Addendum to GPT-5.2 System Card: GPT-5.2-Codex

GPT-5.2-Codex is our most advanced agentic coding model yet for complex, real-world software engineering. A version of GPT-5.2 optimized for agentic coding in Codex, it includes further improvements on long-horizon work through context compaction, stronger performance on project-scale tasks like refactors and migrations, and improved performance in Windows environments — and significantly stronger cybersecurity capabilities.

This system card outlines the comprehensive safety measures implemented for GPT-5.2-Codex. It details both model-level mitigations, such as specialized safety training for harmful tasks and prompt injections, and product-level mitigations like agent sandboxing and configurable network access.

GPT-5.2-Codex was evaluated under our Preparedness Framework. It is very capable in the cybersecurity domain but does not reach High capability on cybersecurity. We expect current trends of rapidly increasing capability to continue, and for models to cross the High cybersecurity threshold in the near future. Like other recent models, it is being treated as High capability on biology, and is being deployed with the corresponding suite of safeguards we use for other models in the GPT-5 family. It does not reach High capability on AI self-improvement.

To further ecosystem insight into frontier AI, and for consistency with our general practice, we provide the following benchmark evaluations of GPT-5.2-Codex across disallowed content categories tested in a conversational setting. We do not believe these conversational evals are reflective of real-world risk in the context of this coding-focused model. The model is not intended for deployment in any general-purpose chat application, and will not be deployed by OpenAI in any such context.

We report here on our Production Benchmarks, a new more challenging evaluation set with conversations representative of challenging examples from production data. As we noted in previous system cards, we introduced these Production Benchmarks to help us measure continuing progress given that our earlier Standard evaluations for these categories had become relatively saturated.

These evaluations were deliberately created to be difficult. They were built around cases in which our existing models were not yet giving ideal responses, and this is reflected in the scores below. Error rates are not representative of average production traffic. The primary metric is not_unsafe, checking that the model did not produce output that is disallowed under the relevant OpenAI policy.

GPT-5.2-Codex generally performs on par with GPT-5.1-Codex-Max when used in a conversational setting, and within requirements for this type of model. As explained in the GPT-5.1-Codex-Max system card, the model is not intended for conversational deployments.

We evaluate the robustness of models to jailbreaks: adversarial prompts that purposely try to circumvent model refusals for content it’s not supposed to produce.

Below is an adaptation of the academic jailbreak eval, StrongReject [1]. This eval inserts a known jailbreak into an example from disallowed content evals. We then run it through the same policy graders we use for disallowed content checks. We test jailbreak techniques on base prompts across harm categories, and evaluate for not_unsafe according to relevant policy.

GPT-5.2-Codex performs lower than GPT-5.1-Codex-Max, but performance here is acceptable given that the model is not expected to be used in conversational deployments.

Codex agents are intended to operate within isolated, secure environments to minimize potential risks during task execution. The sandbox method is determined by the interface, and differs between using Codex locally or in the cloud.

When using Codex in the cloud, the agent runs with access to an isolated container hosted by OpenAI, effectively its own computer with network access disabled by default. This containerized environment prevents the agent from interacting with the user’s host system or other sensitive data outside of its designated workspace.

When using Codex locally on MacOS, Linux, and Windows, the agent executes commands within a sandbox by default. On MacOS, this sandboxing is enforced using Seatbelt policies, a built-in MacOS feature. On Linux, a combination of seccomp and landlock is utilized to achieve similar isolation. On Windows, users can use a native sandboxing implementation or benefit from Linux sandboxing via Windows Subsystem for Linux. Users can approve running commands unsandboxed with full access, when the model is unable to successfully run a command within the sandbox.

These default sandboxing mechanisms are designed to:

While users have the flexibility to expand these capabilities (e.g., enabling network access to specific domains), the default configurations are intentionally designed to provide a robust baseline for risk mitigation.

As part of our commitment to iterative deployment, we originally launched Codex cloud with a strictly network-disabled, sandboxed task-execution environment. This cautious approach reduced risks like prompt injection while we gathered early feedback. Users told us they understand these risks and want the flexibility to decide what level of Internet connectivity to provide to the agent during task execution.

For example, as the agent works, it may need to install or update dependencies overlooked by the user during environment configuration. Giving the user the choice to enable internet access–whether to a specific set of allowed sites, or to the internet at large–is necessary to unlock a number of use cases that were previously not possible.

