OpenAI Daybreak: CBA, Westpac test cyber defences

Commonwealth Bank and Westpac are using OpenAI’s Daybreak model to probe their own systems for cyber weaknesses, AFR reported on Tuesday. The trials place agentic AI inside two of the country’s most heavily regulated technology environments, where even modest changes to security tooling draw scrutiny from prudential and corporate regulators.

The model launch itself is less significant than where the model has landed. Australian banking operates under layered obligations — APRA resilience standards, fraud reporting, anti-money laundering controls — and the decision by CBA and Westpac to let an AI system suggest attack paths or automate parts of a defender workflow shows agentic tooling is now shipping into production security programmes, not just appearing in vendor slide decks.

OpenAI is positioning Daybreak around GPT-5.5-Cyber, which scored 82.7 per cent on Terminal-Bench 2.0 — a jump from 75.1 per cent for the earlier GPT-5.4-Cyber, BankInfoSecurity reported. The outlet noted that GPT-5.4-Cyber was designed for a human-in-the-loop defender workflow, while GPT-5.5-Cyber is built to operate more autonomously inside authorised environments.

“GPT-5.4-Cyber was built for a defender workflow, with humans in the loop. GPT-5.5-Cyber in Daybreak moves toward agentic operation.” — Pete Luban, BankInfoSecurity

For Australian banks the shift is more consequential than faster triage. A tool that chains together reasoning, testing and follow-up actions blurs the line between an assistant that advises security analysts and a system that executes pieces of a runbook. Security teams in finance already navigate the tension between resilience obligations and tight change controls; the boundary between advisory tooling and operational execution will be watched by regulators and risk committees alike.

On its Daybreak product page, OpenAI said enterprises want stronger reasoning and more automated execution within existing security workflows. Chief information security officer Dane Knecht said the company’s cyber capabilities could deliver “more agentic execution” to teams working through established controls. Separately, in a note on GPT-5.5 with trusted access for cyber, OpenAI said individual users on its most permissive cyber tier must enable Advanced Account Security from 1 June 2026.

Neither CBA nor Westpac has publicly detailed the scope of their Daybreak testing — whether the tool is confined to internal red-team exercises, sandboxed testing, or broader security operations. The distinction matters. A bank can extract value from an AI system that spots weaknesses and recommends follow-up steps without handing it direct control over production systems, customer data or incident response decisions. Cybersecurity Dive reported that analyst Jeff Pollard framed the tool as one more way for stretched security teams to handle fast-moving threats.

For CBA and Westpac the immediate signal is that experimentation with agentic cyber tooling is already underway inside Australian finance, even with limited public detail on what those tests involve. That gives the Daybreak launch a sharper local angle than a standard model release: major institutions with little tolerance for loose controls or untested processes are already trying the product.

Whether these systems stay confined to tightly supervised security tasks or extend deeper into daily defence operations will be the next test. Two of Australia’s largest banks are evaluating OpenAI’s newest cyber model inside real security workflows right now, and vendor promises about agentic defence are starting to meet demand from regulated enterprises.