OpenAI expands Daybreak with patching tools & partners

OpenAI has expanded its Daybreak cybersecurity programme with new tools, partnerships and a wider release of its GPT-5.5-Cyber model. The push focuses on patching software flaws, not just identifying them.

The update includes a new version of the Codex Security plugin, a limited release of the full GPT-5.5-Cyber model to approved defenders, a Daybreak Cyber Partner Program for security vendors and service providers, and a new open-source initiative called Patch the Planet.

OpenAI is presenting the changes as a response to shifting cybersecurity workloads as artificial intelligence speeds up vulnerability discovery. It argues that defenders now struggle less to find flaws than to validate them, prepare fixes, test patches and deploy them before attackers can exploit them.

The revised Codex Security plugin is designed to sit inside development workflows and handle defensive tasks such as scanning codebases, reviewing recent changes, generating reports on severity and affected code, tracing attack paths, building threat models and producing proposed patches for review. It can also process findings from existing scanners, advisories, bug bounty reports and ticketing systems.

According to OpenAI, the Codex Security cloud service has scanned more than 30 million commits across more than 30,000 codebases since its research preview launch in March. Human reviewers have marked more than 70,000 findings as fixed, while more than 500,000 findings have been automatically determined to be fixed.

Model release

OpenAI also widened access to GPT-5.5-Cyber, a version of its model intended for authorised cybersecurity work. The model was previously available in an initial preview with narrower scope. The new release is still being provided on a limited basis to what OpenAI called trusted defenders.

On OpenAI's CyberGym benchmark, GPT-5.5-Cyber scored 85.6%, compared with 81.8% for GPT-5.5. OpenAI also reported gains on ExploitGym, where GPT-5.5-Cyber scored 39.5% against 25.95% for GPT-5.5, and on SEC-bench Pro, where it scored 69.8% against 63.1%.

OpenAI said the model is intended to support longer, more detailed analysis across large codebases, including checking whether vulnerable code is reachable, validating likely issues in controlled environments, drafting patches and assembling evidence for human review. It added that GPT-5.5 with Trusted Access for Cyber and Codex Security remained the starting point for most defenders, while GPT-5.5-Cyber would be reserved for users needing more permissive behaviour under tighter controls.

OpenAI added that its models and tools have already helped defenders identify and validate vulnerabilities in software including Firefox, V8, Safari, OpenBSD, FreeBSD and HTTP/2 implementations.

Partner network

Another part of the expansion is the Daybreak Cyber Partner Program, which gives participating security companies access to GPT-5.5 with Trusted Access for Cyber for use in the products and services they deliver to customers. OpenAI said this would let customers benefit from the model while keeping direct access with partner organisations rather than end users.

The initial partner list includes Accenture, Akamai, NCC Group, Capgemini, Cato Networks, Check Point, Cisco, Cloudflare, Cognizant, CrowdStrike, Darktrace, Elastic, EY, Fortinet, GuidePoint Security, IBM, KPMG, Okta, Palo Alto Networks, Proofpoint, PwC, SentinelOne, SpecterOps, Sophos, Tenable, Trend AI, Wiz and Zscaler.

OpenAI said it would work with those partners on safeguards, monitoring and abuse-prevention standards for deployment across the security sector.

Open-source focus

Patch the Planet targets widely used open-source projects that often have small maintainer teams despite their importance to business software, public services and critical infrastructure. The initiative was founded with Trail of Bits and is being run in collaboration with HackerOne and Calif, with expert researchers using Codex Security and OpenAI models to work directly with maintainers.

More than 30 open-source projects have committed to take part, with initial participants including cURL, Go, Python, Sigstore and pyca/cryptography. OpenAI said the first five-day sprint across multiple projects surfaced hundreds of issues for review and led to dozens of patches being merged, with further work under way.

OpenAI cited research from the Linux Foundation and Harvard showing that 94% of the widely used projects examined had fewer than 10 developers responsible for more than 90% of the code added in a year. It said that as AI generates more vulnerability reports, maintainers face a heavier burden in filtering false positives unless extra support is provided.

Patch the Planet is intended to reduce that burden by having researchers validate and deduplicate vulnerabilities and patches before they reach maintainers. Participating projects will also receive ChatGPT Pro, conditional access to Codex Security and API credits for development and release workflows.

Alongside the product and partner announcements, OpenAI said it had been working with government bodies on cyber testing, evaluation and standards. It said it had established Trusted Access for Cyber partnerships with Australia, Canada, France, Germany, Japan, the Republic of Korea and EU institutions including ENISA, and that it also had a growing partnership with the UK government on cyber-related work.

OpenAI framed the programme as part of a broader effort to give defenders more help with remediation as AI increases the volume of vulnerabilities that can be found. "Finding vulnerabilities is important, but it's landing the fix that protects the world, and that takes collaboration and community support," it said.