OpenAI unveils Aardvark, an autonomous GPT-5 agent built to hunt software vulnerabilities
OpenAI Group PBC today unveiled Aardvark, a new GPT-5-powered autonomous artificial intelligence agent designed to identify, verify and help fix software vulnerabilities in real time.
Pitched by OpenAI as representing a "breakthrough in AI and security research," Aardvark is described as an "AI security researcher" capable of scanning code repositories, reasoning about potential exploits and even generating validated patches. The idea is to give defenders an intelligent ally that can keep pace with the speed and scale of modern software development.
Aardvark integrates directly with platforms such as GitHub and supports both open-source and enterprise environments.
The agent works by analyzing an entire repository to build a contextual threat model before scanning every new code commit for vulnerabilities. Once an issue is detected, Aardvark automatically attempts to reproduce the exploit in a sandbox to confirm it's real, then proposes a fix using OpenAI's Codex engine.
To make sure humans are still in play, the system provides reports and suggested patches for human review rather than making unverified changes autonomously.
According to OpenAI, early results have been promising, with Aardvark identifying roughly 92% of known and synthetic vulnerabilities in benchmark repositories during internal testing. In limited trials, the agent has also uncovered real issues in open-source projects, several of which have been assigned official Common Vulnerabilities and Exposures numbers.
OpenAI hasn't really been known for the development of cybersecurity tools. The company says Aardvark is part of a new commitment to "giving back," by contributing tools and findings that make the digital ecosystem safer for everyone. As part of that commitment, pro bono Aardvark scanning will be offered to select noncommercial open-source repositories to contribute to the security of the open-source software ecosystem and supply chain.
Aardvark is currently available in private beta testing to validate and refine its capabilities in the field. OpenAI has not provided a timeline for when the new "AI security researcher" might be generally available.