OpenAI has introduced Aardvark, an autonomous AI agent designed to function as a security researcher powered by GPT-5. Built to address one of the most pressing challenges in technology, Aardvark is capable of identifying, analyzing, and helping fix software vulnerabilities at scale—potentially shifting the balance in favor of defenders in the ongoing battle against cyber threats. Aardvark operates by continuously monitoring code repositories, analyzing changes in real time, and detecting security flaws with a human-like approach. Rather than relying on traditional methods such as fuzzing or static analysis, it uses advanced language model reasoning and tool integration to understand code behavior, simulate exploits, and propose targeted fixes. It reads code, runs tests, uses development tools, and evaluates risk—all in a way that mirrors how expert security researchers work. The system follows a multi-stage process: it identifies potential vulnerabilities, assesses their exploitability, prioritizes them by severity, and generates clear, actionable recommendations for remediation. Aardvark integrates directly with developer workflows, including GitHub and Codex, ensuring it supports development without slowing it down. In internal testing across OpenAI’s codebases and with select external partners, Aardvark has proven effective. It has uncovered meaningful vulnerabilities, including complex issues that only manifest under specific conditions. In benchmark tests on well-known open-source repositories, Aardvark detected 92% of known and artificially introduced vulnerabilities, demonstrating strong recall and real-world utility. Beyond security flaws, Aardvark has also identified logic errors, incomplete patches, and privacy issues. It has contributed to responsible disclosure by finding and reporting ten vulnerabilities in open-source projects that have been assigned CVE identifiers. OpenAI is committed to giving back to the open-source community and plans to offer pro-bono scanning to select non-commercial projects to improve the security of the broader software supply chain. OpenAI has also updated its coordinated disclosure policy to be more developer-friendly, emphasizing collaboration and sustainable impact over rigid timelines. The company believes tools like Aardvark will uncover more bugs, and it wants to work with teams to address them effectively and responsibly. With over 40,000 CVEs reported in 2024 alone and roughly 1.2% of code commits introducing bugs, software vulnerabilities pose a systemic risk across industries. Aardvark represents a new defender-first model—proactively protecting systems as code evolves. By catching issues early, validating real-world exploitability, and delivering clear fixes, it strengthens security without hindering innovation. Aardvark is currently in private beta. OpenAI is inviting select organizations and open-source projects to participate, offering early access and the opportunity to help refine detection accuracy, validation processes, and reporting. Interested parties can apply to join the beta program to help shape the future of AI-powered security.