
GPT-5 Agent That Finds and Fixes Code Flaws Automatically

OpenAI has announced the launch of an “agentic security researcher” that is powered by its GPT-5 large language model (LLM) and is programmed to emulate a human expert capable of scanning, understanding, and patching code.

Called Aardvark, the artificial intelligence (AI) company said the autonomous agent is designed to help developers and security teams flag and fix security vulnerabilities at scale. It’s currently available in private beta.

“Aardvark continuously analyzes source code repositories to identify vulnerabilities, assess exploitability, prioritize severity, and propose targeted patches,” OpenAI noted.

It works by embedding itself into the software development pipeline, monitoring commits and changes to codebases, detecting security issues and how they might be exploited, and proposing fixes to address them using LLM-based reasoning and tool-use.


Powering the agent is GPT‑5, which OpenAI introduced in August 2025. The company describes it as a “smart, efficient model” that features deeper reasoning capabilities, courtesy of GPT‑5 thinking, and a “real‑time router” to decide the right model to use based on conversation type, complexity, and user intent.


Aardvark, OpenAI added, analyses a project’s codebase to produce a threat model that it thinks best represents its security objectives and design. With this contextual foundation, the agent then scans its history to identify existing issues, as well as detect new ones by scrutinizing incoming changes to the repository.

Once a potential security defect is found, it attempts to trigger it in an isolated, sandboxed environment to confirm its exploitability and leverages OpenAI Codex, its coding agent, to produce a patch that can be reviewed by a human analyst.

OpenAI said it has been running the agent across OpenAI’s internal codebases and some of its external alpha partners, and that it has helped identify at least 10 CVEs in open-source projects.

The AI upstart is far from the only company to trial AI agents to tackle automated vulnerability discovery and patching. Earlier this month, Google announced CodeMender that it said detects, patches, and rewrites vulnerable code to prevent future exploits. The tech giant also noted that it intends to work with maintainers of critical open-source projects to integrate CodeMender-generated patches to help keep projects secure.


Viewed in that light, Aardvark, CodeMender, and XBOW are being positioned as tools for continuous code analysis, exploit validation, and patch generation. It also comes close on the heels of OpenAI’s release of the gpt-oss-safeguard models that are fine-tuned for security classification tasks.


“Aardvark represents a new defender-first model: an agentic security researcher that partners with teams by delivering continuous protection as code evolves,” OpenAI said. “By catching vulnerabilities early, validating real-world exploitability, and offering clear fixes, Aardvark can strengthen security without slowing innovation. We believe in expanding access to security expertise.”
