OpenAI Launches Codex Security: A New Era for App Security
TLDR:
– Codex Security is OpenAI new AI-powered app security agent
– Scanned over 1.2 million commits, finding 792 critical vulnerabilities
– Uses threat modeling and automated validation to reduce false positives
– Available to ChatGPT Pro, Enterprise, Business, and Edu customers
Introducing Codex Security
OpenAI has unveiled Codex Security, a new artificial intelligence agent designed specifically for application security. The tool aims to address one of the biggest challenges in modern software development: efficiently identifying and fixing security vulnerabilities without overwhelming security teams with false positives.
The announcement marks OpenAI expansion beyond conversational AI into the enterprise security space. Codex Security builds deep context about projects to identify complex vulnerabilities that other agentic tools often miss, surfacing higher-confidence findings with fixes that meaningfully improve system security.
Context is essential when evaluating real security risks, but most AI security tools simply flag low-impact findings and false positives, forcing security teams to spend significant time on triage, OpenAI explained in their announcement. At the same time, agents are accelerating software development, making security review an increasingly critical bottleneck.
How It Works
Codex Security operates in three main phases. First, it analyzes repositories to understand the security-relevant structure of systems and generates project-specific threat models. These models capture what systems do, what they trust, and where they are most exposed. Users can edit these threat models to keep the agent aligned with their team priorities.
Second, the system prioritizes and validates issues using the threat model as context. It searches for vulnerabilities and categorizes findings based on expected real-world impact. Where possible, Codex Security pressure-tests findings in sandboxed validation environments to distinguish real issues from noise.
Finally, the tool proposes fixes that align with system intent and surrounding behavior, enabling patches that improve security while minimizing regressions. This makes patches safer to review and implement.
Impressive Results
The early results have been promising. Over the last 30 days, Codex Security scanned more than 1.2 million commits across external repositories in the beta program, identifying 792 critical findings and 10,561 high-severity issues. Critically, these issues appeared in under 0.1% of scanned commits, demonstrating the system ability to identify security-impacting problems while minimizing noise.
In early internal deployments, Codex Security surfaced a real server-side request forgery (SSRF), a critical cross-tenant authentication vulnerability, and many other issues that OpenAI security team patched within hours. The system has improved significantly over time—in one case, it cut noise by 84% since initial rollout, and false positive rates have fallen by more than 50% across all repositories.
Availability and Pricing
Starting today, Codex Security is rolling out in research preview to ChatGPT Pro, Enterprise, Business, and Edu customers via the Codex web interface. Users will get free usage for the next month, after which pricing details will be announced.
OpenAI also announced the Codex Open Source Fund, which now includes conditional access to Codex Security as part of the six-month ChatGPT Pro with Codex subscriptions being offered to open source developers.
Impact on the Security Landscape
The launch of Codex Security represents a significant shift in how organizations approach application security. By combining agentic reasoning from frontier models with automated validation, it delivers high-confidence findings and actionable fixes, allowing teams to focus on the vulnerabilities that matter and ship secure code faster.
For Malaysian businesses and developers, this tool could be particularly valuable as the country continues to grow its tech sector and attract more foreign investment in software development. Better security tools mean more robust applications and greater trust in locally-developed software.
Source:
OpenAI Official
The Verge
