The AISI State of AI report May, 2026: offensive cyber capability doubling every 4 months. What the numbers actually mean

[Louise84]

The UK AI Security Institute published its State of AI report for May 2026 with a finding that has circulated heavily this week: AI offensive cyber capability, as measured by benchmark progression, is doubling approximately every 4 months.

Claude Mythos Preview completed 3 of 10 end-to-end corporate network simulations. GPT-5.5 completed 2 of 10. The simulations use no active defenders. The AISI noted current benchmarks cannot discriminate between frontier models without adding adversarial defensive layers.

State of AI: May 2026

https://press.airstreet.com/p/state-of-ai-may-2026

[Compass]

4 months doubling on offensive cyber means the capability landscape from 8 months ago is already 4x less relevant as a reference point. Security assumptions built on last year's AI are broken

[Sparrow]

The no-active-defenders caveat is important but limited comfort. The benchmark establishes what is possible. Real attacks include defenders who are also increasingly using AI

[Tara_66]

3 of 10 end-to-end corporate network compromises without defenders is the proof-of-concept level, not the operational deployment level. Both matter for different threat modelling purposes

[ReacherBadger]

Current benchmarks not discriminating between frontier models at this task means the field does not yet have the measurement tools to track the capability precisely. That is a research gap with policy implications

[Pete14]

The defensive side needs the same investment urgency as the offensive side is demonstrating. Project Glasswing finding 10,000 vulnerabilities defensively is the right response but the scale needs to match the threat