OpenAI’s Codex Security launched March 6, 2026 in research preview, extending the company’s agentic AI work into application security. The tool operates as an autonomous agent: it reads a repository, builds a functional understanding of the application, finds vulnerabilities, and generates suggested fixes. OpenAI confirmed the launch on its website, with the tool available to ChatGPT Enterprise, Business, and Education users. The first month is free.
According to AI Business and The Hacker News, OpenAI reports the tool scanned 1.2 million commits and identified 792 critical and 10,561 high-severity problems. It surfaced 14 CVEs across major open-source projects, a claim that Harper Foley’s legal and tech commentary team acknowledged as real. These figures come from OpenAI’s own disclosure. No independent verification methodology exists yet.
That last point is the one enterprise security teams should sit with. The benchmark numbers are striking. But “792 critical issues” across 1.2 million commits is a vendor-reported figure, not a peer-reviewed result. The 14 CVEs are independently meaningful, since CVEs are publicly registered and can be checked, but the aggregate metrics need external replication before they become reliable baselines.
For ChatGPT Enterprise and Business subscribers, the free month is a reasonable window to run the tool against an internal repository and form a firsthand assessment. The more useful question isn’t whether the numbers hold up; it’s whether the tool’s suggested fixes are actionable in a real engineering workflow.