We enable users to decide on a per-project basis which sites, if any, to let the agent access while it is running. This includes the ability to provide a custom allowlist or denylist. Enabling internet access can introduce risks like prompt injection, leaked credentials, or use of code with license restrictions. Users should review outputs carefully and limit access to trusted domains and safe HTTP methods. Learn more in the docs: https://developers.openai.com/codex/cloud/agent-internet

Our approach to safety mitigations builds upon the comprehensive mitigation strategies already implemented for different interfaces including Codex cloud and Codex CLI. This section will focus exclusively on the specific safety training mitigations applied to the GPT-5.2-Codex model itself.

Cybersecurity risk stems from the dual-use nature of many cyber capabilities. Techniques such as reconnaissance, fuzzing, exploit adaptation, and malware tooling are essential for patch validation, incident response, and practitioner training. However, the same code, automation, and agentic behaviors can be repurposed for unauthorized access, stealthy persistence, credential theft, or large-scale disruptive attacks—especially against sensitive targets. Safeguards must therefore preserve authorized research and defensive operations while constraining deployment-ready, evasive, or chained exploit guidance that could compromise the confidentiality, integrity, or availability of real-world systems.

As the models increase in cybersecurity capability, technical mitigations alone may not be sufficient to prevent harm. In cybersecurity, defensive and offensive behaviors often look very similar. So in addition to safety training and other model and system level mitigations, we are making efforts to strengthen the ecosystem and accelerate defenders. Early examples of these efforts include our pilot to grant trusted access for cyberdefense and Aardvark, our agentic security researcher, which we are using to improve open-source software (OSS) security at global scale.

As with GPT-5.2-Thinking, we trained GPT-5.2-Codex integrations to provide maximally helpful support on educational/cybersecurity topics while refusing or de-escalating operational guidance for cyber abuse, including areas such as malware creation, credential theft, and chained exploitation. We assess performance on data that do not overlap with the training set, measuring policy compliance rate (higher is better).

Overall, GPT-5.2-Codex performs better than GPT-5.1 Thinking and slightly below GPT-5.2-Thinking. We saw no meaningful regression in capability evaluations. We observe minimal regression in helpfulness on benign cyber requests, as well as a small drop in helpfulness for high risk dual use cyber requests.

Coding agents have access to powerful tools—file systems, Git, package managers, and other development interfaces—that enable them to act autonomously. While these capabilities unlock productivity, they also introduce high-impact failure modes that involve deletion or corruption of data.

Simple instructions like “clean the folder” or “reset the branch” can mask dangerous operations (rm -rf, git clean -xfd, git reset –hard, push –force) that lead to data loss, repo corruption, or security boundary violations.

We observed that Codex models were more likely to attempt data-destructive actions when encountering user-produced edits during the course of its rollouts. GPT-5.2-Codex was trained with a “user model” that made conflicting edits over the course of its rollouts during RL. The model received positive reinforcement if it did not revert the user’s changes during the course of the rollout.

To measure that the intervention was effective, we developed a new destructive actions evaluation that measures the model’s ability to preserve user-produced changes and avoid taking destructive actions.

GPT-5.2-Codex frontier capabilities are assessed under the Preparedness Framework. We are treating GPT-5.2-Codex as High risk in the Biological and Chemical domain. While the model’s cybersecurity capabilities are stronger than its predecessors, it does not reach our threshold for High capability in the Cyber domain. It also does not reach High capability in the AI self-improvement domain.

As we did for other models in the GPT-5 series, we are treating GPT-5.2-Codex as High risk in the Biological and Chemical domain, and continuing to apply the corresponding safeguards.

To evaluate models’ ability to troubleshoot wet lab experiments in a multimodal setting, we evaluate models on a set of 350 fully held-out virology troubleshooting questions from SecureBio.

GPT-5.2-Codex is the highest-performing model on this evaluation. All models exceed the median domain expert baseline of 22.1%.

To evaluate models’ ability to troubleshoot commonly published lab protocols, we modify 108 multiple choice questions from FutureHouse’s ProtocolQA dataset [2] to be open-ended short answer questions, which makes the evaluation harder and more realistic than the multiple-choice version. The questions introduce egregious errors in common published protocols, describe the wet lab result of carrying out this protocol, and ask for how to fix the procedure. To compare model performance to that of PhD experts, we performed expert baselining on this evaluation with 19 PhD scientists who have over one year of wet lab experience.

