We're beginning a limited preview of the GPT‑5.6 series: Sol, our flagship model; Terra, a balanced model for everyday work; and Luna, a fast and affordable model. Terra has competitive performance to GPT‑5.5 while being 2x cheaper and Luna brings strong capability at our lowest cost.
GPT‑5.6 Sol launches with our most robust safety stack to date. We strengthened protections for higher-risk activity, sensitive cyber requests, and repeated misuse, and spent multiple weeks finding weaknesses, pressure-testing our system, and hardening it against real-world attacks.
We believe in broad access, and we plan to make GPT‑5.6 Sol, Terra, and Luna generally available in the coming weeks. As part of our ongoing engagement with the U.S. government, we previewed our plans and the models’ capabilities ahead of today’s launch. At their request, we are starting with a limited preview for a small group of trusted partners whose participation has been shared with the government, before releasing more broadly. During this preview, we will continue testing and coordinating closely with partners as we work toward broader availability. We don’t believe this kind of government access process should become the long-term default. It keeps the best tools from users, developers, enterprises, cyber defenders, and global partners who need them. We are taking this short-term step because we believe it is the strongest path to broader availability in the coming weeks, while we work with the Administration to develop the cyber Executive Order framework and a repeatable process for future model releases.
GPT‑5.6 Sol is our strongest model yet. To give a preview of model performance, we share a set of evaluations highlighting improved agentic capabilities in coding, biology, and cybersecurity, with additional safety and preparedness evaluations available in our system card(在新視窗中開啟). We will share an expanded suite of evaluation results when we make the model broadly available.
With GPT‑5.6, we’re introducing a new max reasoning effort to give Sol the most time to reason deeply. Additionally, we’re introducing a new ultra mode that goes beyond the capabilities of a single agent by leveraging subagents to accelerate complex work.
For coding workflows, GPT‑5.6 Sol sets a new state of the art on Terminal‑Bench 2.1, which tests command-line workflows requiring planning, iteration, and tool coordination.
GPT‑5.6 Sol also shows broad improvements in biology workflows. On GeneBench v1, which evaluates long-horizon genomics and quantitative-biology analyses, it achieves stronger results than GPT‑5.5 while using fewer tokens.
GPT‑5.6 Sol is our most capable model yet for cybersecurity. It shifts the performance-efficiency frontier for long-horizon security tasks including vulnerability research and exploitation. On ExploitBench², GPT‑5.6 Sol is competitive with Mythos Preview using only ~1/3 of the output tokens. On ExploitGym(在新視窗中開啟)3, a benchmark created by UC Berkeley researchers in collaboration with OpenAI and other frontier labs, GPT‑5.6 Sol, Terra, and Luna models all demonstrate strong improvements in cyber capabilities as we increase reasoning.
We developed GPT‑5.6 Sol, Terra and Luna with our most robust safeguards to date, with configurations matched to each model’s capabilities. As the model becomes more capable, we design safeguards to increasingly hold up to real-world adversarial pressure while preserving access to legitimate work such as code review, vulnerability research, patch development, debugging, security education, and defensive testing. Our goal is to make prohibited offensive activity more difficult, uncertain, and detectable without unnecessarily limiting those beneficial uses. Based on our assessment of the model and safeguards, we expect substantial benefit for legitimate defensive work, while meaningfully constraining prohibited offensive use.
GPT‑5.6 Sol is better at helping people find and fix vulnerabilities than reliably carrying out end-to-end attacks. As these capabilities continue to advance, our priority is to make sure they reach and benefit defenders, who can use these tools to find weaknesses, develop patches, and strengthen systems more broadly.
GPT‑5.6 Sol does not cross the Cyber Critical threshold under our Preparedness Framework. In evaluations involving Chromium and Firefox, it identified bugs and exploitation primitives—the building blocks of an exploit—but did not autonomously produce a functional full-chain exploit under the conditions tested. Still, benchmark thresholds cannot capture every way a model may be used or combined with other tools. That uncertainty, along with the model’s broader step change in capabilities, is why we are pairing the model’s increased capabilities with stronger safeguards and a phased release. We share more details about our safeguards in the GPT‑5.6 Preview system card(在新視窗中開啟).
No single safeguard is sufficient against determined or adaptive misuse. Across the GPT‑5.6 preview, we use layered safeguards, with exact configurations varying across models, and pressure-test them for real-world attacks. These include protections trained into the model, real-time checks during generation, account-level signals, differentiated access, monitoring, enforcement, and continued testing.
GPT‑5.6 is trained to refuse prohibited cyber assistance, including when users attempt to disguise their intent or jailbreak the model. These model-level safeguards establish the first boundary around what the model should and should not help with.
Real-time cyber and biology misuse classifiers provide another layer by evaluating output as it is generated. For higher risk cases, if they detect a potential violation, the generation may be paused while a larger reasoning model reviews the conversation and its context. If the output is assessed as disallowed, it is withheld before it reaches the user.
