What GPT-5.5's Cyber-Capability Evaluation Means for the AI Risk Defenses of Japanese Firms in the Philippines

An explanation of the UK AISI's cybersecurity evaluation of GPT-5.5 and Mythos Preview. We introduce practical risk-management steps for Japanese firms in the Philippines, including NPC notification rules and drafting an AI usage policy.

Author

AI Engineer · 36+ years in IT · Japanese, based in Manila for 13+ years

GPT-5.5 Matched Mythos Preview on Cybersecurity Performance — An AI Risk-Management Guide for Japanese Firms in the Philippines

From the UK AISI's latest evaluation, we examine how far frontier AI (the most advanced AI models) has come in cyber-attack capability. We also explain the practical steps Japanese firms with Philippine bases should take right now.


Part 1: Why This Matters

Step 1: The Philippine Business Context (3 min)

The most advanced AI models (called "frontier AI") are rapidly growing their ability to perform work related to cyber-attacks. The point this time is not that any one company's model alone is dangerously far ahead. It is the observation that AI models across the industry have come to deliver near-human-expert accuracy on offensive work such as hacking, vulnerability discovery, and code analysis. This is by no means a distant matter for Japanese firms operating in the Philippines.

The Philippines is a BPO (business process outsourcing) powerhouse. Through call centers, accounting shared services, IT help desks, and the like, sensitive data from Japanese headquarters flows into offices in Manila and Cebu. The falling cost of AI-driven attacks means a rising risk that a Philippine base becomes an entry point for an attack. On top of that, the Philippines has the Data Privacy Act of 2012 (the Philippine personal-data protection law, Republic Act No. 10173), overseen by the National Privacy Commission (NPC). When personal information leaks, strict notification obligations apply. For Japanese firms that must comply doubly with this and with Japan's amended Act on the Protection of Personal Information, cybersecurity in the AI era is, quite simply, a management issue.

Scene: At a Makati office, a Japanese manager, coffee in hand, raises a point with the Filipino IT manager: "Apparently cases of using generative AI to write attack code are increasing. Our BPO base handles headquarters' data too—are our defenses okay as they are?" The colleague responds, "The NPC's guidelines have been updated too, so let's take inventory together." This is material to spark that kind of conversation.

Step 2: The Key Facts From the Original Article (5 min)

We have organized the facts of the original article into our own table for study purposes.

| Item | Details |
| --- | --- |
| Evaluating body | UK AI Security Institute (AISI) |
| Models evaluated | OpenAI GPT-5.5, Anthropic Mythos Preview |
| Evaluation method | 95 Capture the Flag (CTF) style challenges, run continuously since 2023 |
| Average pass rate at Expert level | GPT-5.5: 71.4%, Mythos Preview: 68.6% (within the margin of error) |
| Rust binary analysis task | GPT-5.5 solved it in 10 minutes 22 seconds at an API cost of $1.73 |
| TLO (a 32-step data-exfiltration simulation) | GPT-5.5: 3 successes out of 10, Mythos Preview: 2 out of 10 |
| Cooling Tower (a power-plant control sabotage simulation) | All models failed |
| OpenAI's moves | Launched the Trusted Access for Cyber pilot in February 2026, with limited availability of GPT-5.4-Cyber and GPT-5.5-Cyber |
| AISI's conclusion | "Not a breakthrough specific to a particular model, but a byproduct of general advances in long-horizon autonomy, reasoning, and coding" |
| Date reported | May 2, 2026 |

Source: Ars Technica — "GPT-5.5 matches heavily hyped Mythos Preview in new cybersecurity tests" (May 2, 2026)

This table was created for study purposes based on facts from publicly available information. Please refer to the original article linked above for details.


Step 3: Comprehension Check (5 min)

Q1. How many types of challenges does the UK AISI use to evaluate frontier AI? Hint: It's the cumulative total since 2023. The figure is near the start of the article.

Q2. On Expert-level tasks, what were the pass rates of GPT-5.5 and Mythos Preview, respectively? Hint: The difference is said to be within the margin of error.

Q3. How long did GPT-5.5 take to solve the task of building a disassembler for a Rust binary, and at what API cost? Hint: Remember it as a combination of "minutes" and "U.S. dollars."

Q4. In the TLO test, from which model did the first success among all models appear, and how many times out of how many did GPT-5.5 succeed? Hint: It's a test that simulates a 32-step data exfiltration.

Q5. From these results, how does the AISI conclude the improvement in cyber capability arose—is it "specific to a particular model," or due to another factor? Hint: The keywords are "long-horizon autonomy," "reasoning," and "coding."



