Artificial intelligence is increasingly being used to help developers identify security weaknesses in software, and a new tool from OpenAI reflects that shift.
The company has introduced Codex Security, an automated security assistant designed to examine software projects, detect vulnerabilities, confirm whether they can actually be exploited, and recommend ways to fix them.
The feature is currently being released as a research preview and can be accessed through the Codex interface by users subscribed to ChatGPT Pro, Enterprise, Business, and Edu plans. OpenAI said customers will be able to use the capability without cost during its first month of availability.
According to the company, the system studies how a codebase functions as a whole before attempting to locate security flaws. By building a detailed understanding of how the software operates, the tool aims to detect complicated vulnerabilities that may escape conventional automated scanners while filtering out minor or irrelevant issues that can overwhelm security teams.
The technology is an advancement of Aardvark, an internal project that entered private testing in October 2025 to help development and security teams locate and resolve weaknesses across large collections of source code.
During the last month of beta testing, Codex Security examined more than 1.2 million individual code commits across publicly accessible repositories. The analysis produced 792 critical vulnerabilities and 10,561 issues classified as high severity.
Several well-known open-source projects were affected, including OpenSSH, GnuTLS, GOGS, Thorium, libssh, PHP, and Chromium.
Some of the identified weaknesses were assigned official vulnerability identifiers. These included CVE-2026-24881 and CVE-2026-24882 linked to GnuPG, CVE-2025-32988 and CVE-2025-32989 affecting GnuTLS, and CVE-2025-64175 along with CVE-2026-25242 associated with GOGS. In the Thorium browser project, researchers also reported seven separate issues ranging from CVE-2025-35430 through CVE-2025-35436.
OpenAI explained that the system relies on advanced reasoning capabilities from its latest AI models together with automated verification techniques. This combination is intended to reduce the number of incorrect alerts while producing remediation guidance that developers can apply directly.
Repeated scans of the same repositories during testing also showed measurable improvements in accuracy. The company reported that the number of false alarms declined by more than 50 percent while the precision of vulnerability detection increased.
The platform operates through a multi-step process. It begins by examining a repository in order to understand the structure of the application and map areas where security risks are most likely to appear. From this analysis, the system produces an editable threat model describing the software’s behavior and potential attack surfaces.
Using that model as a reference point, the tool searches for weaknesses and evaluates how serious they could be in real-world scenarios. Suspected vulnerabilities are then executed in a sandbox environment to determine whether they can actually be exploited.
When configured with a project-specific runtime environment, the system can test potential vulnerabilities directly against a functioning version of the software. In some cases it can also generate proof-of-concept exploits, allowing security teams to confirm the problem before deploying a fix.
Once validation is complete, the tool suggests code changes designed to address the weakness while preserving the original behavior of the application. This approach is intended to reduce the risk that security patches introduce new software defects.
The launch of Codex Security follows the introduction of Claude Code Security by Anthropic, another system that analyzes software repositories to uncover vulnerabilities and propose remediation steps.
The emergence of these tools reflects a broader trend within cybersecurity: using artificial intelligence to review vast amounts of software code, detect vulnerabilities earlier in the development cycle, and assist developers in securing critical digital infrastructure.
Microsoft’s new Threat Intelligence report reveals that threat actors are using genAI tools for various tasks, such as phishing, surveillance, malware building, infrastructure development, and post-hack activity.
In various incidents, AI helps to create phishing emails, summarize stolen information, debug malware, translate content, and configure infrastructure. “Microsoft Threat Intelligence has observed that most malicious use of AI today centers on using language models for producing text, code, or media. Threat actors use generative AI to draft phishing lures, translate content, summarize stolen data, generate or debug malware, and scaffold scripts or infrastructure,” the report said.
"For these uses, AI functions as a force multiplier that reduces technical friction and accelerates execution, while human operators retain control over objectives, targeting, and deployment decisions,’ warns Microsoft.
Microsoft found different hacking gangs using AI in their cyberattacks, such as North Korean hackers known as Coral Sleet (Storm-1877) and Jasper Sleet (Storm-0287), who use the AI in their remote IT worker scams.
