Meet Aardvark, OpenAI’s security agent for code analysis and patching

OpenAI has launched Aardvark, a GPT-5 powered autonomous security researcher agent available in private beta. Aardvark continuously analyzes codebases, identifies vulnerabilities, validates exploits, and generates patches, mimicking human security researchers. It operates through a multi-stage process including threat modeling, commit-level scanning, validation in a sandbox, and automated patching with OpenAI Codex integration. The agent has shown high effectiveness in identifying known and synthetic vulnerabilities in benchmark tests. Aardvark has successfully discovered multiple critical issues in open-source projects, with findings responsibly disclosed. It integrates with GitHub and common development pipelines, offering human-auditable insights. The tool aims to address the growing demands on security teams and the increasing number of reported vulnerabilities. Aardvark represents OpenAI's move towards specialized, semi-autonomous AI agents. It is currently available to organizations using GitHub Cloud, with participation requiring feedback and agreement to beta terms. OpenAI plans to offer pro bono scanning for selected non-commercial open-source repositories. Aardvark's capabilities, including surfacing logic errors and privacy risks, suggest potential broader utility beyond security. For enterprises, it could act as a force multiplier for security teams, streamlining vulnerability management. The agent's integration into development workflows aims to prevent bugs introduced during rapid iteration without slowing delivery.