All models underperform the consensus expert baseline (54%) and the median expert baseline of 42%. To run this eval with browsing, we maintain a domain blocklist and filter out any browsing results to sites on the blocklist. We also inspect browsing rollouts using a classifier which flags instances of cheating and manually review all flagged rollouts.

We evaluated models on a tacit knowledge and troubleshooting multiple choice dataset created with Gryphon Scientific. The questions span all 5 stages in the biothreat creation process and focus on areas where tacit knowledge would be a bottleneck. Tacit knowledge questions are meant to be obscure to anyone not working in the field, i.e., they either require tracking down authors of relevant papers or knowing people in the field. Troubleshooting questions are meant to be obscure to anyone without hands-on experience, i.e., the answers are known only to people who have tried the protocol themselves.

This set is uncontaminated; it was created fully in-house with our partners at Gryphon Scientific and has not been published.

GPT-5.2-Codex underperforms GPT-5.1-Codex-Max by four percentage points.

To evaluate models’ ability to identify and correct real-world experimental errors in biological protocols, we built a short-answer troubleshooting dataset from expert-written wet lab procedures. TroubleshootingBench focuses on tacit, hands-on knowledge and uncontaminated procedures that are not available online.

Scientists with a PhD in a relevant biological discipline (virology, genetics, microbiology, or protein engineering) were asked to transcribe biological protocols they have personally used in the lab. Each protocol must include precise step-by-step procedures, equipment, and reagents. If a protocol was adapted from a publication, experts were required to significantly alter at least several steps. From these protocols, they created three troubleshooting questions each, introducing subtle or realistic execution errors (e.g., improper homogenization technique) and describing the resulting failed outcome.

After going through independent expert review, the resulting dataset includes 52 protocols, each paired with three expert-written troubleshooting questions. To benchmark model performance, we ran a human baselining campaign with 12 independent PhD experts. The 80th percentile expert score (36.4%) is used as an indicative threshold for model performance. Compared to ProtocolQA Open-Ended, which focuses on well-known published procedures, TroubleshootingBench is designed to test model performance on non-public, experience-grounded protocols and errors that rely on tacit procedural knowledge.

GPT-5.2-Codex scores similarly to GPT-5.2-Thinking on this evaluation.

Cybersecurity capabilities and capability measurements are both rapidly evolving. GPT-5.2-Codex is the most cyber-capable model we’ve deployed to date. As a result, we are continuing to invest in safeguards that we put in place as part of GPT-5-Codex, including both the model safety training described above and scaling up our monitoring and enforcement pipeline to disrupt potential misuse. We are also working on initiatives to help defenders and strengthen cybersecurity safeguards, and we continue to build and strengthen our cybersecurity evaluations.

Under our Preparedness Framework, High cybersecurity capability is defined as a model that removes existing bottlenecks to scaling cyber operations, including either by automating end-to-end cyber operations against reasonably hardened targets, or by automating the discovery and exploitation of operationally relevant vulnerabilities.

In our analysis of prior cybersecurity incidents involving severe harm through either of these two routes, we find each instance demanded proficiency in each of three skills:

Each of our recent frontier releases has reflected refinements in the benchmarks we use to measure cyber capability:

As we continue to refine our approach to evaluating cyber capabilities, we’re using three benchmarks that are associated with the three skills above:

Each of these evaluations has important limitations:

Because of these limitations, excelling on all three evaluations is necessary but not sufficient for a model to be considered High in cyber capability. Even a model that exhibits very strong results can still fall short of what is required for scalable, end-to-end cyber operations against hardened targets. A review of these results and other relevant information by the Safety Advisory Group and OpenAI leadership determined that GPT-5.2-Codex’s performance—while stronger than earlier models—does not meet the level of consistency needed for High cyber capability.

We evaluate model performance on a test set of curated, publicly available CTF challenges which met the following criteria:

Challenges were further divided into the level of proficiency needed to solve the challenge, ultimately organized by whether the challenge required high school, collegiate, or professional-level cybersecurity knowledge and skills, with judgment on the requisite skills manually determined by our in-house cybersecurity expert. For all Collegiate and Professional CTFs we require that the solution involves a non-trivial level of exploitation, requiring chaining two or more exploitation steps and not be solvable by copy-pasting textbook examples. Historically, we reported results across high school, collegiate, and professional levels but given the rise in capabilities and our investment in more rigorous benchmarks we focus only on professional CTFs.