The AI helps to make realistic identities, communications, and resumes to get a job in Western companies and have access once hired. Microsoft also explained how AI is being exploited in malware development and infrastructure creation. Threat actors are using AI coding tools to create and refine malicious code, fix errors, and send malware components to different programming languages.
A few malware experiments showed traces of AI-enabled malware that create scripts or configure behaviour at runtime. Microsoft found Coral Sleet using AI to make fake company sites, manage infrastructure, and troubleshoot their installations.
When security analysts try to stop the use of AI in these attacks, Microsoft says hackers are using jailbreaking techniques to trick AI into creating malicious code or content.
Besides generative AI use, the report revealed that hackers experiment with agentic AI to do tasks autonomously. The AI is mainly used for decision-making currently. As IT worker campaigns depend on the exploitation of authentic access, experts have advised organizations to address these attacks as insider risks.
Expanding cybersecurity services as a Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) requires more than strong technical capabilities. Providers also need a sustainable business approach that can deliver clear and measurable value to clients while supporting growth at scale.
One approach gaining attention across the cybersecurity industry is risk-based security management. When implemented effectively, this model can strengthen trust with customers, create opportunities to offer additional services, and establish stable recurring revenue streams. However, maintaining such a strategy consistently requires structured workflows and the right supporting technologies.
To help providers adopt this approach, a new resource titled “The MSP Growth Guide: How MSPs Use AI-Powered Risk Management to Scale Their Cybersecurity Business” outlines how organizations can transition toward scalable cybersecurity services centered on risk management. The guide provides insights into the operational difficulties many MSPs encounter, offers recommendations from industry experts, and explains how AI-driven risk management platforms can help build a more scalable and profitable service model.
Why Risk-Focused Security Enables Service Expansion
Many MSPs already deliver essential cybersecurity capabilities such as endpoint protection, regulatory compliance assistance, and other defensive tools. While these services remain critical, they are often delivered as separate engagements rather than as part of a unified strategy. As a result, the long-term strategic value of these services may remain limited, and opportunities to generate consistent recurring revenue may be reduced.
Adopting a risk-centered cybersecurity framework can shift this dynamic. Instead of addressing isolated technical issues, providers evaluate the complete threat environment facing a client organization. Security risks are then prioritized according to their potential impact on business operations.
This broader perspective allows MSPs to move away from reactive fixes and instead deliver continuous, proactive security management.
Organizations that implement this risk-first model can gain several advantages:
• Security teams can detect and address threats before they escalate into damaging incidents.
• Defensive measures can be continuously updated as the cyber threat landscape evolves.
• Critical assets, daily operations, and organizational reputation can be protected even when compliance regulations do not explicitly require certain safeguards.
Another major benefit is alignment with modern cybersecurity frameworks. Many current standards require companies to conduct formal and ongoing risk evaluations. By integrating risk management into their core service offerings, MSPs can position themselves to pursue higher-value contracts and offer additional services driven by regulatory compliance requirements.
Common Obstacles That Limit Risk Management Services
Although risk-focused security delivers substantial value, MSPs often encounter operational barriers that make these services difficult to scale or demonstrate clearly to clients.
Several recurring challenges affect service delivery and growth:
Manual assessment processes
Traditional risk evaluations often rely heavily on manual work. This approach can consume a vast majority of time, introduce inconsistencies, and make it difficult to expand services efficiently.
Lack of actionable remediation plans
Risk reports sometimes underline security weaknesses but fail to outline clear steps for resolving them. Without defined guidance, clients may struggle to understand how to address the issues that have been identified.
Complex regulatory alignment
Organizations frequently need to comply with multiple cybersecurity standards and regulatory frameworks. Managing these requirements manually can create inefficiencies and inconsistencies.
Limited business context in security reports
Many security assessments are written in highly technical language. As a result, business leaders and non-technical stakeholders may find it difficult to interpret the results or understand the real impact on their organization.
Shortage of specialized cybersecurity professionals
Skilled risk management experts remain in high demand across the industry, making it difficult for service providers to recruit and retain qualified personnel.
