The latest frontier language models promise a significant increase in reasoning, coding, tool use, and the ability to remain engaged with complex projects.
OpenAI’s GPT-5.6 family—including models identified as Sol, Terra, and Luna—has been introduced alongside ChatGPT Work, an agent designed to perform multi-step tasks across applications, files, and workflows. Anthropic’s Claude Fable 5 has similarly been described as the company’s most powerful model, with expanded access offered to paid subscribers.
For cybersecurity professionals, these capabilities should be transformational.
A sufficiently advanced model could help analyze malware, examine authentication failures, review exploitability, develop detection logic, reconstruct attack paths, investigate suspicious scripts, validate security controls, and reason across large amounts of telemetry. It could give an independent consultant capabilities that were previously available only to large security teams.
But there is a fundamental problem.
The model may possess the technical ability to perform the work, yet the guardrails surrounding it frequently prevent that ability from being used.
A request that contains language associated with exploitation, credential access, evasion, persistence, malware, phishing, or bypassing controls may trigger a refusal even when the activity is taking place inside an isolated lab, under a signed statement of work, against a system owned by the requester, or as part of a fully authorized client engagement.
The model cannot reliably verify that authorization. The safety system therefore evaluates the apparent risk of the requested action rather than the legitimacy of the professional performing it.
For the individual cybersecurity professional, this can make frontier models effectively unusable for the hands-on work where their advanced capabilities would matter most.
Capability Does Not Matter if the Professional Cannot Use It
Model evaluations often focus on capability. Can the model find vulnerabilities? Can it reason through unfamiliar code? Can it understand an attack chain? Can it operate tools? Can it remain engaged with a complex investigation?
Those measurements are important, but they do not describe the experience of the person using the deployed product.
A model can perform extremely well on a controlled cybersecurity benchmark while refusing comparable work when an individual professional requests it through a production interface.
That creates a growing difference between theoretical capability and available capability.
The model may understand exactly how a vulnerability works. It may be capable of developing a safe proof of concept. It may be able to explain which endpoint telemetry would identify an attack. But if a policy layer, classifier, system instruction, or behavioral monitor blocks the response, that capability is unavailable to the practitioner.
An unusable capability has little operational value.
The security professional does not benefit from knowing that the underlying model could have completed the task under different conditions. What matters is whether the tool can support the authorized investigation taking place now.
Authorized Security Work Often Resembles an Attack
The difficulty is not that legitimate cybersecurity professionals are asking harmless questions that are accidentally misunderstood. Much of legitimate cybersecurity work is intentionally adversarial.
A penetration tester is paid to identify and exploit weaknesses before a real attacker does. A red team may need to establish persistence, move laterally, access credentials, evade selected controls, and demonstrate business impact. A malware analyst needs to understand how malicious code behaves. A detection engineer may need to reproduce attacker techniques to determine whether monitoring systems recognize them.
An incident responder may need to deobfuscate a script, reconstruct command-and-control behavior, or identify what a credential-stealing tool attempted to collect. A product security engineer may need to develop a controlled proof of concept to determine whether a reported vulnerability is real.
The language of this work is inherently sensitive.
Terms such as “exploit,” “bypass,” “persistence,” “payload,” “credential dumping,” “evasion,” “phishing,” and “ransomware” are not optional terminology invented to provoke a model. They are part of the professional vocabulary of cybersecurity.
When safety systems react to these terms or to behavioral patterns associated with harmful activity, they inevitably encounter legitimate defensive requests.
The central problem is that an authorized attack and an unauthorized attack may use the same command, exploit the same vulnerability, or reproduce the same behavior. The difference is legal permission and scope—not syntax.
A prompt classifier cannot inspect a signed authorization document and independently determine that the requester is allowed to test a client environment. It cannot know whether an IP address belongs to the professional’s lab. It cannot confirm that a malware sample is being analyzed rather than deployed.
As a result, the system frequently chooses the safest response for the provider: refuse the request. That may reduce provider risk. It does not necessarily support the defender.
