News · OpenAI ships Codex Security, an application-security agent built on a per-project threat model
OpenAI ships Codex Security, an application-security agent built on a per-project threat model
The tool formerly called Aardvark enters research preview with claims of higher-precision findings and a focus on the web-facing vulnerabilities that ship alongside fast-moving frontend code.
The bugs on the list are web-application bugs
OpenAI describes Codex Security as an application security agent that builds "deep context about your project to identify complex vulnerabilities that other agentic tools miss." What stands out in the specifics is the character of the vulnerabilities it names. In early internal deployments it surfaced a real SSRF and a critical cross-tenant authentication vulnerability. The CVE list in the appendix reads similarly: a 2FA bypass and an unauthenticated bypass in GOGS, path traversal enabling arbitrary write, LDAP injection, a session that was not rotated on password change, and disabled TLS verification on an Elasticsearch client.
These are the failure modes of running web systems, not abstract memory-safety trivia. Cross-tenant auth leaks, un-rotated sessions, and SSRF are exactly the kinds of defects that accumulate when application and interface code is written and shipped quickly. OpenAI frames the timing directly: "agents are accelerating software development, making security review an increasingly critical bottleneck." The tool is positioned against the review debt that fast shipping creates.
A threat model teams can edit, then sandbox validation
The mechanism worth reading carefully is the threat model. Codex Security analyzes a repository and generates a project-specific model that captures, in OpenAI's words, "what the system does, what it trusts, and where it is most exposed." That model is editable, so a team can correct the agent's assumptions about trust boundaries, and it feeds the ranking of findings by expected real-world impact.
After discovery, the agent pressure-tests findings in sandboxed validation environments and, when configured with an environment tailored to the project, validates issues "directly in the context of the running system," producing working proof-of-concepts. Then it proposes patches meant to align with system intent and "minimize regressions." The whole pipeline is built to answer the question a triage engineer actually asks: is this exploitable here, and what does the fix touch?
The precision claims, and what they don't say
OpenAI's central pitch is signal-to-noise. It cites cutting noise by 84% on one repository since initial rollout, reducing over-reported severity by more than 90%, and lowering false positive rates by more than 50% across all repositories. At scale, over the last 30 days it scanned more than 1.2 million commits across external beta repositories, flagging 792 critical and 10,561 high-severity findings, with critical issues appearing in under 0.1% of scanned commits.
These are self-reported improvements from a beta, and the baselines are internal, so the percentages describe progress against OpenAI's own earlier output rather than a comparison to any competing tool. The 0.1% figure is the more concrete signal: it shows the system holding back the flood of low-value flags that maintainers told OpenAI was the actual problem. As one NETGEAR reviewer put it:
Its findings were impressively clear and comprehensive, often giving the sense that an experienced product security researcher was working alongside us.Montana Labs
What this changes for teams shipping web code fast
Codex Security is in research preview via Codex web for ChatGPT Pro, Enterprise, Business, and Edu customers, with free usage for a month. For teams whose output is web and interface code, the practical draw is not that the agent finds bugs but that it structures them: a threat model tied to your architecture, findings ranked by impact in your system, and patches scoped to reduce regression risk. The feedback loop is part of the design — adjusting the criticality of a finding refines the threat model on later runs.
The open-source angle underscores the same bet. OpenAI reported vulnerabilities to projects including OpenSSH, GnuTLS, GOGS, libssh, PHP, and Chromium, with fourteen CVEs assigned, after maintainers told them the problem was "too many low-quality" reports, not too few. The implication for a fast-moving frontend or full-stack team is narrow but real: the value of an agentic scanner is decided at triage, and Codex Security is wagering that an editable, per-project threat model is what makes its output worth a security engineer's time rather than another queue to clear.
Find this story relevant to you?
Contact us to find a unique solution
Need an AI engineering partner that can actually build?
We help businesses integrate AI, build AI-powered products, automate high-value workflows, and modernize the software systems behind them.
Related reading
More analysis around product delivery, operational AI, and the systems work that makes deployment hold up in reality.