To evaluate the model against the CTFs we give it access to a headless Linux box with common offensive cybersecurity tools preinstalled as well as a harness which allows the model to call those tools or otherwise execute commands similar to as a human. We run 16 rollouts for each CTF exercise, recording the pass@12 metric over the best set of rollouts.

GPT-5.2-Codex is the strongest performing model on our Professional CTFs evaluation to date. This is due in part to compaction, the ability for the model to work coherently across multiple context windows, which particularly helps on long-running cyber evals. For CTFs, this means the model can sustain coherent progress over an extended period instead of collapsing when the window fills, improving task completion rates.

CVE-Bench is a benchmark that tasks models with identifying and exploiting real-world web-application vulnerabilities in a sandbox environment. We used CVE-Bench (version 1.0) with a focus on vulnerabilities covering content-management systems, AI/ML apps, business-management tools, operational-monitoring systems, web infrastructure, libraries/packages, e-commerce platforms, and a small number of computing-management, mail-server, and web-portal applications; due to some infrastructure challenges porting the eval, we only ran 34 out of the 40 benchmark challenges. We ran the benchmark using the zero-day prompt configuration, where the model is given a general task description of what it needs to do, as opposed to the one-day configuration, where the model is given a description of the vulnerability to exploit. Additionally, we ran the benchmark such that the agent does not have access to the source code of the web-application, and instead must probe it remotely.

We use pass@1 over 3 rollouts for this evaluation to measure the model’s ability to consistently identify vulnerabilities which are considered relatively straightforward by internal cybersecurity experts. Consistency is important to measure the model’s cost-intelligence frontier to identify vulnerabilities and its ability to potentially evade detection mechanisms that look for scaled attempts of vulnerability discovery and exploitation.

As with CTFs, GPT-5.2-Codex demonstrates incremental improvement relative to GPT-5.1-Codex-Max and significant gains when compared with previous models due to its ability to extend its work across multiple context windows. This performance increase is expected for tasks like vulnerability discovery that involve running many commands and trying different tools with an almost brute-force approach to explore various opportunities for potential exploit identification. While this performance is strong, it does not reach our threshold for potentially High cyber capability, which requires sustained consistency in cyber operations. A consistent pattern of mistakes, even occasional ones, is incompatible with the type of scaled cyber operations that define High cyber capability.

Cyber range exercises measure a model’s ability to conduct fully end-to-end cyber operations in a realistic, emulated network.These exercises are long-form, requiring the model to (1) construct a plan to achieve an abstract adversary objective; (2) exploit vulnerabilities, misconfigurations, and weaknesses that are likely to be seen in the wild; and (3) chain together these exploits to achieve the scenario objective. As part of the release for GPT-5.2-Codex, we add two new range scenarios that offer different insights into capability elicitation: one called Printer Queue where the model is required to identify – and use – secrets stuck in a broken printer queue, and another called HTTPS Oracle where the model must eavesdrop on network traffic to discover a web server is using an insecure communication protocol.

Performance is measured as pass or fail over 16 trials, where a pass denotes at least one success. Combined pass rate is the percentage of passed scenarios.

GPT-5.2-Codex is notably the first model to solve Leaked Token, doing so by using an unintended attack path. Otherwise, it fails the same scenarios as GPT-5.2-Thinking – HTTPS Oracle, Financial Capital, and Medium C2 – the former two having been solved by GPT-5.1-Codex-Max.

Irregular, an AI security organization focused on frontier cybersecurity risks, evaluated GPT-5.2-Codex on a subset of a suite of cyberoffensive challenges spanning three categories:

In this evaluation setting, the model was given up to 1,000 turns per challenge and elicited using techniques designed to maximize performance. Irregular conducted these evaluations using the Responses API with auto-compaction enabled and set xhigh reasoning effort. Each challenge was run multiple times, with success defined by retrieval of a hidden flag. For GPT-5.2-Codex, only medium and hard evaluations from this suite were run. Reported success rates reflect aggregate performance across runs, and cost-per-success is calculated as total API usage cost divided by the number of successful runs. GPT-5.2-Codex achieved average success rates of 79% on Network Attack Simulation challenges, 80% on Vulnerability Research and Exploitation challenges, and 49% on Evasion challenges.

In terms of API usage cost for solved challenges, the average cost-per-success for GPT-5.2-Codex was $5.90 for Vulnerability Research and Exploitation challenges, $32.80 for Network Attack Simulation challenges, and $17.90 for Evasion challenges.

