Codex Security (formerly Aardvark)

Sources: Original Aardvark announcement · Codex Security research-preview announcement (2026-03-06) · Outbound coordinated disclosure policy

What

OpenAI’s agentic-security-researcher product. Originally announced as Aardvark (“an agentic security researcher powered by GPT-5”) and run in private beta across OpenAI’s internal codebases and external alpha partners for several months before the public announcement. On 2026-03-06 the product was renamed Codex Security and built directly into Codex; it is now available as a research preview to ChatGPT Enterprise, Business, and Edu customers via Codex web, with free usage for the initial rollout month.

Four-stage pipeline: Analysis (whole-repo threat model) → Commit scanning (each new commit against repo + threat model; historical back-scan on first connect) → Validation (isolated sandboxed exploit trigger to confirm exploitability) → Patching (OpenAI Codex generates patches, Aardvark scans the patch, human review gates application). Methodological frame explicitly rejects rule-based SAST primitives — “does not rely on traditional program analysis techniques like fuzzing or software composition analysis” — and adopts the human-security-researcher metaphor of reading code, writing tests, and using tools.

Relevance to This Wiki

Fifth sourced production path on the ai-vuln-discovery axis as of 2026-05-15, alongside Big Sleep + CodeMender (Google), MDASH (Microsoft), XBOW × Mythos / Glasswing (Anthropic + partners), OpenAnt (Knostic OSS), and Claude Code Security (Anthropic commercial preview). Adds the OpenAI-side commercial-preview entry — adjacent to and structurally parallel with Claude Code Security on the Anthropic side. Both reject rule-based SAST framing in identical language. Both are commercial closed-source private-preview offerings integrated with the vendor’s existing developer-product surface (Codex web vs Claude Code on the web).

Outputs / Numbers

  • 92% recall on “golden” repositories (internal benchmark with known + synthetically-introduced vulnerabilities). Not directly comparable to MDASH’s 88.45% / raw Mythos’s 83.1% on the public CyberGym leaderboard because the benchmark sets are different.
  • Ten CVE IDs assigned for Aardvark findings responsibly disclosed in OSS, as of the original announcement.
  • Pro-bono OSS scanning committed for select non-commercial open-source repositories.
  • Updated outbound coordinated-disclosure policy released in tandem — explicit shift away from rigid timelines toward collaboration to absorb the discovery-rate increase the tool enables.
  • Base-rate framing: 40,000+ CVEs reported in 2024; ~1.2% of commits introduce bugs.

Notable Design Choices

  • Continuous commit-level scanning against a stable whole-repo threat model. The threat model is the durable artifact; subsequent commit scans are deltas evaluated against it. This is a different structural choice from OpenAnt’s per-unit static-then-agentic phasing — Aardvark treats the repository as a stable referent and the commit history as the event stream.
  • Validation by sandboxed exploit trigger. Each candidate vulnerability is attempted in an isolated, sandboxed environment to confirm exploitability. The sandbox primitive (Docker, gVisor, Firecracker, custom) is not disclosed. This is the dynamic-execution form of the same FP-control discipline that OpenAnt formalizes as Adversarial Reflexion, Claude Code Security formalizes as Claude proving-or-disproving its own findings, and MDASH formalizes as a prover stage.
  • Codex-integrated patch generation with one-click human approval. Patches are generated by OpenAI Codex (separate product), scanned by Aardvark, and surfaced for human review. Nothing applied without approval.
  • Explicit rejection of fuzzing + SCA. “Aardvark does not rely on traditional program analysis techniques like fuzzing or software composition analysis. Instead, it uses LLM-powered reasoning and tool-use.” This is the same methodological frame as Claude Code Security — both reject the SAST product category as the prior generation.

Adjacent Gaps

  • No public benchmark. Golden repositories not disclosed; recall not comparable across vendors.
  • No published FP rate. “Low false-positive” asserted without quantification.
  • No published cost shape. Subscription-bundled for Enterprise / Business / Edu; not bounded for non-subscription OSS use.
  • Sandbox primitive not disclosed. The validation-stage exploit-trigger harness is asserted but not described.
  • Aardvark internal codename retained; the wiki’s canonical name for the product is Codex Security with Aardvark as alias.