Explaining the Authorization Often Does Not Solve the Problem
Cybersecurity professionals are frequently advised to add context. They may explain that the system is owned by them, the assessment is authorized, the environment is isolated, the activity is educational, or the output will be used only for defensive purposes.
Sometimes this works. Often it does not.
The reason is understandable: a malicious user can provide exactly the same explanation. Anyone can begin a prompt with “I am an authorized security researcher.” Anyone can claim that a target is a lab. Anyone can say that a payload will be used only for defensive testing.
If a provider accepted those statements without verification, the guardrail would be trivial to evade. The model therefore cannot treat self-declared authorization as reliable evidence.
This leaves the legitimate professional in a circular problem.
The model refuses because it cannot verify authorization. The user has no mechanism through which authorization can be verified. Additional explanation may itself look like an attempt to persuade the model to cross a safety boundary.
The refusal remains even though the assessment is authorized and the use is ethical.
This is why prompt wording is not a real solution. The professional should describe the work truthfully and precisely, but no amount of careful phrasing can replace an actual authorization system.
Refusals Occur Where the Model Becomes Most Valuable
Frontier models remain useful for many general security tasks. They can summarize policies, explain common vulnerabilities, draft executive reports, review high-level architecture, suggest secure-development practices, and help organize findings.
The problem appears when the work becomes operationally specific.
A model may explain what an authentication bypass is but refuse to help validate one in a client application. It may describe command-and-control behavior but refuse to analyze or reproduce a relevant component. It may recommend testing endpoint detections but decline to produce the controlled behavior needed to trigger the alert.
It may explain phishing defense while refusing to help create a simulation for an approved awareness exercise. It may discuss credential theft at a high level while withholding the detail needed to determine whether a security product detects a specific technique.
This creates a tool that remains available for the least controversial portions of cybersecurity while becoming unreliable for the work requiring the most technical precision.
The independent practitioner does not need another system that can provide generic security advice. The internet already contains security checklists, framework summaries, vendor documentation, and vulnerability descriptions.
The value of a frontier model is supposed to come from applying advanced reasoning to a specific environment and problem. If that ability disappears whenever the problem resembles real adversary behavior, the model cannot fulfill its promise as professional cybersecurity infrastructure.
Enterprise Pathways Expose the Individual-Access Gap
Some providers offer enterprise products, managed organizational accounts, private deployments, contractual support, administrative controls, and specialized access arrangements.
These options do not necessarily remove every safety control. They do, however, give a large organization mechanisms that an individual subscriber may not have.
An enterprise can connect model access to corporate identity. It can enforce multi-factor authentication, retain centralized logs, configure data controls, negotiate contract terms, restrict tools, and contact a provider when a legitimate workflow is blocked.
A large organization can also build its own control layer around the model. It may validate users, restrict execution to owned environments, require human approval, and maintain evidence of every action.
The individual cybersecurity professional is placed in a different position.
An independent consultant may hold recognized certifications, carry professional insurance, operate a registered business, possess a signed statement of work, and have years of ethical security experience. None of that necessarily changes how a consumer-facing model evaluates a sensitive request.
The practitioner may be indistinguishable from an anonymous user.
This creates a two-tier model of AI-assisted cybersecurity. Large organizations can pursue managed and customized access, while independent professionals receive a broadly restricted product that cannot evaluate their authorization.
That gap matters because independent professionals protect a substantial part of the economy. Small businesses often rely on consultants, boutique security firms, freelance researchers, and external penetration testers precisely because they cannot maintain a large internal security team.
If advanced AI capabilities are available only through enterprise arrangements, frontier AI could widen the security gap rather than close it.
The Individual Is Left With Inadequate Alternatives
When a hosted frontier model refuses authorized work, the practitioner has several options, but none fully solves the problem.
The professional can reformulate the request, remove sensitive terminology, or divide the work into smaller questions. That may occasionally produce a useful answer, but it is inefficient and unpredictable. It can also begin to resemble an attempt to evade provider controls, which an ethical professional should avoid.
The practitioner can move the work to conventional security tools. Those tools remain necessary and often perform operational tasks better than a general language model. But this forfeits the advanced reasoning and cross-domain assistance that motivated the AI adoption.
