OpenAI has launched Aardvark, an autonomous agent designed to help developers and security teams identify and remediate software vulnerabilities. Powered by GPT-5, the system is built to function like a human security researcher, continuously scanning codebases, analyzing commits and changes, identifying vulnerabilities, how they might be exploited, and proposing targeted patches.

The tool is now in private beta, with OpenAI aiming to refine performance and accuracy through real-world use.

According to OpenAI, Aardvark’s multi-stage pipeline analyzes entire repositories, monitors code changes, and proactively tests potential security issues.

Key workflow steps include:

Rather than relying on traditional security analysis methods such as fuzzing or software composition analysis, Aardvark uses LLM-powered reasoning and tool execution to understand code behavior and surface vulnerabilities. It reads and interprets code the way a human researcher would, generating tests, analyzing logic paths, and using development tools to identify issues that conventional scanning might miss.

OpenAI reports that Aardvark has been operating internally for months, identifying meaningful vulnerabilities across its codebase and those of external alpha partners. Those early users have also highlighted the depth of Aardvark’s analysis, noting that the system can surface issues that only appear under complex or specialized conditions.

In benchmark tests on curated “golden” repositories, the system identified 92 percent of known and synthetic vulnerabilities, showing its effectiveness in real-world scenarios.

OpenAI acknowledges that its work builds on years of progress made possible by the open-source and security research communities. In recognition of that foundation, the company says it aims to give back by making advanced security capabilities available to the ecosystem. As part of these efforts, OpenAI plans to provide pro-bono scanning for select non-commercial open-source projects to help strengthen and contribute to software supply-chain security.

Aardvark has already been applied to open-source projects, where it has discovered and responsibly disclosed vulnerabilities, including ten that have received Common Vulnerabilities and Exposures (CVE) identifiers.

OpenAI also updated its outbound coordinated disclosure policy to emphasize collaboration with developers and scalable long-term impact, rather than rigid deadlines that can create pressure during remediation. The company expects tools like Aardvark to surface a greater volume of vulnerabilities over time and says it plans to work closely with maintainers to support sustainable, resilient security practices across the ecosystem.

Software vulnerabilities continue to pose a systemic risk across industries, spanning enterprise systems, open-source codebases, and critical infrastructure. Each year, tens of thousands of new vulnerabilities are discovered, with more than 40,000 CVEs reported in 2024 alone. Even small code changes introduce meaningful exposure, as roughly 1.2 percent of commits can lead to bugs with potential real-world consequences.

Security teams face a constant race to identify and patch weaknesses before adversaries exploit them, and manual coverage is increasingly difficult as codebases scale. OpenAI positions Aardvark as a way to strengthen the defensive side of this equation by continuously analyzing code, validating exploitability, and proposing targeted fixes.

Aardvark reflects a defender-first model, operating as an always-on system that works alongside engineering teams to surface vulnerabilities in real time as code evolves. By pairing autonomous detection with verified testing and actionable patches, Aardvark aims to expand access to security expertise and strengthen protection without slowing innovation.

The Aardvark private beta is now open to select partners. Selected participants will receive early access and collaborate with OpenAI to refine detection accuracy, validation workflows, and reporting features.

Organizations and open-source projects interested in early participation can apply through OpenAI to help shape detection accuracy, validation workflows, and reporting features.

Modern software is built and updated at a pace that has outgrown traditional security practices. Each code change introduces potential risk, yet most organizations only review portions of their codebase and often do so after vulnerabilities make it into production. The result is a growing gap between how fast software evolves and how quickly security teams can respond.

Tools like Aardvark point to a turning point. If AI systems can continuously analyze code, confirm exploitability, and propose fixes, security will no longer rely solely on periodic audits or the limited bandwidth of human teams. Instead, vulnerability detection could become a persistent background function of the development process, catching issues before they reach the real world.

For companies, this shift matters because the cost of a missed vulnerability continues to rise, affecting trust, regulatory exposure, and operational stability. For developers and security teams, it signals a future where AI acts as a constant partner in safeguarding systems, allowing experts to focus on strategy, complex threats, and high-impact decisions rather than manual scanning alone.

This development suggests a broader industry transition: from defensive reaction to continuous, proactive protection built directly into the software lifecycle.

Editor’s Note: This article was created by Alicia Shapiro, CMO of AiNews.com, with writing, image, and idea-generation support from ChatGPT, an AI assistant used for research and drafting. However, the final perspective and editorial choices are solely Alicia Shapiro’s. Special thanks to ChatGPT for assistance with research and editorial support in crafting this article.