Google dropped Sec-Gemini at Cloud Next 2026 (April 22), entering a three-way race with OpenAI's GPT-5.4-Cyber (launched April 16) and Anthropic's Claude Mythos Preview (launched April 7). For CISOs evaluating AI-powered security tools, this isn't just vendor competition—it's a fundamental shift in how enterprises find, fix, and defend against vulnerabilities at scale.
The stakes: OpenAI's Trusted Access for Cyber program has already helped defenders fix 3,000+ vulnerabilities. Anthropic's Mythos Preview found a 27-year-old OpenBSD bug that survived millions of automated security tests. Google's Sec-Gemini promises sub-5-second agent responses with on-chip memory and security-specific training data.
Here's what CISOs, CTOs, and security leaders need to know about each model—and how to decide which one belongs in your security stack.
The Three Models: What Each Vendor Claims
Google Sec-Gemini (Announced April 22, 2026)
What it is: Security-focused variant of Gemini 3.2 integrated into Google's SecOps platform (formerly Chronicle), built on the SecLM (Security Language Model) platform.
Training data: Security blogs, threat intelligence reports, YARA/YARA-L detection rules, SOAR playbooks, malware scripts, vulnerability information, product documentation.
Key claim: Sub-5-second agent responses using on-chip memory (Google's 8th-gen TPU), integrated with Google Cloud's data and security capabilities.
Availability: Part of Gemini Enterprise Agent Platform (generally available later 2026).
OpenAI GPT-5.4-Cyber (Launched April 16, 2026)
What it is: Fine-tuned variant of GPT-5.4 trained to be "cyber-permissive" for verified defenders only, delivered through Trusted Access for Cyber (TAC) program.
Training approach: Built on GPT-5.3-Codex, the first model classified as "High" cyber capability under OpenAI's Preparedness Framework; TAC access has since expanded to thousands of verified defenders.
Key claim: Helped fix 3,000+ vulnerabilities through TAC program; democratized access to defensive capabilities while preventing misuse.
Availability: Restricted access (requires identity verification, clear KYC criteria, trusted access vetting).
Anthropic Claude Mythos Preview (Launched April 7, 2026)
What it is: General-purpose model strikingly capable at computer security tasks; part of Project Glasswing effort to secure critical software.
Capabilities demonstrated: Zero-day vulnerability discovery in every major OS and browser; 27-year-old OpenBSD bug found; 4-vulnerability chain exploits; JIT heap sprays; race condition exploits; ROP chain attacks.
Key claim: Non-experts with no formal security training used Mythos Preview to develop working exploits overnight; 181 successful exploits vs Opus 4.6's 2 on the same benchmark.
Availability: Highly restricted (240-page system card, coordinated vulnerability disclosure process, Project Glasswing vetted partners).
Performance Comparison: What They Can Actually Do
For CISOs evaluating these models, capabilities matter more than marketing. Here's what we know from published benchmarks and real-world deployments:
Vulnerability Discovery (Finding Zero-Days)
Anthropic Mythos Preview:
- Found zero-days in every major OS and browser (Windows, Linux, macOS, Chrome, Firefox, Safari)
- Oldest discovered: 27-year-old OpenBSD bug (patched 7.8/025_sack)
- Complexity: 4-vulnerability chains, JIT heap sprays, race conditions, KASLR bypasses
- Success rate: 181 working exploits on Firefox 147 vulnerabilities (vs Opus 4.6: 2 exploits)
OpenAI GPT-5.4-Cyber:
- TAC program helped defenders fix 3,000+ vulnerabilities (cumulative, not just GPT-5.4-Cyber)
- Cyber-specific safeguards: Automated classifier-based monitors reroute high-risk traffic to GPT-5.2 fallback
- No published benchmark on zero-day discovery rate (program prioritizes defensive use, not offense)
Google Sec-Gemini:
- No published vulnerability discovery benchmarks yet (model just announced)
- Training data includes vulnerability information, malware scripts, detection rules
- Focus appears to be SecOps workflows (threat intelligence, incident response) vs exploit development
Verdict for CISOs: If your priority is finding undiscovered vulnerabilities in legacy codebases, Mythos Preview has the strongest published track record. If you need defensive tooling integrated with existing SecOps workflows, Sec-Gemini's Google Cloud integration may offer faster deployment. If you want vetted access with built-in safeguards, GPT-5.4-Cyber's TAC program provides the clearest governance framework.
Exploit Development (Turning Vulnerabilities Into Working Code)
Anthropic Mythos Preview:
- FreeBSD NFS remote code execution: 20-gadget ROP chain split across multiple packets
- Linux privilege escalation: Subtle race conditions + KASLR bypasses
- Web browser escapes: Renderer + OS sandbox bypasses with complex JIT heap sprays
- Non-expert success: Anthropic engineers with no formal security training developed working exploits overnight
OpenAI GPT-5.4-Cyber:
- Codex Security (research preview): Identifies and fixes vulnerabilities at scale
- Focus: Defensive exploitation (proof-of-concept to demonstrate risk, not weaponization)
- Built-in safeguards prevent misuse (automated rerouting to less capable model for high-risk requests)
Google Sec-Gemini:
- No published exploit development benchmarks (model announced <24 hours ago)
- SecOps focus suggests defensive workflows (detection, response) vs offensive security
Verdict for CISOs: If you need to validate that a theoretical vulnerability is actually exploitable in production, Mythos Preview has the demonstrated capability. If you're prioritizing defensive security tooling that won't be weaponized, GPT-5.4-Cyber's safeguards and Sec-Gemini's SecOps integration offer clearer risk boundaries.
Integration & Deployment (Practical Enterprise Use)
Google Sec-Gemini:
- Platform: Integrated into Google SecOps (formerly Chronicle), part of Gemini Enterprise Agent Platform
- Infrastructure: 8th-gen TPU with on-chip memory (sub-5-second agent responses)
- Data integration: Google Cloud security telemetry, Vertex AI, existing SecOps workflows
- Availability: General availability later 2026
- Deployment advantage: If you're already on Google Cloud + Chronicle, native integration = faster time-to-value
OpenAI GPT-5.4-Cyber:
- Platform: API-based access through Trusted Access for Cyber (TAC) program
- Requirements: Identity verification, KYC compliance, trusted access vetting (objective criteria, not arbitrary)
- Safeguards: Automated classifier-based monitoring, fallback to GPT-5.2 for high-risk requests
- Codex Security: Research preview for identifying/fixing vulnerabilities at scale
- Deployment advantage: API-first = integrate with any SIEM, ticketing, or SecOps platform
Anthropic Claude Mythos Preview:
- Platform: API-based access (restricted)
- Requirements: Project Glasswing vetting, coordinated vulnerability disclosure agreement
- Documentation: 240-page system card (safety evaluations, capability assessments, risk mitigation)
- Deployment advantage: Highest demonstrated capability, but most restrictive access (by design)
Verdict for CISOs: If you're on Google Cloud and need fast deployment, Sec-Gemini's native integration is the easiest path. If you need multi-platform flexibility, GPT-5.4-Cyber's API-first approach fits any stack. If you're a critical infrastructure defender or large enterprise willing to vet with Project Glasswing, Mythos Preview offers cutting-edge capability.
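Whichever vendor you pick, API-based models tend to sit behind a thin adapter in the SecOps pipeline, so the vendor choice stays swappable. The sketch below illustrates that pattern only; `Finding`, `SecurityModel`, and `StubModel` are hypothetical names standing in for a real vendor SDK, not any actual API.

```python
from dataclasses import dataclass
from typing import Protocol


@dataclass
class Finding:
    source: str       # e.g. "SIEM", "scanner", "EDR"
    severity: str     # e.g. "high"
    description: str


class SecurityModel(Protocol):
    """Common interface a team might put in front of any vendor's API."""
    def triage(self, finding: Finding) -> str: ...


class StubModel:
    """Stand-in for a real vendor client (Sec-Gemini, GPT-5.4-Cyber, etc.)."""
    def triage(self, finding: Finding) -> str:
        return f"[{finding.severity.upper()}] {finding.description}"


def enrich_alert(model: SecurityModel, finding: Finding) -> dict:
    """Attach model triage output to an alert before it hits the ticket queue."""
    return {"source": finding.source, "triage": model.triage(finding)}
```

Keeping the adapter interface vendor-neutral means a hybrid deployment (or a later vendor switch) is a one-class change rather than a pipeline rewrite.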
Cost & Access: Who Can Actually Use These Models?
For CFOs and security budget owners:
Google Sec-Gemini
- Pricing: Not yet announced (part of Gemini Enterprise Agent Platform)
- Access: General availability later 2026, likely tied to Google Cloud + SecOps subscriptions
- Expected cost model: Per-agent pricing (similar to Vertex AI), infrastructure costs (TPU compute)
- Estimated range: $200-500/agent/month + compute (based on comparable Google Cloud AI services)
OpenAI GPT-5.4-Cyber
- Pricing: Standard OpenAI API pricing (GPT-5.4: $25/million input tokens, $125/million output tokens)
- Access: Restricted (Trusted Access for Cyber program requires vetting)
- Approval timeline: Individual defenders (days-weeks), enterprise teams (weeks-months)
- Estimated cost: $500-2,000/month for typical security team (100K-500K tokens/month)
Anthropic Claude Mythos Preview
- Pricing: Standard Anthropic API pricing (Opus 4.7: $5/million input, $25/million output)
- Access: Highly restricted (Project Glasswing vetting, critical infrastructure priority)
- Approval timeline: Likely months for enterprise approval (240-page disclosure review required)
- Estimated cost: $200-1,000/month for security research (Mythos likely priced similar to or higher than Opus)
Budget reality check: Security AI models aren't cheap, but OpenAI claims they're 17-57x cheaper than equivalent human security work. If your team spends $500K/year on penetration testing or vulnerability research, a $50K/year AI subscription that delivers results 10x faster is an easy ROI case.
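As a sanity check on those estimates, token-based pricing is simple arithmetic. The sketch below plugs in the GPT-5.4 list prices quoted above; the traffic volume (10M input / 2M output tokens per month) is an assumed workload for illustration, not a vendor figure.

```python
def monthly_token_cost(input_tokens: int, output_tokens: int,
                       input_price_per_m: float,
                       output_price_per_m: float) -> float:
    """Monthly API spend from token volume and per-million-token prices."""
    return ((input_tokens / 1_000_000) * input_price_per_m
            + (output_tokens / 1_000_000) * output_price_per_m)


# GPT-5.4 list prices from above: $25/M input, $125/M output.
# Assumed workload: 10M input + 2M output tokens per month.
cost = monthly_token_cost(10_000_000, 2_000_000, 25, 125)
# 10 * $25 + 2 * $125 = $500/month
```

Swapping in the Opus-class prices ($5/M input, $25/M output) for the same workload gives $100/month, which is why the Anthropic estimates above skew lower despite the higher-capability model.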
Use Case Fit: Which Model for Which Security Workflow?
For VPs of Security and Security Architects:
✅ Choose Google Sec-Gemini if:
- You're already on Google Cloud + Chronicle SecOps
- Priority: Threat intelligence, incident response, detection engineering
- You need sub-5-second agent responses for real-time workflows
- Integration with Google Cloud security telemetry is critical
- You prefer platform-native tools vs best-of-breed APIs
✅ Choose OpenAI GPT-5.4-Cyber if:
- You need multi-platform integration (works with any SIEM/ticketing system)
- Priority: Defensive security, vulnerability remediation at scale
- You want built-in safeguards to prevent misuse
- Your team can meet identity verification requirements
- You value OpenAI's track record (3,000+ vulnerabilities fixed via TAC program)
✅ Choose Anthropic Claude Mythos Preview if:
- You're defending critical infrastructure or high-value targets
- Priority: Finding zero-days in legacy code before attackers do
- You need exploit validation to understand real-world risk
- Your security team has expertise to handle advanced capabilities responsibly
- You're willing to undergo Project Glasswing vetting process
Hybrid strategy: Many enterprises will use multiple models for different workflows. Example: Sec-Gemini for threat intelligence + incident response, GPT-5.4-Cyber for vulnerability remediation, Mythos Preview for critical asset penetration testing.
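A hybrid strategy like that can start as nothing more than a routing table. The workflow keys and model identifiers below are placeholders for whatever clients you actually provision, not real endpoint names.

```python
# Hypothetical workflow-to-model routing table for a hybrid deployment.
WORKFLOW_ROUTES = {
    "threat_intel":      "sec-gemini",
    "incident_response": "sec-gemini",
    "vuln_remediation":  "gpt-5.4-cyber",
    "critical_pentest":  "mythos-preview",
}


def route_workflow(workflow: str, default: str = "gpt-5.4-cyber") -> str:
    """Pick the model for a security workflow; fall back to the default."""
    return WORKFLOW_ROUTES.get(workflow, default)
```

Centralizing the mapping in one table makes the inevitable re-evaluation (new model releases, pricing changes) a config edit rather than a code change.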
Security & Risk Considerations (CRITICAL for CISOs)
The elephant in the room: These models are dual-use. They can defend AND attack. Here's how each vendor addresses risk:
Google Sec-Gemini
- Safeguards: Security-specific training data (threat intelligence, detection rules), integrated with Google Cloud IAM
- Risk mitigation: Platform controls (who can deploy agents, what data they access), audit logging
- Unknown: No published details yet on jailbreak resistance or adversarial attack defenses
OpenAI GPT-5.4-Cyber
- Safeguards: Automated classifier-based monitors, high-risk requests rerouted to GPT-5.2 fallback model
- Access control: Identity verification (KYC), trusted access vetting, objective criteria (not arbitrary)
- Risk mitigation: Preparedness Framework (models classified by cyber capability level), iterative deployment
- Transparency: Public documentation of safeguards, deployment safety reports
Anthropic Claude Mythos Preview
- Safeguards: 240-page system card (safety evaluations, capability assessments, risk mitigation)
- Access control: Project Glasswing vetting, coordinated vulnerability disclosure agreements
- Risk mitigation: Critical infrastructure priority, responsible disclosure process (99% of discovered vulnerabilities not yet disclosed publicly)
- Transparency: Unprecedented technical detail (red team blog post, AISI UK evaluation)
CISO takeaway: All three vendors take security seriously, but approaches differ. Google relies on platform controls. OpenAI uses automated monitoring + vetting. Anthropic uses restrictive access + disclosure agreements. Choose based on your risk tolerance and compliance requirements.
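OpenAI-style classifier rerouting reduces to a simple pattern: score each request, and send high-risk traffic to a less capable fallback model. The sketch below uses a keyword stub in place of a trained classifier, and both model names are placeholders; it shows the control flow, not any vendor's actual enforcement.

```python
# Keyword stub standing in for a trained risk classifier.
HIGH_RISK_TERMS = {"exploit", "weaponize", "ransomware"}


def risk_score(prompt: str) -> float:
    """Fraction of high-risk terms present in the prompt (0.0 to 1.0)."""
    words = set(prompt.lower().split())
    return len(words & HIGH_RISK_TERMS) / len(HIGH_RISK_TERMS)


def select_model(prompt: str, threshold: float = 0.3) -> str:
    """Reroute high-risk prompts to the fallback model."""
    return "fallback-model" if risk_score(prompt) >= threshold else "cyber-model"
```

A production version would run the classifier server-side, out of the caller's control, which is the property that makes this a safeguard rather than a suggestion.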
Decision Framework: 5 Questions CISOs Should Ask
Before committing budget to any security AI model:
1. What's our primary security workflow need?
- Threat intelligence + incident response → Sec-Gemini (SecOps integration)
- Vulnerability remediation at scale → GPT-5.4-Cyber (Codex Security)
- Zero-day discovery in legacy code → Mythos Preview (proven track record)
2. What's our existing infrastructure?
- Google Cloud + Chronicle → Sec-Gemini (native integration, faster deployment)
- Multi-cloud or cloud-agnostic → GPT-5.4-Cyber or Mythos Preview (API-first)
- AWS or Azure → GPT-5.4-Cyber (vendor-neutral API) or Mythos Preview (Claude models available via AWS Bedrock)
3. What's our risk tolerance for offensive capabilities?
- Low tolerance → Sec-Gemini (detection-focused) or GPT-5.4-Cyber (built-in safeguards)
- Medium tolerance → GPT-5.4-Cyber (vetted access, automated monitoring)
- High tolerance + expertise → Mythos Preview (most capable, most restrictive access)
4. What's our security team's skill level?
- No formal security training → Sec-Gemini or GPT-5.4-Cyber (safer guardrails)
- Experienced security engineers → Any model (can leverage advanced capabilities responsibly)
- Red team / penetration testers → Mythos Preview (matches their workflow, validates exploitability)
5. What's our budget and timeline?
- Need deployment in Q2 2026 → GPT-5.4-Cyber (available now via TAC)
- Can wait until H2 2026 → Sec-Gemini (general availability later 2026)
- No timeline pressure, critical infrastructure → Mythos Preview (vetting may take months)
What Early Adopters Are Saying
Real-world feedback from security teams (limited data, all models <2 weeks old):
Google Sec-Gemini:
- Too early for production feedback (announced April 22, 2026)
- Preview access likely limited to Cloud Next 2026 attendees + Google Cloud partners
OpenAI GPT-5.4-Cyber:
- TAC program scaled to "thousands of verified defenders and hundreds of teams"
- 3,000+ vulnerabilities fixed (cumulative across TAC program, not just GPT-5.4-Cyber)
- OpenAI: "Engineers with no formal security training have asked [the model] to find remote code execution vulnerabilities overnight"
Anthropic Claude Mythos Preview:
- Anthropic engineers with no formal security training: "Woken up the following morning to a complete, working exploit"
- UK AISI evaluation: "Continued improvement in capture-the-flag challenges and significant improvement on multi-step cyber-attack simulations"
- 27-year-old OpenBSD bug discovered (survived millions of automated security tests)
Sources
- Google Cloud Next 2026: Gemini Enterprise Agent Platform announcement
- OpenAI Official Blog: Trusted Access for the Next Era of Cyber Defense
- Anthropic Red Team: Claude Mythos Preview Technical Details
- The Hacker News: OpenAI Launches GPT-5.4-Cyber with Expanded Access
- Forbes: OpenAI's New GPT-5.4-Cyber Raises The Stakes For AI And Security
- UK AISI: Our Evaluation of Claude Mythos Preview's Cyber Capabilities
The Bottom Line
For CISOs: The security AI race just became a three-way competition. Google Sec-Gemini offers platform integration for Google Cloud customers. OpenAI GPT-5.4-Cyber provides vetted access with safeguards for multi-platform use. Anthropic Mythos Preview delivers cutting-edge capability for critical infrastructure defenders.
The right choice depends on your infrastructure, risk tolerance, and security workflow priorities. Most enterprises will adopt a hybrid approach: use Sec-Gemini for threat intelligence, GPT-5.4-Cyber for vulnerability remediation, and (if vetted) Mythos Preview for critical asset penetration testing.
One thing is clear: AI-powered vulnerability discovery is no longer experimental. It's production-ready infrastructure. The question isn't whether to adopt security AI—it's which model fits your enterprise security strategy best.
Next steps:
- Evaluate existing infrastructure (Google Cloud vs multi-cloud)
- Identify primary security workflow needs (detection vs remediation vs red team)
- Request access to appropriate TAC/Glasswing/Sec-Gemini programs
- Pilot with small security team before enterprise-wide rollout
- Budget for 2027: Security AI is becoming mandatory infrastructure, not optional tooling
