OpenAI expands Daybreak cyber program with new Codex Security tools and GPT-5.5-Cyber

OpenAI is broadening its Daybreak cyber program with new tools aimed at helping defenders move faster from finding vulnerabilities to fixing them.

The company said Monday that it is adding an updated Codex Security plugin, expanding access to its GPT-5.5-Cyber model, launching a partner program for security vendors, and backing a new open-source patching effort called Patch the Planet. The move reflects OpenAI’s effort to package its models for defensive security workflows rather than just vulnerability discovery.

## Focus shifts from detection to remediation

OpenAI said its models have already been used to identify and generate patches for serious flaws in major browsers, network infrastructure, and operating systems, including FreeBSD and the Linux kernel. With Daybreak, the company says the challenge is no longer only finding bugs. The larger bottleneck is now patching them quickly enough.

According to the company, AI has made vulnerability discovery much faster, which in turn has overwhelmed defenders with reports that need triage, validation, testing, and deployment. OpenAI argues that security teams need tools that can help automate those downstream steps and not just surface more issues.

## Codex Security gets an update

A central part of the expansion is an updated Codex Security plugin. OpenAI says the tool is designed to help developers and security teams scan codebases, assess attack paths, build threat models, validate findings, and generate targeted patches for review.

The company said the plugin can scan an entire codebase, a subset of a project, or even a specific commit or change. It can also triage findings from other scanners, advisories, bug bounty reports, and ticketing systems, then help generate patches at scale. OpenAI said the plugin can export results into existing security systems and support workflows using formats such as SARIF and CodeQL.

OpenAI also disclosed usage numbers from the research preview of Codex Security cloud, which launched in March. The company said the system has scanned more than 30 million commits across over 30,000 codebases. It said human reviewers have marked more than 70,000 findings as fixed, while more than 500,000 findings were automatically determined to be resolved.

## GPT-5.5-Cyber becomes more widely available

OpenAI is also releasing the full version of GPT-5.5-Cyber through a limited rollout to trusted defenders. The company described the model as its strongest version yet for finding and helping patch software vulnerabilities, while preserving the general-purpose reasoning abilities of GPT-5.5.

In OpenAI’s internal benchmarking, the updated model scored 85.6% on CyberGym, up from 81.8% for GPT-5.5. The company said it also performed better on two other benchmarks, ExploitGym and SEC-bench Pro, which are used to measure exploit development and long-horizon vulnerability discovery.

OpenAI said GPT-5.5-Cyber is meant for verified defenders working on authorized security tasks, and that it is paired with stronger verification, monitoring, scoped controls, and review. For most users, the company said GPT-5.5 with Trusted Access for Cyber and Codex Security remains the intended starting point.

## Partners and open source maintainers

OpenAI is also introducing the Daybreak Cyber Partner Program, which will let security software and services companies use GPT-5.5 with Trusted Access for Cyber in their own products. The company named a broad group of launch partners across consulting, cloud security, endpoint security, and other areas.

In open source, OpenAI is working with Trail of Bits, HackerOne, Calif, researchers, and maintainers on Patch the Planet. The initiative is intended to help widely used projects move from vulnerability findings to working fixes. OpenAI said more than 30 open-source projects have agreed to take part, including cURL, Go, Python, Sigstore, and pyca/cryptography.

The company said the program is designed to reduce pressure on maintainers by using human security review to validate and deduplicate issues before they reach project teams. Early work, it said, has already produced hundreds of issues for review and dozens of merged patches.

OpenAI said it has also been in discussion with the U.S. government about its cyber work, including pre-deployment testing and implementation of recent AI-related policy efforts.