The new Codex Security tool uses artificial intelligence to scan codebases, identify vulnerabilities, validate them, and suggest fixes for developers and security teams.

OpenAI has introduced Codex Security, an artificial intelligence–powered security agent designed to help developers detect and fix vulnerabilities in software projects.

The tool is currently available in a research preview for users of ChatGPT Pro, Enterprise, Business, and Edu plans. OpenAI is offering free access to the feature for the first month through the Codex web interface.

AI Designed to Find Complex Security Flaws

Codex Security aims to help developers detect vulnerabilities that traditional tools often miss.

According to OpenAI, the AI agent analyzes the context of a project and builds an understanding of the system before identifying potential weaknesses.

The system then prioritizes vulnerabilities based on their real-world impact and proposes fixes that developers can review and deploy.

This approach aims to reduce the noise from insignificant issues and highlight vulnerabilities that actually affect security.

Built on Earlier Security Research

Codex Security is the next evolution of Aardvark, a vulnerability detection system OpenAI introduced in private beta in October 2025.

The goal of the project is to help development and security teams detect and remediate vulnerabilities at scale, especially in large code repositories.

Large-Scale Code Scanning Results

During the past month, Codex Security scanned more than 1.2 million code commits across external repositories.

The system identified:

• 792 critical vulnerabilities
• 10,561 high-severity vulnerabilities

Some findings affected widely used open-source projects, including:

• OpenSSH
• GnuTLS
• GOGS
• Thorium
• libssh
• PHP
• Chromium

Several vulnerabilities were assigned CVE identifiers, including issues in GnuPG and GnuTLS.

How Codex Security Works

The AI security agent operates in three main stages.

1. System Analysis

First, Codex scans the repository to understand the architecture of the project. It builds an editable threat model that identifies the most exposed areas of the system.

2. Vulnerability Detection

Next, the tool analyzes the code to find security flaws and classifies them based on severity and potential real-world impact.

3. Validation and Fix Suggestions

Finally, the agent tests suspected vulnerabilities inside a sandbox environment. This process helps confirm the issue and reduces false positives.

Once validated, Codex proposes fixes that align with the system’s behavior and minimize potential regressions.

Reduced False Positives in Testing

OpenAI reports that its testing shows improved accuracy in vulnerability detection.

Across multiple repositories, the system reduced false positives by more than 50% while maintaining high detection rates.

The company says the agent can also generate proof-of-concept exploits in controlled environments to demonstrate how vulnerabilities might be exploited.

AI Security Tools Are Growing Quickly

The launch of Codex Security reflects a broader trend in the cybersecurity industry.

Recently, Anthropic introduced Claude Code Security, another AI-powered tool designed to scan codebases and suggest security patches.

These tools aim to help developers detect vulnerabilities earlier in the development process and improve the overall security of modern software systems.