Last year, OpenAI introduced Aardvark, a security researcher agent powered by GPT‑5, in private beta with a small group of customers. Aardvark is an autonomous agent that can discover and fix security vulnerabilities in an application. Customers can point Aardvark to a codebase, and it will continuously analyze the code to identify vulnerabilities and propose fixes for them.
Today, OpenAI announced that Aardvark has evolved into Codex Security. Codex Security is now available in research preview to ChatGPT Pro, Team, Enterprise, and Edu customers via the Codex web interface with free usage until next month.
OpenAI claims that Codex Security tries to solve two kinds of problems. First, AI agents are accelerating software development by generating thousands of lines of code, which makes manual security review a complex process. Second, existing security tools in the market flag low-impact issues and report several false positives, forcing developers to spend significant amounts of time on triage.
Codex Security uses agentic reasoning with automated validation to discover high-impact issues and actionable fixes specific to the codebase.
Drawing on what it learned from deploying Aardvark in private preview, OpenAI improved both how users provide relevant product context to Codex Security and the quality of its findings.
During the beta period, OpenAI worked with external testers to improve how users add product context and move from onboarding to actually securing their code. The company also said Codex Security’s findings became much more accurate over time. In one example, repeated scans on the same repository reduced noise by 84% compared to the initial rollout.
OpenAI added that the rate of over-reported severity has dropped by more than 90%, while false positives across repositories are down by more than 50%. These changes should help security teams focus on real issues instead of spending time on unnecessary triage. The company expects Codex Security’s signal-to-noise ratio to improve further over time.