We're beginning a limited preview of the GPT‑5.6 series: Sol, our flagship model; Terra, a balanced model for everyday work; and Luna, a fast and affordable model. Terra has competitive performance to GPT‑5.5 while being 2x cheaper and Luna brings strong capability at our lowest cost.
GPT‑5.6 Sol launches with our most robust safety stack to date. We strengthened protections for higher-risk activity, sensitive cyber requests, and repeated misuse, and spent multiple weeks finding weaknesses, pressure-testing our system, and hardening it against real-world attacks.
We believe in broad access, and we plan to make GPT‑5.6 Sol, Terra, and Luna generally available in the coming weeks. As part of our ongoing engagement with the U.S. government, we previewed our plans and the models’ capabilities ahead of today’s launch. At their request, we are starting with a limited preview for a small group of trusted partners whose participation has been shared with the government, before releasing more broadly. During this preview, we will continue testing and coordinating closely with partners as we work toward broader availability. We don’t believe this kind of government access process should become the long-term default. It keeps the best tools from users, developers, enterprises, cyber defenders, and global partners who need them. We are taking this short-term step because we believe it is the strongest path to broader availability in the coming weeks, while we work with the Administration to develop the cyber Executive Order framework and a repeatable process for future model releases.
GPT‑5.6 Sol is our strongest model yet. To give a preview of model performance, we share a set of evaluations highlighting improved agentic capabilities in coding, biology, and cybersecurity, with additional safety and preparedness evaluations available in our system card(新しいウィンドウで開く). We will share an expanded suite of evaluation results when we make the model broadly available.
With GPT‑5.6, we’re introducing a new max reasoning effort to give Sol the most time to reason deeply. Additionally, we’re introducing a new ultra mode that goes beyond the capabilities of a single agent by leveraging subagents to accelerate complex work.
For coding workflows, GPT‑5.6 Sol sets a new state of the art on Terminal‑Bench 2.1, which tests command-line workflows requiring planning, iteration, and tool coordination.
GPT‑5.6 Sol also shows broad improvements in biology workflows. On GeneBench v1, which evaluates long-horizon genomics and quantitative-biology analyses, it achieves stronger results than GPT‑5.5 while using fewer tokens.
GPT‑5.6 Sol is our most capable model yet for cybersecurity. It shifts the performance-efficiency frontier for long-horizon security tasks including vulnerability research and exploitation. On ExploitBench², GPT‑5.6 Sol is competitive with Mythos Preview using only ~1/3 of the output tokens. On ExploitGym(新しいウィンドウで開く)3, a benchmark created by UC Berkeley researchers in collaboration with OpenAI and other frontier labs, GPT‑5.6 Sol, Terra, and Luna models all demonstrate strong improvements in cyber capabilities as we increase reasoning.
We developed GPT‑5.6 Sol, Terra and Luna with our most robust safeguards to date, with configurations matched to each model’s capabilities. As the model becomes more capable, we design safeguards to increasingly hold up to real-world adversarial pressure while preserving access to legitimate work such as code review, vulnerability research, patch development, debugging, security education, and defensive testing. Our goal is to make prohibited offensive activity more difficult, uncertain, and detectable without unnecessarily limiting those beneficial uses. Based on our assessment of the model and safeguards, we expect substantial benefit for legitimate defensive work, while meaningfully constraining prohibited offensive use.
GPT‑5.6 Sol is better at helping people find and fix vulnerabilities than reliably carrying out end-to-end attacks. As these capabilities continue to advance, our priority is to make sure they reach and benefit defenders, who can use these tools to find weaknesses, develop patches, and strengthen systems more broadly.
GPT‑5.6 Sol does not cross the Cyber Critical threshold under our Preparedness Framework. In evaluations involving Chromium and Firefox, it identified bugs and exploitation primitives—the building blocks of an exploit—but did not autonomously produce a functional full-chain exploit under the conditions tested. Still, benchmark thresholds cannot capture every way a model may be used or combined with other tools. That uncertainty, along with the model’s broader step change in capabilities, is why we are pairing the model’s increased capabilities with stronger safeguards and a phased release. We share more details about our safeguards in the GPT‑5.6 Preview system card(新しいウィンドウで開く).
No single safeguard is sufficient against determined or adaptive misuse. Across the GPT‑5.6 preview, we use layered safeguards, with exact configurations varying across models, and pressure-test them for real-world attacks. These include protections trained into the model, real-time checks during generation, account-level signals, differentiated access, monitoring, enforcement, and continued testing.
GPT‑5.6 is trained to refuse prohibited cyber assistance, including when users attempt to disguise their intent or jailbreak the model. These model-level safeguards establish the first boundary around what the model should and should not help with.
Real-time cyber and biology misuse classifiers provide another layer by evaluating output as it is generated. For higher risk cases, if they detect a potential violation, the generation may be paused while a larger reasoning model reviews the conversation and its context. If the output is assessed as disallowed, it is withheld before it reaches the user.
Flagged activity can also trigger account-level review across relevant conversations and risk signals, consistent with our terms and policies around content retention and review. Looking beyond a single conversation helps our systems distinguish persistent malicious behavior from legitimate dual-use security work, where similar technical concepts may appear in very different contexts.
