OpenAI targets AI that fixes security flaws, not just finds them

Summary
– OpenAI expanded Daybreak, a cybersecurity initiative using AI models and tools like Codex Security to support vulnerability discovery and remediation.
– Codex Security has scanned over 30 million commits across 30,000 codebases since March, automatically marking more than 500,000 findings as fixed.
– The updated Codex Security plugin enables deep scans, triage of existing findings, and automated patch generation to reduce vulnerability backlogs.
– GPT-5.5-Cyber outperformed GPT-5.5 on security benchmarks and remains available to verified defenders for advanced cyber tasks.
– OpenAI launched the Patch the Planet initiative with Trail of Bits, funding researchers to use AI for open-source vulnerability discovery and remediation.

OpenAI has taken its Daybreak cybersecurity initiative to the next level by integrating AI models, Codex Security, security researchers, maintainers, industry partners, and access controls to not only find but also fix software vulnerabilities. This expanded platform enables organizations to identify, validate, and remediate security flaws, while developers, maintainers, and security teams can leverage its tools to bolster their defensive capabilities.
Codex Security targets the remediation bottleneck: as AI-assisted vulnerability discovery speeds up, the pressure on teams to triage and fix what is found grows. Since its cloud research preview launched in March, Codex Security has scanned over 30 million commits across 30,000 codebases, automatically identifying more than 500,000 findings as fixed.
The platform adapts to a team’s codebase and threat model, or builds one if necessary. It identifies plausible vulnerabilities, checks whether affected code is reachable, collects evidence for validation, creates targeted patches, and verifies results. Human operators maintain control over which findings to investigate, which changes to implement, and what data to share.
With the updated Codex Security plugin, developers can run deep scans or review recent changes in repositories, pull requests, and local code. They can generate reports with severity ratings, affected code locations, validation evidence, and remediation guidance. The plugin also traces attack paths, builds threat models, validates findings, and produces codebase-specific patches for review.
“The plugin can also triage and validate existing findings from scanners, advisories, bug bounty reports, or ticketing systems, then automate patch generation at scale to help reduce vulnerability backlogs,” OpenAI stated. “When Codex Security completes a scan, it can export findings to an existing vulnerability management system or integrate with other tools through SARIF files, CodeQL queries, and more. The plugin makes these capabilities more accessible for automated pipelines using Codex CLI and for developer workflows in the Codex app.”
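SARIF is the vendor-neutral interchange format the quote above mentions, and the first thing a pipeline does with an exported SARIF file is flatten, deduplicate and rank the results before they reach a ticketing or vulnerability management system. The script below is an added illustration of that ingestion step, not code from OpenAI or Codex Security; it relies only on the standard SARIF 2.1.0 layout (runs, tool.driver, results with ruleId, level, message and locations), so it works on any SARIF producer. The embedded document, the rule IDs and the file paths are constructed for the example.

```python
"""Ingest a SARIF 2.1.0 export and produce a triage summary.

Added example, not OpenAI's or Codex Security's code. Only the standard
SARIF result fields are used; the sample document below is constructed.
"""
import json
from collections import Counter

# Constructed sample SARIF document (not real scanner output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "example/sql-injection", "level": "error",
             "message": {"text": "Query built from request parameter"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            # Exact duplicate of the result above: same rule, file and line.
            {"ruleId": "example/sql-injection", "level": "error",
             "message": {"text": "Query built from request parameter"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "example/clear-text-logging", "level": "warning",
             "message": {"text": "Token written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "example/clear-text-logging", "level": "note",
             "message": {"text": "Possible sensitive value in debug log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 90}}}]},
        ],
    }],
})

# SARIF result levels, most severe first.
LEVEL_ORDER = {"error": 0, "warning": 1, "note": 2, "none": 3}


def load_findings(sarif_text):
    """Flatten every result in every run into a dict with a stable dedup key."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            # Use the first location only; SARIF allows several per result.
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<no-file>")
            line = loc.get("region", {}).get("startLine", 0)
            rule = res.get("ruleId", "<no-rule>")
            findings.append({
                "tool": tool,
                "rule": rule,
                # SARIF's default level when none is given is "warning".
                "level": res.get("level", "warning"),
                "file": uri,
                "line": line,
                "message": res.get("message", {}).get("text", ""),
                "key": (rule, uri, line),
            })
    return findings


def dedupe(findings):
    """Collapse results that share rule, file and start line."""
    seen, unique = set(), []
    for f in findings:
        if f["key"] not in seen:
            seen.add(f["key"])
            unique.append(f)
    return unique


def triage(findings, min_level="warning"):
    """Keep results at or above min_level, most severe first."""
    cutoff = LEVEL_ORDER[min_level]
    kept = [f for f in findings if LEVEL_ORDER.get(f["level"], 3) <= cutoff]
    return sorted(kept, key=lambda f: (LEVEL_ORDER.get(f["level"], 3), f["file"], f["line"]))


def summarize(sarif_text, min_level="warning"):
    """Return counts and the ranked finding list ready for a ticketing system."""
    raw = load_findings(sarif_text)
    unique = dedupe(raw)
    kept = triage(unique, min_level)
    return {
        "total": len(raw),
        "unique": len(unique),
        "kept": len(kept),
        "by_level": dict(Counter(f["level"] for f in kept)),
        "findings": kept,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_SARIF), indent=2))
```

Deduplicating on (rule, file, line) is deliberately coarse: a code move shifts line numbers and reopens a ticket, which is why production pipelines prefer the SARIF `partialFingerprints` field when the producer populates it.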
GPT-5.5-Cyber gains new security capabilities as well. The model, which remains available to verified defenders doing authorized work that requires OpenAI’s most advanced cyber tools, is tuned to reduce unnecessary refusals in specialized workflows. It can identify security-relevant components, determine whether code is reachable, validate likely issues in controlled environments, develop and test patches, and prepare evidence for human review.
GPT-5.5-Cyber outperformed GPT-5.5 on key security benchmarks, achieving 85.6% on CyberGym, 39.5% on ExploitGym, and 69.8% on SEC-bench Pro. “We are continuing to evaluate the model’s performance on complex repositories and real remediation workflows as coordinated disclosures conclude,” OpenAI added.
OpenAI also launched the OpenAI Daybreak Cyber Partner Program, allowing participating security vendors to integrate GPT-5.5 with Trusted Access for Cyber into customer-facing products and services. Trusted Access for Cyber provides advanced cyber capabilities along with additional safeguards, monitoring, and verification measures. The company plans to expand this program to more organizations in the coming months.
The Patch the Planet initiative, launched with Trail of Bits and in collaboration with HackerOne and CALIF, supports open-source security by funding researchers and equipping them with Codex Security and advanced AI models. This initiative combines AI-assisted vulnerability discovery with expert human review to reduce false positives and ease the burden on software maintainers.
OpenAI security researchers work with open-source maintainers to validate vulnerabilities, remove duplicate reports, and verify patches before submission. Participating projects receive ChatGPT Pro, API credits, and conditional access to Codex Security. According to OpenAI, an initial five-day sprint identified hundreds of potential issues, led to dozens of merged fixes, and produced reusable testing workflows for future vulnerability discovery and remediation.
The company is collaborating with governments and institutions worldwide to strengthen cybersecurity defenses and protect critical infrastructure. “We plan to work directly with eligible operators of critical infrastructure, including government networks, to develop safeguards tailored to the systems they operate,” OpenAI said. “The focus of this work is to make advanced AI more useful to defenders while making it harder for malicious actors to cause real-world harm.”
OpenAI intends to work with enterprise customers and partners to enhance cybersecurity safeguards and help prevent attacks targeting critical services.
(Source: Help Net Security)