Third-party risk visibility gaps
Many cybersecurity platforms focus only on internal infrastructure and overlook risks introduced by external vendors and service providers.
These challenges can make it difficult for MSPs to transform risk management into a scalable and profitable cybersecurity offering.
How AI-Powered Platforms Help Address These Barriers
To overcome these operational difficulties, many providers are turning to artificial intelligence-driven risk management tools.
AI-based platforms can automate large portions of the risk management process. Tasks that previously required extensive manual effort, such as risk assessment, prioritization, and reporting, can be completed more quickly and consistently.
These systems are designed to streamline the entire risk management lifecycle while incorporating advanced security expertise into service delivery.
What Modern Risk Management Platforms Should Deliver
A well-designed AI-enabled risk management solution should do more than simply detect potential threats. It should also accelerate service delivery and support business growth for service providers.
Organizations adopting these platforms can expect several operational benefits:
• Faster onboarding and service deployment through automated and easy-to-use risk assessment tools
• More efficient compliance management supported by built-in mappings to cybersecurity frameworks and continuous monitoring capabilities
• Clearer reporting that presents cybersecurity risks in language business leaders can understand
• Demonstrable return on investment by reducing manual workloads and enabling more efficient service delivery
• Additional revenue opportunities by identifying new cybersecurity services clients may require based on their risk profile
Key Capabilities to Evaluate When Selecting a Platform
Selecting the right technology platform is critical for service providers that want to scale cybersecurity operations effectively.
Several capabilities are considered essential in modern risk management tools:
Automated risk assessment systems
Automation allows providers to generate assessment results within days rather than months, while minimizing human error and ensuring consistent outcomes.
Dynamic risk registers and visual risk mapping
Visualization tools such as heatmaps help security teams quickly identify which risks pose the greatest threat and should be addressed first.
Action-oriented remediation planning
Effective platforms convert risk findings into structured and prioritized tasks aligned with both compliance obligations and business objectives.
Customizable risk tolerance frameworks
Organizations can adapt risk scoring models to match each client’s specific operational priorities and appetite for risk.
The MSP Growth Guide provides additional details on the features providers should consider when evaluating potential solutions.
Building Long-Term Strategic Value with AI-Driven Risk Management
For MSPs and MSSPs seeking to expand their cybersecurity practices, AI-powered risk management offers a way to deliver consistent value while improving operational efficiency.
By automating risk assessments, prioritizing security issues based on business impact, and standardizing reporting processes, these platforms enable providers to deliver reliable cybersecurity services to a growing client base.
The guide “The MSP Growth Guide: How MSPs Use AI-Powered Risk Management to Scale Their Cybersecurity Business” explains how service providers can integrate AI-driven risk management into their offerings to support long-term growth.
Organizations interested in strengthening customer relationships, expanding cybersecurity services, and building a competitive advantage may benefit from adopting risk-focused security strategies supported by AI-enabled platforms.
Cisco Talos researchers said that the hacker is related to the Tropic Trooper and FamousSparrow hacker groups, but it is tracked as a different activity cluster.
According to the experts, UAT-9244 shares the same victim profile as Salt Typhoon, but they are failing to find a link between the two security clusters.
The experts found that the campaign used three previously unknown malware families: PeerTime, a Linux backdoor that employs BitTorrent; TernDoor, a Windows backdoor; and BruteEntry, a brute-force scanner that makes proxy infrastructure (ORBs).
TernDoor is installed via DLL side-loading through the authentic executable wsprint.exe to deploy malicious code from BugSplatRc64.dll, which decodes and runs the final payload in memory (inserted inside msiexec.exe).
The malware consists of a WSPrint.sys, an embedded Windows driver, which is used for terminating, suspending, and resuming processes.
Persistence is gained through Windows Registry modifications and scheduled tasks, which also hide the scheduled task. Besides this, TernDoor runs commands through a remote shell, executes arbitrary processes, collects system data, reads/writes files, and self-deletes.
PeerTime is an ELF Linux backdoor that attacks various architectures (MIPS, ARM, AARCH, PPC), hinting that it was made to attack a wide range of embedded systems and network devices.
