OpenAI's new agent hunts software bugs like a human

The big picture: Software flaws are an unavoidable part of coding, and they provide prime entry points for cyberattacks.

• Source code is an especially high-value target for hackers. They can leverage flaws to gain unauthorized access to corporate networks and deploy malware or steal sensitive customer information and corporate secrets.

Zoom in: OpenAI said Thursday that the new agent, called Aardvark, is entering beta as an invite-only web app that connects to a user's GitHub environment.

• Aardvark uses GPT-5's reasoning to continuously scan codebases, skipping traditional methods like fuzzing, and seek out any weak points.
• The agent then flags possible bugs, tests them in a sandbox, and ranks their severity before proposing fixes.
• "In some way, it looks for bugs very much in the same way that a human security researcher might," Matt Knight, vice president at OpenAI, said.

Yes, but: The agent doesn't patch anything itself. Humans must verify and deploy any fix Aardvark suggests.

• For each issue, Aardvark also annotates the code and explains its reasoning — helping users understand each finding before acting.

Between the lines: Bug hunting has long relied on human researchers and penetration-testing firms. But that process is slow, leaving software exposed if hackers get there first.

• "This is an area and a capability that has been out of reach until very recently," Knight said. "But new innovations have unlocked it."

The intrigue: In early tests, Aardvark discovered 10 previously unknown security vulnerabilities in open-source projects that later received official CVE identifiers, the system used to catalog software vulnerabilities, Knight said.

What's next: Interested companies can apply for early access. OpenAI plans to expand access based on feedback and performance during beta.

Go deeper: AI is about to supercharge cyberattacks