OpenAI started rolling out Codex Security on Friday, an artificial intelligence (AI)-powered security agent designed to find and validate vulnerabilities and propose fixes.
This feature is available in a research preview for ChatGPT Pro, Enterprise, Business, and Edu customers through Codex Web with free usage for the next month.
“It builds deep context around your project to identify complex vulnerabilities that other agentive tools miss, uncovering high-confidence findings with fixes that meaningfully improve the security of your systems while protecting you from the noise of unimportant bugs,” the company said.
Codex Security represents the evolution of Aardvark, which OpenAI unveiled in private beta in October 2025 as a way for developers and security teams to detect and fix security vulnerabilities at scale.
Over the past 30 days, Codex Security has scanned more than 1.2 million commits in external repositories during the beta, identifying 792 critical findings and 10,561 high-severity findings. These include vulnerabilities in various open-source projects such as OpenSSH, GnuTLS, GOGS, Thorium, libssh, PHP and Chromium. Some of them are listed below –
- GnuPG – CVE-2026-24881, CVE-2026-24882
- GnuTLS – CVE-2025-32988, CVE-2025-32989
- GOGS – CVE-2025-64175, CVE-2026-25242
- Thorium – CVE-2025-35430, CVE-2025-35431, CVE-2025-35432, CVE-2025-35433, CVE-2025-35434, CVE-2025-35435, CVE-2025-35436
According to the AI company, the latest iteration of the application security agent leverages the reasoning capabilities of its frontier models and combines them with automated validation to reduce the risk of false positives and provide actionable improvements.
OpenAI’s scans on the same repositories over time have demonstrated increasing accuracy and declining false positive rates, with the latter falling by more than 50% across all repositories.
In a statement shared with The Hacker News, OpenAI said Codex Security is designed to improve signal-to-noise by grounding vulnerability discovery in the system context and validating findings before they are exposed to users.
Specifically, the agent works in three phases. First, it analyzes a repository to understand the security-relevant structure of the project and generates an editable threat model that describes what the system does and where it is most exposed.
Once the system context is created, Codex Security uses it as a basis to identify vulnerabilities and classify findings based on their real-world impact. Stress-testing is performed in a sandboxed environment to verify identified issues.
“When Codex Security is configured with an environment tailored to your project, it can validate potential issues directly in the context of the running system,” OpenAI said. “That deeper validation can further reduce false positives and enable the creation of a working proof-of-concept, giving security teams stronger evidence and a clear path to remediation.”
In the final stage, the agent proposes fixes that align with existing system behavior, so as to minimize regressions and make the changes easier to review and deploy.
The news of Codex Security comes just weeks after Anthropic launched Claude Code Security to help users scan software codebases for vulnerabilities and suggest patches.