The practitioner can operate an open-weight model locally. This provides more control, but local models may lack the capability, context length, tool integration, or reliability of the newest frontier systems. Running them securely also requires hardware, maintenance, isolation, access controls, and careful handling of client data.
The professional can complete the task manually. That remains the ultimate fallback, but it eliminates the promised productivity benefit.
None of these options answers the central question: why should an ethical professional pay for a frontier model whose most relevant capabilities become inaccessible whenever the engagement resembles real cybersecurity work?
This Is Not an Argument for Unrestricted Models
The solution is not to remove all safeguards.
An unrestricted frontier model capable of generating malware, automating exploitation, and operating tools against arbitrary targets could create serious risk. Providers are justified in preventing unauthorized access, mass compromise, destructive activity, privacy violations, and attacks on critical infrastructure.
Anthropic’s Usage Policy explicitly prohibits discovering or exploiting vulnerabilities without the system owner’s authorization, gaining unauthorized access, creating malware, developing denial-of-service or botnet tools, creating unauthorized interception systems, building persistent-access tooling, compromising systems at scale, and bypassing security controls.
The important phrase is without authorization.
The policy recognizes the conceptual distinction. The deployed access mechanism may still be unable to verify it.
The current guardrail model attempts to compensate for missing authorization data by making inferences from the prompt and requested behavior. That is safer than trusting unsupported claims, but it produces false refusals for legitimate professionals.
The industry should not choose between indiscriminate access and indiscriminate refusal. It should build a mechanism through which professional authorization can be demonstrated.
Providers Need a Verified Cybersecurity Professional Tier
Frontier-model providers should create an access category between anonymous consumer use and large enterprise contracting.
A verified professional tier should begin with legal identity. The provider should know who is requesting sensitive capability and maintain a durable account that cannot be discarded easily after misuse.
Professional evidence could include employment history, a registered consultancy, recognized certifications, professional references, insurance, or participation in an established vulnerability-disclosure program. None of those elements should be sufficient by itself, but together they can establish accountability.
The professional should accept specialized terms governing cybersecurity use. Those terms should clearly prohibit unauthorized testing, mass exploitation, destructive activity, use outside an agreed scope, and attempts to conceal model-assisted actions from clients.
For higher-risk work, the provider could require engagement-level authorization. The professional might register a client domain, cloud account, application, repository, lab, cyber range, or bug-bounty scope.
Domain control could be verified through DNS or a file placed on the target website. Cloud ownership could be demonstrated through an account-level verification process. Client engagements could include an authorization attestation and a contact capable of confirming the work.
Additional capability could be temporary and tied to that scope.
The provider could restrict tool execution to verified assets, enforce rate limits, block unrelated targets, retain complete logs, and require human approval for high-impact actions. Suspicious activity could result in immediate review or suspension.
This would not make abuse impossible. No professional licensing or verification process can guarantee intent. It would, however, create considerably more accountability than the current practice of asking a model to infer legitimacy from words in a prompt.
Authorization-Aware Guardrails Would Be Safer Than Context-Blind Refusal
A more mature system would consider several factors before allowing or refusing a request.
It would know the authenticated user, professional account status, registered engagement, authorized targets, permitted techniques, environment, requested action, and applicable rate limits.
A request involving a public target outside the registered scope would be refused. The same technique against a verified lab or client asset could be permitted inside a controlled environment.
A model might be allowed to generate a non-destructive validation method but prohibited from deploying it automatically. It might analyze malware inside an isolated sandbox with no external network access. It might develop a phishing simulation only for verified organizational domains and require approval before delivery.
Every sensitive request and tool action could be logged. The provider and professional would have evidence of who requested the activity, which target was involved, what the model produced, and whether a human approved execution.
This is more technically and operationally demanding than a refusal classifier. It is also closer to how cybersecurity already manages risk.
Penetration-testing platforms, vulnerability scanners, cloud services, and security tools do not rely entirely on the words an operator types. They use accounts, permissions, scopes, ownership, contracts, rate limits, logs, and enforceable policies.
Frontier AI should do the same.
False Refusals Should Be Treated as a Product Defect
Providers measure whether models comply with malicious requests. They should also measure whether models refuse legitimate authorized work.
