OpenAI Expands GPT-5.5-Cyber as AI Pushes Vulnerability Patching Into a New Era

OpenAI is expanding access to an improved version of GPT-5.5-Cyber, giving trusted defenders a more powerful AI model for finding, validating, and helping patch software vulnerabilities.

The release is part of OpenAI’s Daybreak initiative and comes as AI is rapidly changing vulnerability research. The company says GPT-5.5-Cyber can analyze large codebases, identify security issues, validate findings in controlled environments, and generate patches for human review.

OpenAI is also updating its Codex Security plugin to help developers scan code, review recent changes, trace attack paths, produce severity reports, and generate codebase-specific remediation guidance. The plugin can also triage findings from scanners, advisories, bug bounty reports, and ticketing systems, helping security teams work through vulnerability backlogs faster.

Alongside the model update, OpenAI is launching Patch the Planet with Trail of Bits to help secure major open-source projects. Initial participants include cURL, NATS Server, pyca/cryptography, Sigstore, aiohttp, the Go project, freenginx, Python, and python.org.

The launch reflects a broader shift in cybersecurity. AI models are making it easier to uncover flaws across complex systems, but the hard part is increasingly patching them before attackers can act. OpenAI said Daybreak has already helped identify vulnerabilities across Linux, OpenBSD, FreeBSD, dnsmasq, Chrome V8, Safari, Firefox, and major HTTP/2 implementations.

Diana Kelley, CISO at Noma Security, said the announcement shows defenders are entering a faster phase of AI-assisted security.

“This announcement is another signal that we’re entering an accelerated phase of AI-assisted cybersecurity. The conversation is shifting from whether AI can help security teams to how defenders can effectively operationalize advanced AI systems.

What’s encouraging is the recognition that defenders need access to advanced capabilities, including vulnerability research, authorized exploit development, and validation of security controls in their own environments. OpenAI’s Daybreak and Trusted Access for Cyber, much like Anthropic’s Glasswing program, reflect a growing industry understanding that vetted defenders need practical access to advanced AI systems.

At the same time, adversaries are actively experimenting with AI-enabled attack workflows, making it important that defenders are not left at a capability disadvantage. The challenge is maintaining defender advantage. Responsible access programs can help ensure that security researchers and defenders are not operating with one hand tied behind their backs, while still preserving meaningful safeguards against misuse. For security leaders, the actionable takeaway is to start identifying where AI can safely accelerate authorized testing, detection, and remediation today. ”

For enterprises and open-source maintainers, the message is clear: AI is no longer just a tool for discovering vulnerabilities. It is becoming part of the full remediation cycle, from validation and prioritization to patch development and testing. The question now is whether defenders can use that speed to close security gaps before attackers exploit them.