OpenAI has announced the launch of Aardvark, an autonomous AI security agent powered by GPT-5 that aims to revolutionize how organizations discover and remediate software vulnerabilities.
The new tool, currently available in private beta, marks a major advance in automated security research and strengthens the capabilities of cyber defenders worldwide.

Automated vulnerability discovery at scale
Aardvark acts as an autonomous security researcher that continuously monitors source code repositories to identify vulnerabilities, assess their exploitability, and suggest targeted patches.
Unlike traditional tools that rely on fuzzing or Software Composition Analysis (SCA), Aardvark uses reasoning AI models to understand the behavior of the code like a human security researcher — by reading code, analyzing it, and generating tests.
How Aardvark works
The system follows a multi-step process that begins by analyzing the entire codebase and creating a threat model based on the project's security objectives.
It then scans commits to detect vulnerabilities and attempts to exploit them in isolated sandboxes to verify real risks.
When vulnerabilities are confirmed, Aardvark automatically generates patches via OpenAI Codex, which developers can review and apply with one click.
Proven in practice
Aardvark has already been used in OpenAI's internal codebases as well as with external alpha partners and has revealed several critical vulnerabilities.
In tests on repositories with known vulnerabilities, the system reached a detection rate of 92%, demonstrating its strength in real-world environments.
OpenAI has also contributed to open source security by responsibly reporting discovered vulnerabilities – ten of which have already been assigned official CVE identifiers.
For a safer development cycle
With over 40,000 reported CVEs in 2024 and approximately 1.2% of commits introducing bugs, software vulnerabilities pose a systemic global threat.
Aardvark mitigates this risk by detecting flaws early, validating real-world exploitability, and providing clear fixes – without slowing down innovation.
OpenAI has also updated its coordinated disclosure policy to promote collaboration and developer-friendly processes instead of rigid timelines.
The future of AI-powered cybersecurity
As availability expands beyond the beta phase, Aardvark can democratize security expertise and help more organizations strengthen their defenses against growing cyber threats.
The tool represents the next step in OpenAI's vision – where autonomous intelligence not only creates innovation, but also protects it.