Together, these layers make the overall approach more robust than any one safeguard on its own. Model behavior reduces the likelihood of harmful responses, real-time systems can intervene during generation, account-level review can identify broader patterns, and differentiated access preserves important defensive work without making the most sensitive capabilities broadly available by default.
Especially during the preview, users may encounter safeguards that block or refuse some requests. Other requests may take longer because generation is paused for additional review. Safeguards may occasionally intervene on legitimate work, particularly in dual-use areas where defensive and offensive activity can initially look similar.
That is part of what the preview is designed to test. We want to understand not only whether the safeguards constrain misuse, but whether legitimate users can still complete normal work reliably and efficiently. Feedback during the preview will help us reduce unnecessary blocks and delays, improve how the safeguards interpret context, and create a smoother experience before wider release.
We are also working with enterprise customers on longer-term approaches—including privacy-preserving detection, customer-operated safety controls, and access calibrated to the risk of a customer, user, or workload—to advance safety while supporting enterprise privacy requirements.
攻撃者が戦術を変えても、安全対策は有効であり続ける必要があります。既知の攻撃だけに対応できる保護では、フロンティアモデルには十分な堅牢性がありません。
そのため当社は、自社モデルを使って弱点を見つけ、安全対策をより速く改善するため、これまで以上に高性能なモデルと計算資源を安全性向上に投入しています。当社は、ユニバーサルジェイルブレイク、つまり特定の狭い状況だけでなく多くのプロンプトや文脈で機能し得る攻撃を見つけることを目的に、自動レッドチーミングへ A100 換算で 70 万 GPU 時間超を投入しました。こうした、より難しく汎用的な攻撃に注目することで、既知の失敗事例だけでは捉えられない範囲まで安全対策をテストできました。また、人手によるテストだけでは網羅できないほど多くの攻撃パターンを探索し、失敗のパターンをより早く特定し、弱点の発見から対処までの時間を短縮できます。
自動レッドチーミングに加え、第三者のテスターと協力して人間の専門家による大規模なレッドチーミングも実施しており、これはプレビュー期間中も継続します。人間によるレッドチーミングは、当社システムが予期しない方法でモデルを悪用しようとする創造的な専門家に対して安全対策を試すことで、自動化された取り組みを補完します。
どの評価も、あらゆる製品構成、多段階攻撃、現実世界のワークフローを網羅することはできません。そのため当社は、新たに発見されたジェイルブレイクを再現、評価、優先順位付け、修正する迅速な対応プロセスを維持し、その後それらを継続的な評価に追加して、将来同様の失敗に対してテストできるようにしています。
プレビュー期間中、GPT‑5.6 モデルはまず、信頼できる一部のパートナーと組織に対して API と Codex 経由で提供されます。近く、ChatGPT、Codex、API を利用するより多くの人々に提供範囲を広げる予定です。
GPT‑5.6 で導入されたこの新しい命名体系では、数字がモデルの世代を示し、Sol、Terra、Luna がそれぞれ独立して進化する能力ティアを示します。このモデルファミリーにより、ユーザーと開発者は、性能、速度、コストの観点から、より分かりやすい選択肢を得られます。
GPT‑5.6 は、3 つのモデルサイズごとに 100 万トークン単位で価格が設定されています。Sol は入力 $5/出力 $30、Terra は入力 $2.50/出力 $15、Luna は入力 $1/出力 $6 です。GPT‑5.6 では、明示的なキャッシュブレークポイントと 30 分の最短キャッシュ有効期間のサポートを含む、より予測しやすいプロンプトキャッシュも導入します。GPT‑5.6 以降のモデルでは、キャッシュ書き込みはモデルの非キャッシュ入力料金の 1.25 倍で課金され、キャッシュ読み取りには引き続きキャッシュ入力の 90% 割引が適用されます。
また 7 月には、Cerebras 上で GPT‑5.6 Sol を最大毎秒 750 トークンで提供開始し、これまでにない速度で先進的な AI をお客様に届けます。容量を拡大する間、アクセスは当初、一部のお客様に限定されます。
このプレビュー期間から引き続き学び、GPT‑5.6 Sol、Terra、Luna を近くさらに多くの人々に届けられることを楽しみにしています。
1. 当社は、モデルの本番環境での挙動を調べ、オフラインでシミュレーションすることで、レイテンシと API コストを推定しています。これらの推定には、ツール呼び出しの詳細、サンプリングされたトークン、入力トークンが反映されています。現実世界の結果は大きく異なる場合があり、当社のシミュレーションでは捉えられていない多くの要因に左右されます。当社は、高速な API 速度でレイテンシを、通常の API 価格でコストをシミュレーションしています。
2. すべてのモデルは、ExploitBench API ハーネスを用い、5 つのシードと推論の連続性を有効にした状態で評価されています。
3. 当社は、公開 API より高速に応答を出力するアルファ版 API で ExploitGym を実行し、その後、公開 API に合わせて再スケーリングしました。公開 API の速度に合わせてレイテンシを補正すると、評価実行では正しく時間制限を守っていたにもかかわらず、一部の推定レイテンシが 2 時間および 6 時間の時間制限を超えます。時間に敏感な作業でより高速な処理が必要な場合は、API の優先処理と Codex の高速モードを提供しています。
4. 出力トークン、レイテンシ、コストが報告されていないモデルは、水平の点線としてプロットされています。
