QUICK ANSWER
OpenAI Daybreak (launched May 11, 2026) uses GPT-5.5 models and Codex Security to continuously scan codebases for vulnerabilities, build threat models, validate attack paths, and propose patches — all inside the development loop. It is publicly available via scan request. Anthropic's equivalent is Project Glasswing, which uses the unreleased Claude Mythos model but is restricted to roughly 50 partner organizations. Daybreak is the more accessible option today.
What OpenAI Daybreak Actually Does
Daybreak is not a vulnerability scanner in the traditional sense. It does not sit at the perimeter and look for known CVEs. Instead, it embeds into the development workflow and uses Codex Security — OpenAI's application security agent — to build a threat model from your actual code repository, then continuously updates that model as the codebase changes.
The workflow has four stages. First, Codex Security builds an editable threat model from the repository — a structured map of what the application does, what it trusts, and where it accepts external input. Second, it identifies realistic attack paths, filtered to focus on exploitable issues rather than theoretical risks. Third, it validates likely vulnerabilities in an isolated environment — actually attempting to reproduce issues before flagging them, which reduces the noise of false positives. Fourth, it proposes patches for human review, so engineers can accept, modify, or reject the suggested fix.
Sam Altman framed the launch on X: "AI is already good and about to get super good at cybersecurity; we'd like to start working with as many companies as possible now to help them continuously secure themselves." The design goal is to move security from a quarterly audit — something done after software ships — into a continuous background process that runs alongside development.
Daybreak vs. Anthropic Project Glasswing — Side by Side
| Feature |
OpenAI Daybreak |
Anthropic Project Glasswing |
| Launch date |
May 11, 2026 |
April 7, 2026 (limited preview) |
| Underlying model |
GPT-5.5 + GPT-5.5-Cyber + Codex Security |
Claude Mythos Preview (unreleased publicly) |
| Availability |
Public — request a scan at openai.com/daybreak |
Restricted — ~50 partner organizations |
| Key partners |
Cloudflare, Cisco, CrowdStrike, Oracle, Zscaler |
AWS, Apple, Cisco, Google, JPMorgan Chase, Microsoft |
| Core capability |
Codebase threat modeling, attack path validation, patch proposals |
Vulnerability discovery and patching (Mozilla found and patched 271 Firefox bugs) |
| Integration point |
Development loop — alongside Codex as an agentic security layer |
Organizational security program — delivered via partner channel |
| Public pricing |
Not disclosed — contact sales or request scan |
Not disclosed — partner channel only |
The most practically important difference right now is access. Daybreak is available to any organization that requests a scan at openai.com/daybreak. Glasswing requires being one of Anthropic's approximately 50 partner organizations — a list that includes some of the largest companies in tech and finance, but excludes most organizations. If you want to pilot AI-assisted vulnerability scanning today, Daybreak is the available option.
Glasswing has a notable proof point: Mozilla used Claude Mythos through Glasswing to find and patch 271 vulnerabilities in the Firefox browser ahead of a major release. OpenAI has not published equivalent case study numbers for Daybreak at this stage, though the partner list — Cloudflare, Cisco, CrowdStrike, Oracle, and Zscaler — suggests early deployments are underway in production security environments.
Why Both Initiatives Exist at the Same Time
Cybersecurity is one of the clearest enterprise use cases for frontier AI, and both OpenAI and Anthropic are racing to own it. The core argument is that AI can tilt the balance in favor of defenders: attackers only need to find one exploitable path, while defenders have to secure everything. AI that continuously scans code, validates attack paths, and proposes patches in real time changes that asymmetry.
Anthropic launched Glasswing first on April 7, using Mythos — a model that is stronger than Claude Opus 4.7 on math and security tasks, but deliberately withheld from public release to control dual-use risk. OpenAI responded on May 11 with Daybreak, using publicly available GPT-5.5 models and Codex Security, and made the product available to any organization rather than restricting access to a partner list.
The approaches reflect different philosophies: Anthropic is willing to restrict access to its strongest model to reduce the risk of the same capabilities being used offensively. OpenAI is betting that broad availability — with strong verification, account-level controls, scoped access, monitoring, and human review — is the right way to maximize defensive impact while managing dual-use risk.
How to Request a Daybreak Scan
OpenAI has opened Daybreak via a request flow at openai.com/daybreak. Organizations can request a vulnerability assessment, contact sales for broader deployment, or partner with one of the existing security ecosystem partners (Cloudflare, Cisco, CrowdStrike, Oracle, Zscaler) that are already deploying Daybreak capabilities. Broader rollout with industry and government partners is planned in the coming weeks.
Access controls are strict: OpenAI requires verification, applies account-level controls, scoped permissions, monitoring, and human review before Codex Security can access a codebase. This reflects the dual-use risk of giving frontier AI deep read access to production code — the same capability that finds vulnerabilities defensively could theoretically be used offensively if the access controls were weak.
Frequently Asked Questions
Is OpenAI Daybreak free?
OpenAI has not published pricing for Daybreak. Organizations can request a scan, after which pricing is discussed with sales. It is not currently offered as a self-serve paid tier.
Does Daybreak require you to give OpenAI access to your code?
Yes — Codex Security builds its threat model from your repository. OpenAI applies verification, account-level controls, scoped access, and monitoring. If full code access is a concern for your organization, contact OpenAI sales to discuss the access scope before requesting a scan.
What is Claude Mythos and why can't I access it?
Claude Mythos is Anthropic's unreleased frontier model, stronger than Opus 4.7 on math and security tasks. Anthropic has deliberately withheld it from public release and deployed it only through Project Glasswing to approximately 50 partner organizations, citing dual-use risk concerns. There is no public waitlist or API access for Mythos at this time.
How many vulnerabilities has Daybreak found so far?
OpenAI has not published specific vulnerability counts for Daybreak deployments as of launch. Anthropic's Glasswing has the notable data point of 271 vulnerabilities found and patched in Firefox via Mozilla. Watch for OpenAI to publish case study results as partner deployments mature.
Which is better for my organization — Daybreak or Glasswing?
If you can get Glasswing access, the Mozilla results suggest it is highly effective. But access is restricted to ~50 partners. Daybreak is available today to any organization via scan request. For most security teams who are not already Glasswing partners, Daybreak is the practical choice for piloting AI-assisted vulnerability scanning right now.