OpenAI’s new Aardvark agentic security researcher powered by GPT‑5 is an autonomous agent that aims to help developers and security teams find and fix security vulnerabilities at scale. Aardvark is now in private beta as the company refines its capabilities in the field. “Each year, tens of thousands of new vulnerabilities are discovered across enterprise and open-source codebases,” making software security one of the most critical aspects of doing business, says OpenAI, explaining that Aardvark “continuously monitors and analyzes source code to identify and prioritize vulnerabilities and propose fixes.”

Aardvark is different than other tools of this type in that it “looks for bugs as a human security researcher might: by reading code, analyzing it, writing and running tests [and] using tools,” explains OpenAI in a news post. “Aardvark does not rely on traditional program analysis techniques,” but instead “uses LLM-powered reasoning and tool-use to understand code behavior and identify vulnerabilities.”

“Aardvark offers a multi-stage, LLM-driven approach for continuous, 24/7/365 code analysis, exploit validation, and patch generation,” writes VentureBeat, noting that its introduction follows the release of the company’s “gpt-oss-safeguard models, extending the company’s recent emphasis on agentic and policy-aligned systems.”

SiliconANGLE explains that the Aardvark agent “works by analyzing an entire repository to build a contextual threat model before scanning every new code commit for vulnerabilities. Once an issue is detected, Aardvark automatically attempts to reproduce the exploit in a sandbox to confirm it’s real, then proposes a fix using OpenAI’s Codex engine.”

To make sure humans are not cut out of the loop, “the system provides reports and suggested patches for human review rather than making unverified changes autonomously,” SiliconANGLE adds.

Aardvark has been implemented “for several months, running continuously across OpenAI’s internal codebases and those of external alpha partners,” OpenAI says, noting it is also effective on open-source code.

“In benchmark testing on ‘golden’ repositories, Aardvark identified 92 percent of known and synthetically-introduced vulnerabilities, demonstrating high recall and real-world effectiveness,” OpenAI claims.

The Register opines that with Aardvark OpenAI is working to patch vulnerabilities it helped create, writing that “Aardvark might just undo some of the harm that has arisen from vibe coding with the likes of GPT-5, not to mention the general defect rate of human-authored software.”

As to whether it’s really the “breakthrough” OpenAI claims, The Register says testing it against “the many existing AI-flavored security tools that have emerged in recent years, such as ZeroPath and Socket” will be helpful once it is publicly released.