Cisco Talos found the variants for PeerTime. The first variant is written in C/C++, and the second is based on Rust. The experts also found a Simplified Chinese debug string inside the instrumentor binary, which may be its source. The payload is decoded and installed in memory, and its process is renamed to look real.
Lastly, there is BruteEntry, which consists of a brute-forcing component and a Go-based instrumentor binary. Its function is to transform compromised devices into Operational Relay Boxes (ORBs), which are scanning nodes.
The attacker brute-forces SSH, PostgreSQL, and Tomcat by using workstations running BruteEntry to search for new targets. The C2 receives the results of the login attempt along with the task status and notes.
Cisco Systems has confirmed that attackers are actively exploiting two security flaws affecting its Catalyst SD-WAN Manager platform, previously known as SD-WAN vManage. The company disclosed that both weaknesses are currently being abused in real-world attacks.
The vulnerabilities are tracked as CVE-2026-20122 and CVE-2026-20128, each presenting different security risks for organizations operating Cisco’s software-defined networking infrastructure.
The first flaw, CVE-2026-20122, carries a CVSS score of 7.1 and is described as an arbitrary file overwrite vulnerability. If successfully exploited, a remote attacker with authenticated access could overwrite files stored on the system’s local file structure. Exploitation requires the attacker to already possess valid read-only credentials with API access on the affected device.
The second vulnerability, CVE-2026-20128, has a CVSS score of 5.5 and involves an information disclosure issue. This flaw could allow an authenticated local user to escalate privileges and obtain Data Collection Agent (DCA) user permissions on a targeted system. To exploit the vulnerability, the attacker must already have legitimate vManage credentials.
Cisco released fixes for these issues late last month. The patches also addressed additional vulnerabilities identified as CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133.
The company provided updates across multiple software releases. Systems running versions earlier than 20.9.1 should migrate to a patched release. Fixes are available in the following versions:
According to Cisco’s Product Security Incident Response Team, the company became aware in March 2026 that CVE-2026-20122 and CVE-2026-20128 were being actively exploited. Cisco did not disclose how widespread the attacks are or who may be responsible.
Additional insights were shared by researchers at watchTowr. Ryan Dewhurst, the firm’s head of proactive threat intelligence, reported that the company observed exploitation attempts originating from numerous unique IP addresses. Investigators also identified attackers deploying web shells, malicious scripts that allow remote command execution on compromised systems.
Dewhurst noted that the most significant surge in attack activity occurred on March 4, with attempts recorded across multiple global regions. Systems located in the United States experienced slightly higher levels of activity than other areas.
He also warned that exploitation attempts are likely to continue as additional threat actors begin targeting the vulnerabilities. Because both opportunistic and coordinated attacks appear to be occurring, Dewhurst said any exposed system should be treated as potentially compromised until proven otherwise.
Security experts emphasize that SD-WAN management platforms function as centralized control hubs for enterprise networks. As a result, vulnerabilities affecting these systems can carry heightened risk because they may allow attackers to manipulate network configurations or maintain persistent access across multiple connected sites.
In response to the ongoing attacks, Cisco advises organizations to update affected systems immediately and implement additional security precautions. Recommended actions include restricting administrative access from untrusted networks, placing devices behind properly configured firewalls, disabling the HTTP interface for the Catalyst SD-WAN Manager administrator portal, turning off unused services such as HTTP or FTP, changing default administrator passwords, and monitoring system logs for suspicious activity.
The disclosure follows a separate advisory issued a week earlier in which Cisco reported that another flaw affecting Catalyst SD-WAN Controller and SD-WAN Manager — CVE-2026-20127, rated 10.0 on the CVSS scale had been exploited by a sophisticated threat actor identified as UAT-8616 to establish persistent access within high-value organizations.
This week the company also released updates addressing two additional maximum-severity vulnerabilities in Secure Firewall Management Center. The flaws, tracked as CVE-2026-20079 and CVE-2026-20131, could allow an unauthenticated remote attacker to bypass authentication protections and execute arbitrary Java code with root-level privileges on affected systems.