OpenAI launches Codex Security to find vulnerabilities other tools miss
TL;DR:
- OpenAI has released Codex Security in research preview, an agentic security tool that builds project-specific threat models to identify high-confidence vulnerabilities and generate actionable patches.
- During beta testing, the tool cut noise by up to 84%, reduced false positives by over 50%, and lowered over-reported severity findings by more than 90%.
- The system has already found and reported real vulnerabilities in widely used open-source projects including OpenSSH, GnuTLS, and Chromium, with 14 CVEs assigned.
OpenAI has made Codex Security available in research preview to ChatGPT Pro, Enterprise, Business, and Edu customers. The tool, previously known as Aardvark during a private beta, takes a different approach from most AI security scanners by building deep context about each project before looking for problems.
The pitch is simple: most AI security tools generate too many low-impact findings and false positives. Security teams spend more time triaging noise than fixing real issues. Codex Security aims to reverse that ratio.
How it works
The system analyses a repository to understand its security-relevant structure, then generates an editable threat model capturing what the system does, what it trusts, and where it is most exposed. Using that model as context, it searches for vulnerabilities and categorises findings by expected real-world impact.
Where possible, findings are pressure-tested in sandboxed validation environments. The tool then proposes fixes aligned with the system’s existing architecture, reducing the risk of introducing regressions. It also learns from user feedback: when teams adjust a finding’s severity, the threat model updates for future scans.
Over the past 30 days, the system scanned more than 1.2 million commits across beta repositories, identifying 792 critical findings and 10,561 high-severity findings. Critical issues appeared in under 0.1% of scanned commits.
Open source contributions
OpenAI has been running Codex Security against the open-source projects it depends on, reporting findings to maintainers. The approach was shaped by maintainer feedback: the problem is not too few vulnerability reports but too many low-quality ones. Fourteen CVEs have been assigned from Codex Security findings so far, with vulnerabilities reported in OpenSSH, GnuTLS, GOGS, and several other projects.
The company has also launched Codex for OSS, offering free ChatGPT accounts and Codex Security access to open-source maintainers. Projects like vLLM are already using it in their regular workflows.
For UK development teams, the tool addresses a real bottleneck. As AI-assisted coding accelerates development velocity, security review increasingly becomes the constraint. Whether Codex Security’s precision improvements hold across diverse codebases and threat profiles remains to be seen, but the signal-to-noise ratio improvements during beta are notable.