Meet Aardvark: OpenAI's AI Agent to Find and Fix Security Bugs Using GPT-5

OpenAI has introduced Aardvark, a new AI agent that finds and fixes security bugs using GPT-5. In a 2022 survey of 1,200 developers conducted by Secure Code Warrior, 86% reported that they don't view app security as a top priority when writing code, citing multiple reasons. While this is not entirely the developer's fault, companies and developers must treat cybersecurity as a top priority.

While an app's or website's design, user interface (UI), and intuitiveness are important for user retention, poor app security can lead to the loss of customer trust, severe financial costs, and legal penalties. Yes, poor design can indeed lead to user abandonment, but it is a fixable problem. However, a strong app security foundation is more critical to preventing catastrophic damage and building a sustainable, trustworthy product.

What is Aardvark by OpenAI?

Aardvark by OpenAI is an autonomous AI agent that uses GPT-5 to help developers and security teams find and fix security vulnerabilities at scale. Aardvark is currently available in private beta to validate and improve its capabilities in the field. While traditional security tools rely on methods like software composition analysis (SCA), Aardvark uses Large Language Model (LLM)-powered reasoning and tool-use to understand code behavior and identify vulnerabilities.

OpenAI describes software security as one of the most critical and challenging frontiers in technology, with tens of thousands of new vulnerabilities being discovered each year across enterprise and open-source codebases. Developers and cybersecurity teams face the difficult task of finding and patching vulnerabilities before their adversaries do. That is where Aardvark comes in as an agentic security researcher.

How does Aardvark by OpenAI work?

Aardvark follows a multi-stage pipeline to identify, explain, and fix vulnerabilities, which ensures a thorough and efficient security analysis.

  • Analysis: Aardvark starts by reviewing the entire code repository to create a threat model that shows its understanding of the project's security objectives and design.
  • Commit scanning: Aardvark then scans for vulnerabilities by inspecting changes to the code at the commit level, comparing them against the entire repository and the threat model. When you first connect a repository, the AI agent scans its history to identify existing issues, explains the vulnerabilities it finds step-by-step, and annotates code for human review.
  • Validation: When Aardvark finds a potential vulnerability, it attempts to trigger it in a sandboxed environment to confirm its exploitability. It then explains the steps taken to help ensure accurate, high-quality, and low false-positive insights are returned to users.
  • Patching: Finally, Aardvark integrates with OpenAI Codex to generate and propose a patch for the identified vulnerability, ready for human review and a one-click fix.

Aardvark works alongside engineers and integrates with GitHub, Codex, and your existing workflows to deliver clear, actionable insights without slowing your development. While Aardvark is built for security, OpenAI's testing has revealed that it can also find bugs, including logic flaws, incomplete fixes, and privacy issues.

Figure: Meet Aardvark: OpenAI's AI Agent That Finds and Fixes Security Bugs Using GPT-5 (Source: OpenAI)

According to OpenAI, Aardvark has already been in use for several months within OpenAI and with external alpha partners, where it has successfully surfaced significant vulnerabilities. In benchmark tests, it identified 92% of known and synthetically introduced vulnerabilities, showing its high recall and real-world effectiveness.

OpenAI is also extending Aardvark's capabilities to the open-source community, having already discovered and responsibly disclosed multiple vulnerabilities, ten of which have received Common Vulnerabilities and Exposures (CVE) identifiers. The AI company plans to offer pro-bono scanning to select non-commercial open-source repositories to help secure the software ecosystem.

Why should companies and developers adopt OpenAI's Aardvark?

With over 40,000 CVEs reported in 2024 alone, the need for a more scalable and efficient approach to security is undeniable. Aardvark comes in as a new, defender-first model that partners an AI agent with development teams to provide continuous protection as code grows, especially in this era of vibe coding. Aardvark has the potential to significantly strengthen security without hindering innovation by catching vulnerabilities early, validating their real-world exploitability, and offering clear fixes.

As we said earlier, although poor app design may lead to user abandonment, it is a fixable problem. However, strong app security is foundational to preventing catastrophic damage and building a sustainable, trustworthy product.

About the author
Michal Sutter

Michal Sutter is a data science professional with a Master of Science in Data Science from the University of Padova.