Part 2: Putting It Into Practice

Step 4: Implementation Steps in the Philippines (10 min)

We lay out the concrete steps for building a cybersecurity posture for the AI era at your Philippine base, in five stages.

| Step | Details | Philippine-specific points to watch |
| --- | --- | --- |
| 1. Asset inventory and risk map | Catalog the scope of headquarters' data that the Philippine base touches, plus the SaaS and generative-AI tools in use | Clarify the location of personal information subject to registration with the NPC (National Privacy Commission). Sort out whether the BPO base is a "Personal Information Controller" or a "Processor" |
| 2. Prepare an AI usage policy | Document the rules for using generative AI at work, the scope of sensitive information prohibited from input, and the approval flow | Create it bilingually in English and Japanese. Communicating to Filipino staff requires not just documents but also a verbal briefing (because verbal agreement is valued in the culture) |
| 3. Enforce access management and multi-factor authentication | Make MFA mandatory for privileged accounts and build a flow to immediately disable departed employees' accounts | A budget benchmark for monthly tool fees is 300 to 800 pesos per user. Include the accounts of SEC-registered agents and officers as well |
| 4. Prepare an incident-response playbook | Create a procedure that reconciles NPC notification (within 72 hours) with reporting to Japanese headquarters | In line with the NPC's Breach Notification Rules (NPC Circular 16-03), notification to affected individuals is also required. Prepare notification-letter templates in Tagalog or English |
| 5. Regular red-team exercises and validation of AI use | Conduct a tabletop exercise with outside experts at least once every half year | Prioritize vendors accredited by the Philippine DICT (Department of Information and Communications Technology). The cost runs from roughly 150,000 to 800,000 pesos depending on scale |

Step 5: Common Mistakes and How to Avoid Them (5 min)

Failure pattern 1: "Distributing a straight English translation of the Tokyo headquarters' policy"

Bad example: You circulate an English version that's merely a machine translation of the Japanese policy and just collect signatures.

Good example: Together with the Manila IT lead, you create a version adapted to the local operational flow. In team meetings, explain using concrete examples, and always set aside time at the end to take questions.

Failure pattern 2: "Letting people use free generative AI freely for work"

Bad example: It's tacitly allowed for staff to paste customer lists and financial data into a personal-account chat tool to have it summarized.

Good example: You introduce an enterprise version under a corporate contract, use settings that keep your data out of training, and ensure you can retain audit logs. At the same time, make clear the "three categories of data prohibited from input" (personal information, contract information, source code).

Failure pattern 3: "Reporting a security incident only to headquarters and delaying NPC notification"

Bad example: While you wait on headquarters' decision, 72 hours elapse and you become subject to an NPC fine.

Good example: You agree in advance on a procedure that advances headquarters reporting and NPC notification in parallel. Also note the contact for local legal counsel or a Philippine lawyer in the response procedure.


Part 3: Going Deeper

Capture the Flag / CTF (a flag-capturing competition, a cybersecurity exercise) is a competition-style exercise in which you analyze and break into a system to find a hidden string called a "flag." Even a Manila IT department would find it effective to incorporate CTFs into new-engineer training and quarterly skill assessments. It builds a practical, hands-on defensive instinct that classroom study alone can't instill.

Reverse Engineering is the work of taking apart finished software to infer how its internals work. It's similar to eating a dish and guessing the recipe. It's put to use at a Philippine base when safely analyzing an executable file of unknown origin, or when considering how to modify a legacy system that has no specification document.

Long-horizon Autonomy refers to the ability of AI to keep performing work spanning dozens of steps on its own, without receiving instructions from a human at each step. It's a concept worth understanding as a premise for considering embedding AI agents into operations—for instance, when you want to automate invoice processing from start to finish at a Cebu shared-services center.

Trusted Access Program is a mechanism in which an AI provider opens its high-capability models "only to identity-verified users." A Japanese security vendor in the Philippines would encounter it as the registration procedure for using advanced models such as OpenAI's through legitimate channels. It's a name procurement staff would do well to remember.

Data Privacy Act of 2012 (the Philippine personal-data protection law, Republic Act No. 10173) is a law that regulates every organization handling personal information within the Philippines. It's a strong law, with fines and even imprisonment on violation. When a Japanese firm in the Philippines adopts an AI tool, confirming compliance with this law—on top of the headquarters' compliance with Japan's amended personal-data protection law—is essential. It's also frequently referenced when checking the data-processing clauses of a contract.

Step 7: Applying This to Your Own Company (10 min)

At your Philippine base, which operations are most likely to be targeted by a generative-AI attack?