Flagged activity can also trigger account-level review across relevant conversations and risk signals, consistent with our terms and policies around content retention and review. Looking beyond a single conversation helps our systems distinguish persistent malicious behavior from legitimate dual-use security work, where similar technical concepts may appear in very different contexts.
Together, these layers make the overall approach more robust than any one safeguard on its own. Model behavior reduces the likelihood of harmful responses, real-time systems can intervene during generation, account-level review can identify broader patterns, and differentiated access preserves important defensive work without making the most sensitive capabilities broadly available by default.
Especially during the preview, users may encounter safeguards that block or refuse some requests. Other requests may take longer because generation is paused for additional review. Safeguards may occasionally intervene on legitimate work, particularly in dual-use areas where defensive and offensive activity can initially look similar.
That is part of what the preview is designed to test. We want to understand not only whether the safeguards constrain misuse, but whether legitimate users can still complete normal work reliably and efficiently. Feedback during the preview will help us reduce unnecessary blocks and delays, improve how the safeguards interpret context, and create a smoother experience before wider release.
We are also working with enterprise customers on longer-term approaches—including privacy-preserving detection, customer-operated safety controls, and access calibrated to the risk of a customer, user, or workload—to advance safety while supporting enterprise privacy requirements.
即使攻擊者改變策略,防護措施也需要保持有效。對於前沿模型而言,只能應對一組固定已知攻擊的保護並不足夠穩健。
因此,我們正以前所未有的智能與運算能力投入安全與防護工作,利用自己的模型更快找出弱點並改進防護措施。我們投入超過 700,000 小時 A100 等效 GPU 時間進行自動化紅隊演練,目標是找出通用越獄攻擊:這類攻擊可在多種提示詞或情境中奏效,而不只適用於某個狹窄設定。聚焦於這些更困難、更具通用性的攻擊,讓我們能夠在一組固定已知失效情況以外測試防護措施。這亦讓我們能探索遠超單靠人工測試可涵蓋的攻擊模式,更早識別失效模式,並縮短從發現弱點到處理弱點的流程。
除了自動化紅隊演練,我們亦與第三方測試人員合作,由真人專家進行大規模紅隊演練;這項工作將在預覽期間持續進行。真人紅隊演練讓具創意的專家嘗試以我們系統未必能預見的方式濫用模型,藉此補足自動化工作對防護措施的測試。
沒有任何評估能涵蓋所有產品配置、多步驟攻擊或真實世界工作流程。因此,我們維持快速應對流程,用於重現、評估、排定優先次序並修補新發現的越獄攻擊,然後將其加入持續評估,讓我們日後可針對類似失效情況進行測試。
預覽期間,GPT‑5.6 模型初期將透過 API 和 Codex,向一小組受信任的合作夥伴及機構開放。我們計劃很快向使用 ChatGPT、Codex 和 API 的用戶更廣泛開放這些模型。
在 GPT‑5.6 引入的全新命名系統中,數字代表模型世代,而 Sol、Terra 和 Luna 則代表可按各自節奏演進的持久能力層級。整個系列讓用戶和開發人員在智能、速度與成本之間有更清晰的選擇。
GPT‑5.6 按三種模型大小以每 100 萬個 Token 收費:Sol 為輸入 $5/輸出 $30;Terra 為輸入 $2.50/輸出 $15;Luna 為輸入 $1/輸出 $6。GPT‑5.6 亦引入更可預測的提示詞快取,包括支援明確的快取斷點,以及 30 分鐘最低快取有效期。對於 GPT‑5.6 及其後模型,快取寫入按模型未快取輸入費率的 1.25 倍收費,而快取讀取則繼續享有快取輸入 90% 折扣。
我們亦將於 7 月在 Cerebras 上推出 GPT‑5.6 Sol,速度最高可達每秒 750 個 Token,以前所未有的速度為客戶帶來前沿智能。在我們擴充容量期間,初期只會向經篩選的客戶開放使用權限。
我們期待在這段預覽期間繼續學習,並很快將 GPT‑5.6 Sol、Terra 和 Luna 帶給更多人。
1. 我們透過觀察模型在正式服務環境中的行為並進行離線模擬,估算延遲和 API 成本。這些估算會計入工具調用詳情、抽樣 Token 和輸入 Token。真實世界結果可能有很大差異,並取決於許多未納入模擬的因素。我們以高速 API 速度模擬延遲,並以一般 API 定價模擬成本。
2. 所有模型均在 ExploitBench API 評估框架下進行評估,採用 5 個種子,並啟用推理延續性。
3. 我們在 alpha API 上執行 ExploitGym;該 API 的回應輸出速度比公開 API 更快,之後再按公開 API 的速度換算。將延遲換算至公開 API 預期速度後,即使評估執行時實際上已正確遵守時限,部分估算延遲仍會超過 2 小時及 6 小時時限。對於對時間敏感的工作,如需更快速度,我們在 API 提供優先處理,並在 Codex 提供快速模式。
4. 未報告輸出 Token、延遲或成本的模型會以水平虛線表示。
