OpenAI has introduced Aardvark, an autonomous AI agent designed to identify and fix security vulnerabilities in software codebases. The system, powered by GPT-5, is now available in private beta to select partners, who will collaborate with OpenAI to refine its detection accuracy, validation workflows, and reporting experience.
“Aardvark represents a breakthrough in AI and security research—an autonomous agent that can help developers and security teams discover and fix security vulnerabilities at scale,” OpenAI said in a statement announcing the launch.
The agent continuously monitors code repositories, finding and validating vulnerabilities, assessing their exploitability and proposing targeted patches. Rather than relying on traditional techniques such as fuzzing or software composition analysis (SCA), Aardvark uses large language model (LLM) reasoning to read the code, detect bugs and generate fixes.
According to OpenAI, Aardvark works in several stages: it first analyses the full repository to build a threat model, then scans incoming commits for potential vulnerabilities, attempts to confirm that each finding is actually exploitable in a sandboxed environment, and finally generates candidate patches with Codex, which are handed to humans for review and integration.
In internal testing on benchmark repositories, Aardvark detected 92% of the vulnerabilities that were either already known or synthetically introduced; this is a recall figure for the benchmarks, not a measure of how many of its reports were false positives. It has also been deployed across OpenAI’s internal systems and those of early external partners, where it has reportedly identified “meaningful vulnerabilities” and contributed to strengthening defensive systems.
Beyond enterprise use, OpenAI said Aardvark has been applied to open-source projects, resulting in the discovery and responsible disclosure of multiple security issues, ten of which have received Common Vulnerabilities and Exposures (CVE) identifiers.
“As beneficiaries of decades of open research and responsible disclosure, we’re committed to giving back—contributing tools and findings that make the digital ecosystem safer for everyone,” the company said. OpenAI also announced plans to offer pro-bono scanning for select non-commercial open-source repositories.
The company has updated its coordinated disclosure policy to prioritise collaboration and sustainable remediation timelines. “We anticipate tools like Aardvark will result in the discovery of increasing numbers of bugs, and want to sustainably collaborate to achieve long-term resilience,” OpenAI said.
OpenAI’s move comes amid rising concerns about software security. More than 40,000 CVEs were reported in 2024, and the company noted that about 1.2% of all code commits introduce bugs.
By deploying AI-driven systems like Aardvark, OpenAI seeks to shift the balance toward defenders through a “defender-first model” that provides continuous protection as code evolves.