OpenAI on Thursday launched GPT-5.2-Codex on December 18, barely a week after unveiling its GPT-5.2 model series, as the company races to defend its position against Google's Gemini models. The new release represents OpenAI's most advanced agentic coding model yet, optimized for professional software engineering and defensive cybersecurity applications, combining enhanced long-horizon task handling with significantly stronger cybersecurity capabilities that raise both opportunities and dual-use risks.

AI Generated Image

The model is immediately available across all Codex surfaces for paid ChatGPT users, with API access planned for coming weeks. OpenAI said GPT-5.2-Codex excels at large-scale code changes including refactors and migrations, performs better in Windows environments, and introduces improved context compaction for sustained coding sessions.

Cybersecurity capabilities showed marked advancement. While GPT-5.2-Codex did not reach "High" capability under OpenAI's Preparedness Framework, the company said it expects models to cross that threshold soon. CEO Sam Altman announced plans for an invite-only trusted access pilot for vetted security professionals and organizations focused on defensive cybersecurity work.

OpenAI said deployment balances accessibility with safety as capability growth accelerates. The company has implemented specialized safety training for harmful tasks, agent sandboxing, and configurable network access at the product level.

State-of-the-Art Coding Performance Extends Earlier Gains

GPT-5.2-Codex builds on GPT-5.2's strengths unveiled December 11, when OpenAI claimed the model achieved "state-of-the-art agentic coding performance" and positioned GPT-5.2 Thinking as its best vision model. That earlier release scored 55.6% on SWE-Bench Pro, marking OpenAI's first model to reach or exceed human expert performance on professional tasks.

The new Codex variant pushes those metrics higher. GPT-5.2-Codex achieved 56.4% accuracy on SWE-Bench Pro, exceeding GPT-5.2's 55.6% and GPT-5.1's 50.8%. On Terminal-Bench 2.0, which tests AI agents in realistic terminal environments across tasks including code compilation and server setup, GPT-5.2-Codex scored 64.0% compared with GPT-5.2's 62.2% and GPT-5.1's 58.1%.

The model demonstrates improved long-context understanding, reliable tool calling, and native compaction, making it more effective at complex tasks like large refactors and code migrations over extended sessions. Stronger vision performance enables more accurate interpretation of screenshots, technical diagrams, and UI surfaces during coding sessions.

Developer platforms including Windsurf, Cognition, Warp, and JetBrains reported state-of-the-art agentic coding performance following GPT-5.2's December 11 release. Jeff Wang, CEO of Windsurf, said GPT-5.2 "represents the biggest leap for GPT models in agentic coding" and enabled collapsing fragile multi-agent systems into single mega-agents with over 20 tools.

Cybersecurity Capabilities Jump as React Vulnerability Surfaces

GPT-5.2-Codex delivers OpenAI's strongest cybersecurity capabilities to date, with the company tracking sharp jumps in performance starting with GPT-5-Codex and accelerating through subsequent releases. On OpenAI's Professional Capture-the-Flag evaluation measuring advanced multi-step challenges requiring professional-level cybersecurity skills, capability increased substantially with each iteration.

Real-world impact emerged before the new model's release. On December 11, security researcher Andrew MacPherson used GPT-5.1-Codex-Max with Codex CLI to discover three previously unknown vulnerabilities in React that the React team subsequently published. MacPherson was using the model to reproduce an earlier vulnerability known as React2Shell when the model surfaced unexpected behaviors leading to new discoveries.

The researcher guided Codex through standard defensive workflows including setting up test environments, reasoning through attack surfaces, and fuzzing with malformed inputs. OpenAI said the incident demonstrates how advanced AI systems can accelerate defensive security work while highlighting risks that capabilities helping defenders can be misused by malicious actors.

Altman posted on X: "Last week, a security researcher using our previous model found and disclosed a vulnerability in React that could lead to source code exposure. I believe these models will be a net win for cybersecurity, but we are in the 'real impact phase' as they improve."

Trusted Access Program Targets Defensive Security

OpenAI is developing an invite-only trusted access pilot to enable qualifying security professionals and organizations to use frontier AI cyber capabilities for defensive work. The program aims to remove restrictions that security teams encounter when emulating threat actors, analyzing malware for remediation, or stress testing critical infrastructure.

Initial participants will include vetted security professionals with track records of responsible vulnerability disclosure and organizations with clear professional cybersecurity use cases. Qualifying participants will receive access to OpenAI's most capable models for defensive applications to enable legitimate dual-use work.

Altman posted on X: "We are beginning to explore trusted-access programs for defensive cybersecurity work." He also said: "Codex is getting extremely good and will rapidly improve. If you want to help make it 100x better next year, the team is hiring. Crazy adventure guaranteed; success probable."

The company said its deployment approach considers future capability growth as it expects upcoming AI models to continue on the current trajectory toward High-level cybersecurity capability as measured by its Preparedness Framework. GPT-5.2-Codex includes additional model-level and product-level safeguards detailed in an updated system card.

OpenAI said gradual rollout paired with safeguards and close collaboration with the security community aims to maximize defensive impact while reducing misuse risk. The company plans to use learnings from this release to inform expanded access over time as software and cyber capabilities advance.