On October 31st, OpenAI officially released Aardvark (codenamed "Aardvark"), an AI security agent powered by GPT-5. Defined as an "agent-based security researcher," the system helps developers and security teams automatically discover and fix security vulnerabilities in large-scale codebases.
Unlike traditional techniques that rely on fuzzing or software composition analysis, Aardvark leverages the reasoning capabilities of large language models. It simulates the working process of human security researchers by reading code, analyzing behavior, writing tests, and verifying their findings. The system can identify 92% of known and manually injected vulnerabilities and can pinpoint complex issues that only occur under complex conditions.
CNMO understands that Aardvark establishes a complete security workflow. This includes threat modeling: comprehensively analyzing the codebase to generate threat models reflecting the project's security goals; commit scanning: monitoring code changes and performing difference analysis based on the threat model; sandbox verification: triggering potential vulnerabilities in an isolated environment to confirm exploitability; intelligent remediation: deeply integrating with Codex to automatically generate remediation patches; and human review: providing clear vulnerability explanations and code annotations, supporting one-click review.
Matt Knight, Vice President of OpenAI, stated, "Developer feedback shows that Aardvark truly provides value in clearly explaining issues and guiding fixes, which confirms the correctness of our technical approach." Currently, Aardvark has performed exceptionally well in internal testing, discovering security vulnerabilities in multiple open-source projects, 10 of which have been assigned CVE numbers. OpenAI plans to provide free scanning services to select non-commercial open-source repositories to improve the security of the entire open-source ecosystem.
