OpenAI launches new tools for AI-powered cybersecurity patching

https://www.digit.fyi/openai-launches-new-tools-for-ai-powered-cybersecurity-patching/

Publish Date: 2026-06-24 07:45:00

Source Domain: www.digit.fyi

OpenAI has expanded its Daybreak cybersecurity programme with new tools, partnerships and initiatives intended to help organisations move beyond identifying software vulnerabilities and towards automatically developing and deploying fixes.
The announcement – via a very aspirationally titled blog – includes an updated Codex Security plugin, the full release of GPT-5.5-Cyber to “verified defenders”, a new partner programme for cybersecurity providers and Patch the Planet, an initiative supporting widely used open-source projects.
OpenAI said advances in frontier AI had dramatically increased the speed at which vulnerabilities could be discovered, shifting the central challenge facing defenders.
“AI has changed the physics of cybersecurity. Frontier AI models have been increasingly accelerating vulnerability discovery. The bottleneck historically has been finding vulnerabilities, but now defenders are overwhelmed with the number of vulnerabilities found. Instead, the bottleneck is now patching vulnerabilities.”
The company said vulnerability reports were of limited value unless organisations could validate the problem, assess its potential impact, produce and test a patch and then deploy the fix.
“Vulnerability reports, on their own, do not protect anyone. The value comes from validating the issue, understanding its impact, developing and testing a patch, coordinating disclosure, and helping teams deploy the fix.”
Codex Security Expansion
OpenAI initially launched Codex Security in cloud research preview in March. Since then, it has scanned more than 30 million commits across over 30,000 codebases.
Human reviewers have manually marked more than 70,000 findings as fixed, while more than 500,000 have automatically been determined to have been resolved.
The updated Codex Security plugin allows developers to scan entire codebases, selected sections or specific changes and commits.
It can identify potential vulnerabilities, assess whether affected code is reachable, gather supporting evidence, develop a targeted patch and verify whether the proposed fix addresses the issue. Where an organisation does not already have a threat model, the tool can also generate one.
OpenAI said human users would remain responsible for deciding which findings to investigate and which changes to apply.
The plugin can also triage findings from existing scanners, security advisories, bug bounty reports and ticketing systems. Results can be exported into vulnerability management systems or integrated into other development tools.
GPT-5.5-Cyber Sees Limited Release to “Verified Defenders”
OpenAI is also releasing the full version of GPT-5.5-Cyber through a continued limited rollout to “verified defenders whose authorized work requires our most advanced cyber capabilities and more permissive behavior.”
The model is designed to be more permissive during authorised cybersecurity work while offering stronger capabilities for finding and helping to patch software vulnerabilities.
It can analyse large codebases, identify security-relevant components, trace whether potentially vulnerable code can be reached, validate issues in controlled environments and assist with developing and testing patches.
OpenAI said the model was intended to support the full remediation process rather than simply generate a greater number of vulnerability reports.
According to OpenAI, GPT-5.5-Cyber achieved a score of 85.6% on CyberGym, which measures whether an AI agent can reproduce known software vulnerabilities. GPT-5.5 recorded 81.8% on the same benchmark.
The model also scored 39.5% on ExploitGym, compared with 25.95% for GPT-5.5, and 69.8% on SEC-bench Pro, compared with 63.1%.
However, OpenAI said benchmark scores were only one indication of whether the model could successfully identify genuine vulnerabilities, distinguish actionable findings from false positives and help defenders deploy fixes safely.
For most defensive cybersecurity work, the company said GPT-5.5 combined with Trusted Access for Cyber and Codex Security would remain the recommended starting point.
OpenAI said its models had already helped defenders identify and validate vulnerabilities in systems including Firefox, Safari, OpenBSD, FreeBSD and HTTP/2 implementations.
New Security Partner Programme
The company has also launched the OpenAI Daybreak Cyber Partner Program, allowing selected cybersecurity software and services providers to incorporate GPT-5.5 with Trusted Access for Cyber into products offered to customers.
Initial participants include Accenture, Akamai, Cisco, Cloudflare, CrowdStrike, Darktrace, IBM, Palo Alto Networks, Sophos, Tenable, Wiz and Zscaler.

OpenAI said direct access to the model would remain with participating partners, while their customers would benefit from its defensive capabilities through existing security products and services.
Supporting Open-Source Maintainers
OpenAI has also established Patch the Planet with Trail of Bits, in collaboration with HackerOne, Calif, security researchers and open-source maintainers.
The initiative will fund expert researchers and provide them with access to Codex Security and OpenAI models to help validate vulnerabilities and develop fixes for widely used open-source software.
More than 30 projects have committed to participate, including cURL, Go, Python, Sigstore and pyca/cryptography.
OpenAI acknowledged that AI-generated vulnerability reports could create additional work for small open-source teams, particularly when findings were duplicated, inaccurate or of poor quality.
Under the programme, researchers will review and validate both vulnerabilities and proposed patches before passing them to maintainers.
According to OpenAI, an initial five-day sprint across several projects surfaced hundreds of issues for review and resulted in dozens of patches being merged, with further fixes still in development.
“Finding vulnerabilities is important, but it’s landing the fix that protects the world, and that takes collaboration and community support.”
OpenAI said it was also working with governments and critical infrastructure operators to develop safeguards tailored to sensitive systems. Trusted Access for Cyber partnerships have been established with countries including Australia, Canada, France, Germany, Japan and the Republic of Korea, alongside EU institutions.
The company also said it had a growing partnership with the UK government covering cybersecurity, testing and evaluation.
“The goal is to move beyond using models to find more vulnerabilities, towards a world of safer software and cyber resilience.”
