OpenAI expands Daybreak – but experts warn it may find bugs faster than defenders can fix them

OpenAI on Tuesday announced the expansion of its AI-powered cybersecurity initiative, Daybreak – but experts are now warning Cybernews that fixing software flaws before hackers can exploit them may become the industry's biggest challenge.
- OpenAI is expanding Daybreak, its cybersecurity initiative designed to help organizations find and fix software vulnerabilities.
- Experts warn AI may soon uncover software flaws faster than vendors and security teams can validate and patch them.
- The launch marks the latest escalation in an AI cybersecurity arms race between OpenAI and Anthropic.
According to the recently expanded defense initiative, Daybreak’s new AI security tools and industry partnerships are designed to help enterprise organizations simultaneously find and fix software bugs with precision and at machine speed.
“Through Codex Security, Patch the Planet, GPT‑5.5‑Cyber, and the Daybreak Cyber Partner Program, developers, maintainers, researchers, enterprises, and public institutions can turn frontier AI capability into measurable risk reduction,” the announcement said.
The AI startup says it is working alongside major industry and government partners, including CrowdStrike, Cloudflare, Cisco, Oracle, Palo Alto Networks, and other well-known cybersecurity firms.
The "fix everything" patching problem
Calling it a “full remediation loop,” OpenAI says its latest GPT-5.5 cybersecurity model, combined with the agentic Codex Security, can review code, identify vulnerabilities, validate fixes, analyze dependencies, and generate remediation guidance, all in one fell swoop.
Still, Gene Moody, Field CTO at Action1, warns that treating Daybreak as an autonomous “easy button” is not the answer.
"AI-driven patching is often framed as the inevitable solution to vulnerability management. But without a clear alignment to business context, AI has no reliable way to distinguish between what should be fixed, what must be deferred, and what could break critical operations,” Moody tells Cybernews.
A “fix everything” approach ignores the reality that risk is not purely technical; it is inexorably tied to how an application supports the business, he says.
Moody adds that without strong business context and vendor-validated controls, autonomous patching “may ultimately create operational instability, technical debt, including inconsistencies across environments, signature and trust issues, and configuration drift at scale – and over time, those inconsistencies would compound."
The new bottleneck: fixing vulnerabilities
While OpenAI CEO Sam Altman said Daybreak was designed to "accelerate cyber defense and continuously secure software," security experts worry that validating and fixing software bugs before attackers can exploit them presents another major challenge.
In a post on X touting a state-of-the-art CyberGym and the full version of GPT-5.5-Cyber – rolled out to critical infrastructure defenders in early May – Altman said Daybreak is about wanting “to help all companies be secure, working with the USG and the security ecosystem.”
Nidhi Aggarwal, Chief Product Officer at HackerOne, likens the broader wave of frontier model–powered security platforms to AI-driven offensive security “going mainstream” and says the real work, increasingly, “is on the other side of discovery.”
“We'll continue to see these models released, and they will continue to help discover more of the right vulnerabilities. But the bottlenecks the industry now faces are twofold,” Aggarwal says, noting the industry shakeup with the April launch of the industry's first cybersecurity frontier model, Anthropic's Mythos, and its less powerful public version, Fable 5.
It's a tale of industry fanfare turning to panic, and all within a matter of weeks. Fears that hackers could gain access to the powerful AI model even led the Trump administration to ban Mythos and Fable 5 from all government agencies in June.
The bottlenecks Aggarwal refers to:
- Most organizations aren't ready to safely apply these models directly, still needing guardrails such as scoping, access controls, evaluation pipelines, and integration with existing workflows.
- Once vulnerabilities are found, security teams must determine which findings are real, prioritize them by business impact, and get fixes to the right teams quickly.
AI won't solve cybersecurity
Other experts say initiatives like Daybreak risk creating unrealistic expectations about what artificial intelligence can accomplish in cybersecurity.
"What’s exaggerated right now is the idea that AI is somehow going to solve cybersecurity. It won't," says Richard Bird, Chief Security and Strategy Officer at Singulr AI.
Instead, Bird says AI is amplifying long-standing weaknesses that organizations have struggled with for years, including poor visibility, fragmented controls, weak governance, and inconsistent policy enforcement.
"The companies that benefit most from AI in security won't be the ones with the most advanced models – they'll be the ones that maintain operational control while those models are running," he said.
Moody also warned that the volume of AI-generated findings could soon outpace vendors' ability to produce tested and supported patches.
"Systems that diverge from vendor-supported baselines are more likely to experience failed updates, unstable behavior, and increased operational overhead," Moody said.
OpenAI on Tuesday also announced the official date for its annual developer conference, OpenAI DevDay 2026, to be held in San Francisco on September 29th.
OpenAI says the event will showcase new AI models, APIs, and tools designed for AI startups, developers, and enterprise teams shipping production applications. Developers have until July 10th to submit applications to attend.