The bottleneck in cybersecurity has flipped: finding vulnerabilities is no longer the hard part, patching them is. OpenAI's Daybreak initiative, announced today, pours concrete numbers on that shift -- and delivers tools to automate the fix side of the equation at a scale that matches AI-driven discovery.
GPT-5.5-Cyber, now out of permissive-only preview, sets a new state-of-the-art on CyberGym at 85.6%, up from GPT-5.5's 81.8%. That 3.8-point jump matters less than what the model is designed to do: generate and verify patches for critical vulnerabilities in major browsers, network infrastructure, FreeBSD, and the Linux kernel. Finding is table stakes; fixing is the product.
Codex Security by the Numbers
Since March, Codex Security's research preview has scanned over 30 million commits across more than 30,000 codebases. Human reviewers have manually marked over 70,000 findings as fixed, and over 500,000 findings have been automatically determined to be fixed. That's the scale at which patching must now happen -- not per-project, but across entire ecosystems.
Today's update to the Codex Security plugin embeds that capability directly into every developer's workflow. Run a deep scan on an entire codebase, a subset, or a single commit. It builds threat models (or generates one if none exists), traces attack paths, validates findings, and spits out a targeted patch with evidence. It can also import existing findings from scanners, bug-bounty reports, or ticketing systems, then triage and auto-patch the backlog.
Patch the Planet: Open Source at Scale
OpenAI didn't go it alone. Patch the Planet, founded with Trail of Bits in collaboration with HackerOne, Calif, researchers, and maintainers, already has more than 30 open-source projects committed. Initial participants include cURL, Go, Python, Sigstore, and pyca/cryptography. The goal: move from findings to fixes, not just publish another advisory.
The partnership structure matters. OpenAI provides the models and Trusted Access for Cyber; Trail of Bits brings exploit and patch engineering; HackerOne connects the bug-bounty pipeline. Together they aim to convert model capability into real-world risk reduction for infrastructure that underpins the internet.
Why This Changes the Defense Game
For years, finding serious vulnerabilities required rare expertise, time, and deep familiarity with complex systems. AI changed that physics. Now defenders are overwhelmed with the number of vulnerabilities found. Vulnerability reports on their own do not protect anyone. The value comes from validating the issue, understanding its impact, developing and testing a patch, coordinating disclosure, and helping teams deploy the fix.
Daybreak brings together the frontier cyber capabilities of OpenAI's models, Codex Security workflows, and ecosystem partners to help approved defenders validate vulnerabilities, prioritize risk, generate and test fixes, and produce evidence inside existing security and development workflows. The goal is not to concentrate defensive capability in a few hands but to democratize patching at machine speed.
OpenAI is betting that defenders armed with these tools can keep pace with attackers who already leverage AI to find and exploit flaws faster than ever.
Source: Daybreak: Tools for securing every organization in the world
Domain: openai.com
Comments load interactively on the live page.