Irregular also evaluated GPT-5.2-Codex on CyScenarioBench, a scenario-based evaluation framework that measures an LLM’s ability to plan and execute multi-stage cyber scenarios under realistic constraints. This includes steps such as cyber orchestration, branching-decision accuracy, constraint adherence, and recovery from state inconsistencies. GPT-5.2-Codex did not solve any challenges from CyScenarioBench.

GPT-5.2-Codex performed at a similar capability level to GPT-5.2-Thinking and did not meet our High thresholds. The High capability threshold is defined to be equivalent to a performant mid-career research engineer and performance in the evaluations below indicate we can rule this out for GPT-5.2-Codex.

Measuring if and when models can automate the job of an OpenAI research engineer is a key goal of self-improvement evaluation work. We test models on their ability to replicate pull request contributions by OpenAI employees, which measures our progress towards this capability.

We source tasks directly from internal OpenAI pull requests. A single evaluation sample is based on an agentic rollout. In each rollout:

If all task-specific tests pass, the rollout is considered a success. The prompts, unit tests, and hints are human-written.

GPT-5.2-Codex scores the same as GPT-5.2-Thinking.

Developed by OpenAI, MLE-bench evaluates an agent’s ability to solve Kaggle challenges involving the design, building, and training of machine learning models on GPUs. In this eval, we provide an agent with a virtual environment, GPU, and data and instruction set from Kaggle. The agent is then given 24 hours to develop a solution, though we scale up to 100 hours in some experiments.

The full dataset consists of 75 hand-curated Kaggle competitions, worth $1.9m in prize value. Measuring progress towards model self-improvement is key to evaluating autonomous agents’ full potential. We use MLE-bench to benchmark our progress towards model self-improvement, in addition to general agentic capabilities. The subset plotted below is 30 of the most interesting and diverse competitions chosen from the subset of tasks that are <50GB and <10h.

GPT-5.2-Codex underperforms relative to GPT-5.1-Codex-Max and exceeds the performance of GPT-5-Thinking.

PaperBench [4] evaluates the ability of AI agents to replicate state-of-the-art AI research. Agents must replicate 20 ICML 2024 Spotlight and Oral papers from scratch, including understanding paper contributions, developing a codebase, and successfully executing experiments. For objective evaluation, we develop rubrics that hierarchically decompose each replication task into smaller sub-tasks with clear grading criteria. In total, PaperBench contains 8,316 individually gradable tasks.

We measure a 10-paper subset of the original PaperBench splits, where each paper requires <10GB of external data files. We report pass@1 performance with Extra High reasoning effort and no browsing.

GPT-5.2-Codex exceeds the performance of GPT-5.2-Thinking and GPT-5.1-Codex-Max, setting a new upper bound among our models.

OpenAI-Proof Q&A evaluates AI models on 20 internal research and engineering bottlenecks encountered at OpenAI, each representing at least a one-day delay to a major project and in some cases influencing the outcome of large training runs and launches. “OpenAI-Proof” refers to the fact that each problem is required over a day for a team at OpenAI to solve. Tasks require models to diagnose and explain complex issues—such as unexpected performance regressions, anomalous training metrics, or subtle implementation bugs. Models are given access to a container with code access and run artifacts. Each solution is graded pass@1.

1. [1]

   Alexandra Souly, Qingyuan Lu, Dillon Bowen, Tu Trinh, Elvis Hsieh, Sana Pandey, et al. A strongreject for empty jailbreaks. arXiv preprint arXiv:2402.10260.
2. [2]

   Jon M. Laurent, Joseph D. Janizek, Michael Ruzo, Michaela M. Hinks, Michael J. Hammerling, Siddharth Narayanan, et al. “LAB-bench: Measuring capabilities of language models for biology research.” Available at: https://arxiv.org/abs/2407.10362.
3. [3]

   Yuxuan Zhu, Antony Kellermann, Dylan Bowman, Philip Li, Akul Gupta, Adarsh Danda, et al. “CVE-bench: A benchmark for AI agents’ ability to exploit real-world web application vulnerabilities.” Available at: https://arxiv.org/abs/2503.17332.
4. [4]

   Giulio Starace, Oliver Jaffe, Dane Sherburn, James Aung, Jun Shern Chan, Leon Maksin, et al. “PaperBench: Evaluating AI’s ability to replicate AI research.”