We're beginning a limited preview of the GPT‑5.6 series: Sol, our flagship model; Terra, a balanced model for everyday work; and Luna, a fast and affordable model. Terra has competitive performance to GPT‑5.5 while being 2x cheaper and Luna brings strong capability at our lowest cost.
GPT‑5.6 Sol launches with our most robust safety stack to date. We strengthened protections for higher-risk activity, sensitive cyber requests, and repeated misuse, and spent multiple weeks finding weaknesses, pressure-testing our system, and hardening it against real-world attacks.
We believe in broad access, and we plan to make GPT‑5.6 Sol, Terra, and Luna generally available in the coming weeks. As part of our ongoing engagement with the U.S. government, we previewed our plans and the models’ capabilities ahead of today’s launch. At their request, we are starting with a limited preview for a small group of trusted partners whose participation has been shared with the government, before releasing more broadly. During this preview, we will continue testing and coordinating closely with partners as we work toward broader availability. We don’t believe this kind of government access process should become the long-term default. It keeps the best tools from users, developers, enterprises, cyber defenders, and global partners who need them. We are taking this short-term step because we believe it is the strongest path to broader availability in the coming weeks, while we work with the Administration to develop the cyber Executive Order framework and a repeatable process for future model releases.
GPT‑5.6 Sol is our strongest model yet. To give a preview of model performance, we share a set of evaluations highlighting improved agentic capabilities in coding, biology, and cybersecurity, with additional safety and preparedness evaluations available in our system card(在新窗口中打开). We will share an expanded suite of evaluation results when we make the model broadly available.
With GPT‑5.6, we’re introducing a new max reasoning effort to give Sol the most time to reason deeply. Additionally, we’re introducing a new ultra mode that goes beyond the capabilities of a single agent by leveraging subagents to accelerate complex work.
For coding workflows, GPT‑5.6 Sol sets a new state of the art on Terminal‑Bench 2.1, which tests command-line workflows requiring planning, iteration, and tool coordination.
GPT‑5.6 Sol also shows broad improvements in biology workflows. On GeneBench v1, which evaluates long-horizon genomics and quantitative-biology analyses, it achieves stronger results than GPT‑5.5 while using fewer tokens.
GPT‑5.6 Sol is our most capable model yet for cybersecurity. It shifts the performance-efficiency frontier for long-horizon security tasks including vulnerability research and exploitation. On ExploitBench², GPT‑5.6 Sol is competitive with Mythos Preview using only ~1/3 of the output tokens. On ExploitGym(在新窗口中打开)3, a benchmark created by UC Berkeley researchers in collaboration with OpenAI and other frontier labs, GPT‑5.6 Sol, Terra, and Luna models all demonstrate strong improvements in cyber capabilities as we increase reasoning.
We developed GPT‑5.6 Sol, Terra and Luna with our most robust safeguards to date, with configurations matched to each model’s capabilities. As the model becomes more capable, we design safeguards to increasingly hold up to real-world adversarial pressure while preserving access to legitimate work such as code review, vulnerability research, patch development, debugging, security education, and defensive testing. Our goal is to make prohibited offensive activity more difficult, uncertain, and detectable without unnecessarily limiting those beneficial uses. Based on our assessment of the model and safeguards, we expect substantial benefit for legitimate defensive work, while meaningfully constraining prohibited offensive use.
GPT‑5.6 Sol is better at helping people find and fix vulnerabilities than reliably carrying out end-to-end attacks. As these capabilities continue to advance, our priority is to make sure they reach and benefit defenders, who can use these tools to find weaknesses, develop patches, and strengthen systems more broadly.
GPT‑5.6 Sol does not cross the Cyber Critical threshold under our Preparedness Framework. In evaluations involving Chromium and Firefox, it identified bugs and exploitation primitives—the building blocks of an exploit—but did not autonomously produce a functional full-chain exploit under the conditions tested. Still, benchmark thresholds cannot capture every way a model may be used or combined with other tools. That uncertainty, along with the model’s broader step change in capabilities, is why we are pairing the model’s increased capabilities with stronger safeguards and a phased release. We share more details about our safeguards in the GPT‑5.6 Preview system card(在新窗口中打开).
No single safeguard is sufficient against determined or adaptive misuse. Across the GPT‑5.6 preview, we use layered safeguards, with exact configurations varying across models, and pressure-test them for real-world attacks. These include protections trained into the model, real-time checks during generation, account-level signals, differentiated access, monitoring, enforcement, and continued testing.
GPT‑5.6 is trained to refuse prohibited cyber assistance, including when users attempt to disguise their intent or jailbreak the model. These model-level safeguards establish the first boundary around what the model should and should not help with.
Real-time cyber and biology misuse classifiers provide another layer by evaluating output as it is generated. For higher risk cases, if they detect a potential violation, the generation may be paused while a larger reasoning model reviews the conversation and its context. If the output is assessed as disallowed, it is withheld before it reaches the user.
