
Good morning, security frontrunners
In this week’s cyber AI breakdown, we take a look at OpenAI’s new Patch the Planet initiative.
What is Patch the Planet?
So how does the tech work?
The early numbers
Which is better of OpenAI’s GPT-5.5-Cyber and Anthropic’s Mythos?
Our final take
DEEP-DIVE
What is Patch the Planet?
A few days ago, OpenAI expanded their Daybreak program to include the new ‘Patch the Planet’ initiative.
The goal of this initiative is to “to help maintainers strengthen the critical open-source software the world relies on”.
They’re doing this by using AI to detect, validate and support with the patching of vulns, without overwhelming maintainers.
This is a similar goal as agent-based security tools Agent Val and Firefly, which we covered in last week’s edition.
However, unlike Agent Val and Firefly which rely entirely on agents, OpenAI has instead opted to rely very much on a human-in-the-loop model by partnering with security firm, Trail of Bits.
Basically, how it works is:
Open source maintainers opt in
OpenAI’s tools detect and validate vulnerabilities in their codebase
Trail of Bits researchers manually review the findings
OpenAI’s tools generate patches and test cases
The patches are reviewed and implemented by the maintainers
Patch the Planet’s initial focus on open source projects makes sense - open source is now shared infrastructure.
Projects such as Python, Go, cURL, pyca/cryptography, Sigstore, aiohttp, NATS Server, and freenginx underpin enormous parts of the internet and enterprise software supply chain.
These are the types of projects where a single high-impact vulnerability can ripple through thousands of downstream systems.
Trail of Bits says more than 30 projects have already committed to participate.
So how does the tech work?
Codex Security is the workbench, and GPT-5.5-Cyber is the brain.
Codex Security provides the scaffolding for GPT-5.5-Cyber to do its thing.
Codex Security gives the AI a controlled way to inspect the repository, reason about the code, run tests, produce findings, and generate patches. It does that by cloning the repository into an isolated workspace.
Before hunting for vulnerabilities, Codex Security uses GPT-5.5-Cyber to understand the code and build context.
This is the “what are we protecting?” step. It learns about the architecture, important assets, entry points, trust boundaries, risky components, and security assumptions.
Then, the hunt for vulnerabilities happens.
GPT-5.5-Cyber can follow data flow, connect functions, reason through attack paths, compare checks and sinks, and look for places where security assumptions break.
Although GPT-5.5-Cyber’s reasoning is clearly impressive, you can’t just point, shoot and hope for the best. To get the most out of a model, you need to apply a system or method to its reasoning.
This is where Trail of Bits come in.
One of the key discovery and validation approaches they’ve developed is the ‘Historical CVE variant analysis’ model.

In simple terms, the model:
Loads vulnerability and issue data
The system is given a list of historical CVEs and selected issues to investigate.Creates AI tasks for each issue
The orchestrator gives each issue to Codex to look for related vulnerabilities or similar root causes.Filters out weak candidates
If Codex cannot find a real defect pattern or useful variant, the issue is skipped.Validates possible findings
Two independent false-positive checks review the candidate to see whether it is plausible, risky, and reproducible.Report only real, new issues
Valid findings are checked for duplicates. Only confirmed, non-duplicate vulnerabilities are reported.
Trail of Bits also used Fuzzing and Differential Testing as other discovery and validation methods. Both of which they claimed were dramatically faster to build and implement with AI (obviously).
Once the vulnerabilities have been accepted, Codex Security turns them into minimal patches, conducts regression testing, collects proof of the fix, and then pass it all on for humans to review before merging.
To put it all into context, here’s the end-to-end flow of the Patch the Planet program:

The early numbers
Trail of Bits says the first week of Patch the Planet covered 19 projects and produced hundreds of discovered bugs, 64 pull requests, and 51 filed issues.
Of those, 37 pull requests were already merged, and 19 issues were already closed with a fix.
In OpenAI’s own benchmarks:
GPT‑5.5‑Cyber reached 85.6% on CyberGym, compared with 81.8% for GPT‑5.5 (which is actually BETTER than Mythos)

On ExploitGym, GPT‑5.5‑Cyber scored 39.5% versus 25.95%, and
On SEC-bench Pro it reached 69.8% versus 63.1%.

Honestly, only a little bit better really.
OpenAI’s GPT-5.5-Cyber > Anthropic’s Mythos
Patch the Planet is naturally comparable with Anthropic’s Mythos work. Both represent frontier AI moving into high-end vulnerability discovery.
But they are not the same type of offering.
Mythos is primarily framed around advanced AI vulnerability discovery (and it is damn good at it). However, it doesn’t offer as much around remediation or patching.
Anthropic themselves highlighted this, saying high and critical severity bugs found by Mythos took two weeks to patch.
…which is a scary, considering that 1/3rd of exploited vulnerabilities are exploited the day or day before they're disclosed.
GPT-5.5-Cyber, on the other hand, seems to be better at detecting and validating vulnerabilities than Mythos AND the Patch the Planet initiative shows how it can be used to address the problem of remediation at scale.
It is entirely possible that Mythos, given the right ‘workbench’ or ‘harness’ can be used to offer similar remediation and patching capabilities, however, we haven’t seen this just yet.
Who can use it?
Patch the Planet is not a general self-service product that any company can simply switch on.
It is an initiative for open-source maintainers, especially those responsible for critical projects. Participating projects receive expert support, access to ChatGPT Pro, conditional access to Codex Security, and API credits for core open-source development, maintainer automation, and release workflows.
Trail of Bits says maintainers of critical open-source projects can apply to join, and the program has a growing waitlist.
For enterprises, the adjacent path is OpenAI’s Daybreak and Codex Security ecosystem.
OpenAI says GPT‑5.5 with Trusted Access for Cyber and Codex Security are the right starting point for most defenders, while GPT‑5.5‑Cyber is intended for verified defenders whose authorised work requires more advanced cyber capability and stronger controls.
Final take
Yes, human-in-the-loop is safer, but not infinitely scalable.
Patch the Planet may work brilliantly for 30 critical open-source projects, but the wider vulnerability ecosystem is growing much faster than expert review capacity.
If we don’t come up with a more scalable solution to high-speed detection → patching workflow, we’ll never overcome the bottleneck observed during the Mythos preview, people.
That’s it for this week!
See you next Sunday 🙂
Zac S from The Cyber Breakdown