OpenAI has announced Aardvark, an “agentic security researcher” powered by GPT-5 that, according to the company, “thinks like a security researcher and scales to meet the demands of modern software.” Now in private beta, Aardvark is designed to help developers and enterprise security teams discover and fix vulnerabilities at scale—addressing one of the most persistent risks facing organisations today.

Unlike traditional approaches such as fuzzing or software composition analysis, Aardvark relies on LLM-powered reasoning and tool use to analyse code the way a human expert would. OpenAI explained that Aardvark first analyses entire repositories to produce a detailed threat model, then monitors new commits for vulnerabilities, explaining each finding step by step. Suspected issues are validated in a sandboxed environment before Aardvark proposes fixes using OpenAI Codex. These patches can be reviewed and applied with a single click in existing GitHub workflows.

OpenAI reported that Aardvark has been running for several months across internal codebases and with external alpha partners. During this period, it surfaced “meaningful vulnerabilities” and identified issues “that occur only under complex conditions.” In benchmark testing on “golden” repositories, Aardvark identified 92 percent of known and synthetically introduced vulnerabilities, a figure OpenAI described as proof of its real-world effectiveness.

The company also revealed that Aardvark has been deployed across open-source projects, where it has uncovered and responsibly disclosed multiple vulnerabilities—ten of which have been assigned CVE identifiers. As part of its ongoing commitment to the open-source community, OpenAI plans to provide pro-bono scanning for select non-commercial projects. The company also updated its coordinated disclosure policy to prioritise collaboration and sustainable impact over rigid reporting timelines.

Software vulnerabilities represent a systemic business risk. OpenAI noted that over 40,000 CVEs were reported in 2024, and its internal research indicates that around 1.2 percent of code commits introduce new bugs—small errors with potentially major implications.

OpenAI described Aardvark as “a new defender-first model,” integrating continuous security into the software lifecycle. By combining human-like reasoning with validated exploit testing and automated patching, Aardvark promises to strengthen security posture without slowing innovation.

For chief information security officers (CISOs) and engineering leaders, this approach could accelerate remediation times, reduce false positives, and extend coverage across complex, distributed codebases.

Aardvark is currently available in private beta, with OpenAI inviting select enterprise partners to participate in refining its detection accuracy, validation workflows, and reporting experience. For organisations seeking to embed continuous, AI-driven defence within their software pipelines, OpenAI’s launch marks a pivotal step toward intelligent, always-on vulnerability management.
