OpenAI has expanded its cyber-defense program Daybreak, arguing that artificial intelligence (AI) has flipped the hardest part of security from finding software flaws to fixing them.
In an announcement on June 22, the company said the expansion centered on patch automation. It released the full version of a cyber-focused model, GPT-5.5-Cyber, alongside updates to its Codex Security tool and a new open-source patching initiative.
A More Capable, More Permissive Model
GPT-5.5-Cyber has now moved from preview to full release. However, access remains restricted and OpenAI said it was only offering access to the model to verified defenders through a limited release, paired with extra monitoring and controls.
The firm described it as both more capable and more permissive than its general models for authorized security work.
On CyberGym, a test of whether an AI agent can reproduce known vulnerabilities, OpenAI said the model scored a record 85.6%, against 81.8% for the standard GPT-5.5. It also reported gains in exploit writing and proof-of-concept (PoC) generation tests. Those same offensive-leaning skills are why access remains tightly gated, the company said.
Read more on AI and the patching burden: Patch Responsibility Remains Up for Grabs as AI Unearth Flaws At Scale
From Findings to Fixes
The patching push ran mainly through Codex Security, a tool that plugs into OpenAI’s Codex coding assistant to scan code, validate flaws and generate fixes for human review.
OpenAI said that since a March preview, it had scanned more than 30 million commits across 30,000 codebases, with over 500,000 findings logged as fixed.
A newly launched initiative, Patch the Planet, founded with Trail of Bits and others, aims the same tools at open-source software. It funds researchers to help maintainers fix bugs, with more than 30 projects signed up, including cURL, Go and Python.
OpenAI also opened a partner program letting security vendors such as CrowdStrike, Sophos and Fortinet, among others, build its models into their own products.
OpenAI framed the effort as keeping humans in control and getting defensive tools to more organizations before attackers gain the same edge. It said it had agreed cyber partnerships with several governments and would work with critical infrastructure operators.
The AI firm’s benchmark figures came from its own testing, which it said was continuing on real-world fixes.
Rival AI lab Anthropic launched a comparable AI bug-fixing program, Project Glasswing, in April.
Feature image credit: Samuel Boivin / Shutterstock.com
