OpenAI's Codex Security: Does It Actually Catch Real Vulnerabilities?
OpenAI's new security agent claims to find and fix vulnerabilities with fewer false positives. We tested it against real code. Here's what we found.


Codex Security is a capable supplemental security tool that addresses a real problem: SAST false positive fatigue. For teams tired of security scanner noise, it delivers measurable value. But it is a supplement, not a replacement, and its research preview status means relying on early-stage software. Best for: small-to-medium development teams and startups. Not suitable for: highly regulated industries with strict data residency requirements.
As of March 2026, Codex Security is in research preview and requires OpenAI API access. It's not yet a general release product, so availability is limited to early adopters and developers with API accounts.
Codex Security isn't sold separately—you pay OpenAI's standard API rates (GPT-4o: $2.50/M input tokens, $10/M output tokens). A typical full-codebase scan costs $0.50-$2.00 depending on codebase size.
Not entirely. Codex Security excels at code-level vulnerability detection with low false positives, but it doesn't scan dependencies or detect secrets like dedicated SAST tools do. Use it as a supplement to your primary scanner.
No. You explicitly submit files for scanning. It doesn't proactively crawl your entire repository, though this may change as the tool matures out of research preview.
Code is sent to OpenAI's servers for analysis. If you have strict data residency requirements or work with highly sensitive code, this tool isn't suitable without additional isolation measures.
AI Bytes
We analyze official benchmarks, documentation, and user feedback to provide objective AI tool and model analysis.