A prompt to consider: Identify them from three angles—the departments that handle a lot of customer data, the departments with a lot of back-and-forth email with outsiders, and the departments with a large number of endpoints.

How should you design the division of roles between headquarters (Japan) and the local base (the Philippines)?

A prompt to consider: Lay out the four functions—24/7 monitoring, local-law compliance, technical procurement, and education and training—in a table. Discuss whether each should be headquarters-led, locally led, or joint.

How should you decide the budget allocation for adopting AI tools?

A prompt to consider: Estimate the assumed damages if you're attacked (NPC fines, downtime losses, reputational damage). On that basis, consider what share of your annual security budget to direct toward AI-related detection and defense tools.

Next action: Within the next week, create a list of the generative-AI tools and SaaS services in use at your Philippine base. In a 30-minute interview, confirm with the local IT manager what kinds of operational data are being input into each tool.


Part 4: FAQ

Q1. When AI is used in cyber-attacks, what tends to happen specifically at a Philippine base?

The biggest expected increase is sophisticated phishing emails targeting Filipino staff. Another is automated attacks that rapidly discover and exploit vulnerabilities in public web applications. Because English is standard for work in the Philippines, the danger of failing to notice an AI-generated, natural-sounding English business email and opening an attachment tends to be higher than at a Japanese base.

Q2. Is the breach notification to the NPC the same procedure even for an AI-caused incident?

Yes, the procedure is the same whether or not the cause is an AI-driven attack. The obligation to notify the NPC and the affected individuals within 72 hours, from the point you can reasonably judge that personal information has been leaked, altered, or lost, does not change. If anything, AI attacks tend to make it more complex to identify the scope of impact. It's important to secure in advance a route to engage forensic experts.

Q3. When using generative AI for work at a Philippine base, how should I align it with headquarters' amended personal-data protection law?

The basic principle of dual compliance is "align to the stricter one." Compare Japan's cross-border transfer regulations with the Philippine Data Privacy Act, and create a data-processing agreement (DPA) that satisfies both countries' requirements. In practice, it's common to advance the Philippine-side NPC registration and the Japan-side privacy-policy update concurrently.

Q4. What's the going rate for hiring AI security talent in the Philippines?

As of 2026, a benchmark is roughly 50,000 to 80,000 pesos per month for a junior SOC analyst, and 120,000 to 250,000 pesos per month for a senior security engineer. Those with experience specialized in AI security are still scarce, and offers exceeding 300,000 pesos a month are not unusual. A hybrid strategy of in-house development and outsourcing is realistic.

Q5. Is it a problem to have AI automatically process BIR- or SEC-related filing documents?

It's technically possible, but the final signature and submission must be done after an authorized person has confirmed the contents. Tax filings to the BIR (Bureau of Internal Revenue) and periodic reports to the SEC (Securities and Exchange Commission) can be subject to back taxes or penalties if there are errors. Keep AI limited to drafting and assisting with numerical checks, and run things so that a human always confirms before submission.


Tips for Putting This to Use (3 Tips)

Tip 1: Make the "AI-use inventory" a monthly routine

At Philippine bases, new SaaS and AI tools tend to be adopted by front-line decision. Once a month, even just for five minutes, interview each department on its AI usage. Building a habit of catching shadow IT before it takes root gives you peace of mind. Early detection is the key to preventing information leaks.

Tip 2: Post the "72 hours from incident" timeline on the wall on paper

The NPC's 72-hour notification rule tends to cause confusion when the moment comes. Physically post a flowchart at the Manila base's IT department that states who does what within how many hours. Even if an incident occurs in the middle of the night, no one panics. Noting the contact-priority order between Japanese expatriates and local staff gives further peace of mind.

Tip 3: Each half year, take time to review your company from "the attacker's perspective"

AI attack tools evolve quickly, and the assumptions of six months ago can be outdated. Once every half year, take even 30 minutes to examine your Philippine base from the perspective of "if I were the attacker, where would I aim?" We recommend building this into your management meeting to institutionalize the chance to review your measures.


Bonus: How to Make Use of PH AI Works

PH AI Works provides consulting on the use of AI and technology for Japanese firms based in the Philippines and for Japanese businesspeople in the Philippines. In connection with this theme, you can consult us in areas such as the following:

  • Support for drafting a generative-AI usage policy at your Philippine base, and a review of its consistency with the Japanese headquarters' policy
  • Risk assessment when adopting AI tools, in compliance with the Data Privacy Act of 2012
  • Designing AI-skills and security training programs for Filipino staff

We offer free consultations, so please feel free to get in touch.

