI for exploit code and execute it manually. Now, the AI can explore on its own, find vulnerabilities, test them, and produce working exploits. Human involvement decreases.
Expanded Context Window
GPT-5.3-Codex handles a far longer context than its predecessors. Why does this matter for security? Because it can analyze large codebases in one pass.
To find a vulnerability, you need to understand the entire flow of the code. If function A calls function B, B calls C, and a buffer overflow occurs in C, you need to grasp the context from A to C. A short context makes this analysis impossible. A long context makes it possible.
Tool Use Capability
GPT-5.3-Codex is proficient at using external tools. It invokes debuggers, fuzzers, network scanners — security tools — interprets results, and decides next steps. The tools have existed for a long time. An AI that autonomously combines and uses them is new.
Depth of Code Comprehension
This goes beyond knowing syntax. It grasps the intent behind algorithms, identifies design flaws, and pinpoints logical errors. Just as Anthropic's Claude understood a conceptual flaw in the LZW compression algorithm and found the bug, GPT-5.3-Codex has reached a similar level.
All these factors combined mean that AI has reached a level where it is practically useful for cyberattacks. OpenAI's "high risk" rating is an acknowledgment of this reality.
Attack Scenarios

What could happen if GPT-5.3-Codex is misused? OpenAI did not publish specific scenarios, but security experts point to several possibilities.
Automated Zero-Day Discovery
An attacker feeds the model the source code of specific software and says "find vulnerabilities." The model generates a candidate list. This used to require specialized knowledge — reading assembly, understanding memory structures, running fuzzers. Now the AI handles it.
Exploit Code Generation
Finding a vulnerability and building an exploit are different tasks. Even with a known vulnerability, exploiting it requires precise code. GPT-5.3-Codex can generate that code. From proof of concept to functional attack code.
Social Engineering Automation
Phishing emails, malicious websites, convincing fake messages. AI is already used to generate this content. GPT-5.3-Codex adds technical sophistication. It analyzes a target's technical environment and designs tailored attack vectors.
Attacks at Scale
The biggest threat is scale. A human hacker can analyze a handful of targets per day. AI can analyze thousands. Even if individual attack sophistication is low, scale compensates. Hacking ten thousand people poorly can be more profitable than hacking one person perfectly.
OpenAI imposed restrictions to prevent these scenarios. But can they block all misuse? Jailbreaks, bypasses, proxies — there are many evasion techniques. Perfect prevention is impossible.
Defense Scenarios
The same capabilities serve defense. That is exactly why OpenAI is investing $10 million.
Automated Code Auditing
Run AI code reviews before release. Catch patterns that human reviewers miss. Especially effective in large codebases. Reviewing millions of lines of code manually is impractical. AI does it in hours.
Existing static analysis tools do similar work. Semgrep, SonarQube, CodeQL. But they rely on predefined rules. "Flag this pattern when it appears." Novel vulnerability classes, bugs not in the rule set — they slip through.
GPT-5.3-Codex is different. It works from understanding, not rules. "What is this code trying to do? Does it behave as intended? What happens in edge cases?" It can answer these questions. It finds vulnerabilities that have not been defined yet.
Legacy Code Review
Old code is a treasure trove of vulnerabilities. Code written twenty years ago. Code whose author left the company. Code with no documentation. AI can analyze it and surface potential issues.
The problem with legacy code is missing context. Nobody knows why it was written that way. No comments, no docs. To modify it, you have to understand it from scratch. That takes time.
AI reads the code and infers context. "This function probably serves this purpose, and this variable likely means this." It might be wrong, but it provides a starting point. It lightens the burden on human reviewers.
Threat Intelligence
When a new vulnerability is disclosed, AI searches your codebase for similar patterns. "Does our code have a problem like this CVE?" Work that takes humans days takes AI minutes.
Remember the Log4Shell incident. When the Log4j JNDI injection vulnerability was disclosed, companies worldwide scrambled to determine whether they were using Log4j. Not just direct usage — dependencies of dependencies had to be checked. It took weeks.
AI shortens this process. It understands vulnerability patterns and searches the entire codebase for similar ones. Direct calls, indirect calls, variations — it finds them all.
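The "dependencies of dependencies" check described above can be sketched as follows. This is an added example, not code from the article or from any vendor: it parses text in the layout printed by `mvn dependency:tree` and reports every chain that pulls in `log4j-core`, direct or transitive. The `com.example` coordinates and all version strings in the sample are constructed, and whether a reported version is affected must be decided from the advisory being handled.

```python
import re

TARGET = "org.apache.logging.log4j:log4j-core"  # artifact being hunted

# Constructed sample in the text layout printed by `mvn dependency:tree`.
# The com.example coordinates and every version string are made up.
SAMPLE_TREE = r"""
[INFO] com.example:shop:jar:1.0.0
[INFO] +- com.example:web-starter:jar:1.4.0:compile
[INFO] |  +- com.example:audit-client:jar:3.2.1:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-core:jar:0.0.0-sample:compile
[INFO] |  \- com.example:json-util:jar:2.0.0:compile
[INFO] \- org.apache.logging.log4j:log4j-api:jar:0.0.0-sample:compile
[INFO] com.example:batch:jar:1.0.0
[INFO] \- org.apache.logging.log4j:log4j-core:jar:0.0.0-sample:runtime
"""

# Three characters of indent per ancestor level, then "+- " or "\- ".
LINE = re.compile(
    r"^(?P<indent>(?:[| ]  )*)(?P<marker>[+\\]- )?"
    r"(?P<coord>[^\s:]+(?::[^\s:]+){3,5})$"
)

def parse_coord(coord):
    """Split group:artifact:type[:classifier]:version[:scope]."""
    parts = coord.split(":")
    version = parts[-1] if len(parts) == 4 else parts[-2]
    return f"{parts[0]}:{parts[1]}", version

def find_chains(tree_text, target=TARGET):
    """Return each occurrence of target with its chain from the module root."""
    stack, hits = [], []
    for raw in tree_text.splitlines():
        line = re.sub(r"^\[INFO\] ?", "", raw).rstrip()
        m = LINE.match(line)
        if not m:
            continue  # banner, blank or summary line
        depth = len(m["indent"]) // 3 + (1 if m["marker"] else 0)
        name, version = parse_coord(m["coord"])
        del stack[depth:]  # climb back up to this node's parent
        stack.append(name)
        if name == target and depth > 0:
            hits.append({"module": stack[0], "version": version,
                         "direct": depth == 1, "chain": list(stack)})
    return hits

if __name__ == "__main__":
    for hit in find_chains(SAMPLE_TREE):
        kind = "direct" if hit["direct"] else "transitive"
        print(f"{hit['module']}: {kind} {hit['version']} via {' -> '.join(hit['chain'])}")
```

The transitive hit is the one a search of a project's own build file misses: `shop` never declares `log4j-core`, yet ships it through two intermediate libraries.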
Enhanced Penetration Testing
Test systems from an attacker's perspective. AI tries various attack vectors and reports successful paths. Combined with human pentesters, effectiveness multiplies.
Penetration testing is expensive. It requires specialized personnel and takes time. So most companies run it only once or twice a year. New vulnerabilities that emerge in between go unnoticed.
AI makes continuous penetration testing possible. Test automatically with every deployment, every code change. Lower cost means higher frequency. Security posture improves.
In the end, it is the same tool. Whether it becomes a shield or a sword depends on who wields it and with what intent.
The Shadow of Regulation
GPT-5.3-Codex's "high risk" rating will likely ignite regulatory discussions.
The EU AI Act already enforces regulations on high-risk AI systems. AI used in healthcare, finance, and law enforcement must meet strict requirements. How should AI with cyberattack capabilities be classified?
Currently, the AI Act does not explicitly classify cybersecurity as a high-risk domain. But the emergence of models like GPT-5.3-Codex could change that. The developer itself admitted that "this AI can be exploited for cyberattacks."
Discussions have started in the United States too. The Biden administration's AI executive order imposes reporting obligations on dual-use technologies. Cyberattack capability is a textbook dual-use case. It serves both defense and offense.
OpenAI's preemptive response might be a move to avoid regulation. The message: "We imposed restrictions first, so the government does not need to step in." Whether it works remains to be seen.
China is another variable. While US companies self-impose restrictions, Chinese AI firms may not follow suit. Pressure builds to relax restrictions to avoid falling behind in the technology race.
The tension between AI safety and AI competitiveness. GPT-5.3-Codex's "high risk" rating has brought this tension to the surface.
Conclusion: The Rubicon Has Been Crossed
GPT-5.3-Codex receiving a "high risk" rating is not a technical achievement. It is a declaration that a line has been crossed.
AI has reached a level where it is practically useful for cyberattacks. This is OpenAI's own assessment. Not a third party's claim — the developer's admission. It is no longer the hypothetical "AI could be used for hacking." It is the reality of "it can be, so we are restricting it."
How do we live with this reality?
OpenAI chose controlled access. Only verified users get advanced capabilities. Invest in defense research. Strengthen monitoring. It might work. It might fail. Jailbreaks and bypasses are always possible.
Anthropic chose transparency. Disclose the risks and let the community prepare. That might work too. Or it might backfire. You are handing attackers a roadmap.
Time will tell which approach is right. What is certain is that both face the same problem. How to responsibly deploy powerful AI. A question with no clear answer.
GPT-5.3-Codex's "high risk" rating is a warning. As AI capability grows, so does the risk. The two cannot be separated. An AI that is great at coding can also be great at hacking. An AI that finds bugs can also exploit them.
The Rubicon has been crossed. Now we must decide how to live on the other side.
Sources:
- OpenAI GPT-5.3-Codex warns unprecedented cybersecurity risks — Fortune
- Introducing GPT-5.3-Codex — OpenAI
- Introducing Trusted Access for Cyber — OpenAI
- Preparedness Framework — OpenAI
- Anthropic's Claude Opus 4.6 uncovers 500 zero-day flaws — Axios
- EU AI Act: High-Risk AI Systems — European Commission