Flagged activity can also trigger account-level review across relevant conversations and risk signals, consistent with our terms and policies around content retention and review. Looking beyond a single conversation helps our systems distinguish persistent malicious behavior from legitimate dual-use security work, where similar technical concepts may appear in very different contexts.
Together, these layers make the overall approach more robust than any one safeguard on its own. Model behavior reduces the likelihood of harmful responses, real-time systems can intervene during generation, account-level review can identify broader patterns, and differentiated access preserves important defensive work without making the most sensitive capabilities broadly available by default.
Especially during the preview, users may encounter safeguards that block or refuse some requests. Other requests may take longer because generation is paused for additional review. Safeguards may occasionally intervene on legitimate work, particularly in dual-use areas where defensive and offensive activity can initially look similar.
That is part of what the preview is designed to test. We want to understand not only whether the safeguards constrain misuse, but whether legitimate users can still complete normal work reliably and efficiently. Feedback during the preview will help us reduce unnecessary blocks and delays, improve how the safeguards interpret context, and create a smoother experience before wider release.
We are also working with enterprise customers on longer-term approaches—including privacy-preserving detection, customer-operated safety controls, and access calibrated to the risk of a customer, user, or workload—to advance safety while supporting enterprise privacy requirements.
当攻击者调整策略时,防护措施也需要继续有效。只对一组固定的已知攻击有效的保护措施,对于前沿模型来说还不够稳健。
因此,我们正以前所未有的智能和算力投入安全工作,利用自己的模型发现薄弱环节,并更快改进防护措施。我们投入了超过 700,000 个 A100 等效 GPU 小时,用于旨在发现通用越狱的自动化红队测试:这类攻击可跨许多提示或上下文生效,而不只是针对某个狭窄场景。聚焦这些更难、更通用的攻击,使我们能够在固定的已知故障集合之外测试防护措施。这也让我们能够探索远超单靠人工测试所能覆盖的攻击模式,更早识别故障模式,并缩短从发现弱点到解决弱点的路径。
除自动化红队测试外,我们还与第三方测试人员合作,开展了广泛的人类专家红队测试,并将在预览期继续进行。人类红队测试通过让有创造力的专家尝试以系统可能无法预见的方式滥用模型,来补充自动化工作。
没有任何评估能够涵盖每一种产品配置、多步骤攻击或真实工作流。因此,我们维持一套快速响应流程,用于复现、评估、排序并修复新发现的越狱问题,然后将其加入持续评估,以便未来测试类似故障。
预览期间,GPT‑5.6 模型最初将通过 API 和 Codex 面向部分可信合作伙伴与组织开放。我们计划很快向使用 ChatGPT、Codex 和 API 的用户更广泛开放这些模型。
在随 GPT‑5.6 引入的这套新命名体系中,数字表示模型的代际,而 Sol、Terra 和 Luna 表示可按各自节奏演进的稳定能力层级。整个系列让用户和开发者能够在智能、速度与成本之间作出更清晰的选择。
GPT‑5.6 按三种模型规模以每 100 万 Token 计价:Sol 为输入 5 美元 / 输出 30 美元;Terra 为输入 2.50 美元 / 输出 15 美元;Luna 为输入 1 美元 / 输出 6 美元。GPT‑5.6 还引入了更可预测的提示缓存,包括支持显式缓存断点和 30 分钟的最低缓存生命周期。对于 GPT‑5.6 及后续模型,缓存写入按模型未缓存输入费率的 1.25 倍计费,而缓存读取继续享受缓存输入 90% 的折扣。
我们还将于 7 月在 Cerebras 上推出 GPT‑5.6 Sol,最高可达每秒 750 个 Token,以前所未有的速度为客户提供前沿智能。随着我们扩展容量,访问权限最初将仅限于部分客户。
我们期待在预览期间继续学习,并很快将 GPT‑5.6 Sol、Terra 和 Luna 带给更多人。
1. 我们通过观察模型的生产行为并进行离线模拟来估算延迟和 API 成本。这些估算考虑了工具调用细节、采样 Token 和输入 Token。真实结果可能存在较大差异,并取决于许多未纳入模拟的因素。我们按高速 API 速度模拟延迟,并按常规 API 定价模拟成本。
2. 所有模型均使用 ExploitBench API 测试框架,在 5 个种子和推理连续性条件下进行评估。
3. 我们在 alpha API 上运行 ExploitGym,该 API 的响应输出速度快于公开 API,随后重新缩放以匹配公开 API。将延迟重新缩放到公开 API 预期速度时,部分估算延迟会超过 2 小时和 6 小时的时间限制,尽管在评估运行中实际遵守了这些限制。对于时间敏感型工作,如需更快速度,我们在 API 中提供优先处理,在 Codex 中提供快速模式。
4. 未报告输出 Token、延迟或成本的模型以水平虚线表示。