These are different failure modes. Unsafe compliance creates security risk. False refusal destroys professional usefulness.
A meaningful cybersecurity evaluation should include realistic authorized tasks: exploitability analysis in a lab, malware deobfuscation, detection-rule development, phishing simulation, authentication testing, cloud attack-path validation, incident reconstruction, and analysis of persistence or evasion techniques.
The evaluation should determine whether the model provides safe, accurate, and operationally useful assistance when authorization and isolation are established.
A model that refuses every request containing dangerous concepts may appear safe under one measurement while being unusable under another. Safe usefulness must become a first-class benchmark.
Providers should also offer a clear appeals process. When an authorized practitioner encounters a refusal, the professional should be able to submit the request, authorization context, intended use, and expected safe outcome for review.
Without such a process, false refusals disappear into generic feedback channels and the same failures continue.
What the Individual Professional Can Do Now
The options available today are limited.
An individual should maintain written authorization for every engagement, use isolated labs, protect client data, preserve activity logs, and describe requests truthfully and precisely.
When possible, the professional should use an employer or client-managed account. Operational testing should remain inside approved security tools and controlled environments, with the model used for analysis where it remains useful.
A local model may be appropriate for certain authorized lab tasks, but it should be operated with authentication, network restrictions, encryption, tool controls, and complete professional accountability.
The individual should report false refusals to the provider with enough detail to demonstrate the legitimate use case.
What the professional should not do is attempt to jailbreak the model, lie about authorization, disguise the request, rotate accounts, or fragment a prohibited request to evade detection. Those actions undermine the ethical and legal basis of the engagement.
These practices can reduce risk, but they do not solve the access problem. They are workarounds for a market that has not yet built an adequate professional-access model.
Frontier AI Is Failing an Important Class of Defender
GPT-5.6 and Claude Fable 5 may represent major technical progress. They may reason more effectively, work across more tools, and remain engaged with more complex projects than prior generations.
For the individual cybersecurity professional, that progress can be largely theoretical.
The model can be capable of advanced cybersecurity work while the surrounding product refuses to perform it. A request can be authorized, ethical, isolated, and professionally necessary, yet still trigger restrictions because it resembles harmful activity.
That makes the product unreliable precisely where the frontier capability matters.
The issue is not that guardrails exist. The issue is that the current guardrails often lack a meaningful way to recognize legitimate professional authorization.
Independent security professionals should not receive unrestricted access merely because they claim to be ethical. But they should have a path to prove identity, document authorization, register scope, accept monitoring, and operate advanced capabilities inside controlled environments.
Until that path exists, the industry will continue producing frontier models that can perform sophisticated cybersecurity work in principle but are effectively unusable by many of the professionals who need them.
That is not a minor inconvenience. It is a failure to deliver the capability the product appears to promise.
How WCS Can Help
Walden Cybersecurity Solutions helps organizations and security professionals evaluate AI security tools, document acceptable-use boundaries, define authorization requirements, design human-approval workflows, and build practical controls around AI-assisted cybersecurity.
Frontier AI should improve the defender’s ability to protect systems—not become another tool that stops working when an investigation becomes technically difficult.
Explore WCS AI Security and Governance services or request a Security Snapshot.
References
- The Hindu, “OpenAI launches ChatGPT Work, introduces GPT-5.6 model family,” July 13, 2026.
- The Indian Express, “Anthropic extends Claude Fable 5 access to paid subscribers until July 19: Here’s what changes later,” updated July 13, 2026.
- OpenAI, “Model Spec,” December 18, 2025 version.
- Anthropic, “Usage Policy,” effective September 15, 2025.
- Anthropic, “Responsible Scaling Policy,” updated July 8, 2026.
- National Institute of Standards and Technology, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile, NIST AI 600-1.
Editorial note: This article advances an industry argument rather than reporting a measured refusal rate across every deployment. Guardrail behavior varies by model, product, account type, system prompt, tools, and policy configuration. The central issue is that individual professionals currently lack a dependable mechanism to prove authorization when a legitimate request resembles harmful activity.