OpenAI Daybreak Turns Codex Into a Cyber Defense Distribution Channel
OpenAI Daybreak pushes Codex Security into vulnerability review, patch validation, and trusted cyber workflows.
Security teams did not need another dashboard. They needed a way to move defensive reasoning into the code path before a vulnerable release becomes an incident.
OpenAI has introduced Daybreak, a cybersecurity program and product surface that combines frontier models, Codex as an agentic harness, and a tiered access model for verified defensive work. OpenAI describes the goal as bringing secure code review, threat modeling, patch validation, dependency risk analysis, detection, and remediation guidance into everyday development. Coverage from The Verge, MacRumors, and Moneycontrol framed Daybreak as OpenAI's answer to Anthropic's Project Glasswing and Claude Mythos, but the more important point is commercial distribution. Daybreak is a workflow wrapper around cyber-capable models, not only a benchmark claim.
If Daybreak works, it changes where AI security tools sit. Instead of living only in a scanner, ticket queue, or advisory report, the model becomes part of pull requests, dependency upgrades, threat model reviews, and remediation evidence. That puts OpenAI closer to the operating loop where software risk is created and corrected.
The architecture in one picture
graph TD
A[Repository and dependency graph] --> B[Codex Security harness]
B --> C[Threat model]
B --> D[Vulnerability triage]
B --> E[Patch proposal]
E --> F[Automated tests]
F --> G[Human security review]
G --> H[Audit evidence]
H --> I[Production release]
The operational scorecard
| Layer | Daybreak role | Buyer question |
|---|---|---|
| Code review | Reason across code and dependencies | Can it find subtle issues without flooding teams |
| Patch validation | Generate and test targeted fixes | Can reviewers trust the proposed remediation path |
| Access control | Use trusted cyber tiers for authorized users | Can dangerous capability be scoped and logged |
| Evidence | Return findings and remediation proof | Can the work survive audit and incident review |
The strategic move hiding under the security label
Daybreak should be read as a distribution move for defensive AI. OpenAI already has a developer surface through Codex, an enterprise sales path through ChatGPT and API contracts, and model tiers designed for different risk levels. Daybreak ties those pieces together. The value proposition is not that a model can describe a vulnerability in a demo. The value proposition is that a verified organization can put model reasoning into a controlled remediation loop and keep evidence of what happened.
For this story, the practical reading is specific: If Daybreak works, it changes where AI security tools sit. Instead of living only in a scanner, ticket queue, or advisory report, the model becomes part of pull requests, dependency upgrades, threat model reviews, and remediation evidence. That puts OpenAI closer to the operating loop where software risk is created and corrected. That reading matters because executives are trying to distinguish a durable operating shift from a short news cycle. The headline creates attention, but the deployment path decides value.
The strongest organizations will avoid treating the announcement as a mandate. They will identify the exact workflow affected, define what data enters the system, decide which tools the AI can call, and set a review standard before the pilot expands. That discipline is not bureaucracy. It is what lets teams move quickly without losing the ability to explain the result.
There is also a talent question. AI does not remove the need for expert operators. It changes where their time goes. Analysts, engineers, support leads, security reviewers, and compliance teams spend less time on repetitive drafting or search and more time on judgment, exception handling, measurement, and system improvement. Teams that ignore that shift will either over-automate or underuse the technology.
The economic question is equally direct. A capability is valuable only when it changes a constraint. The constraint might be response time, remediation backlog, language coverage, compute availability, compliance evidence, or policy uncertainty. If a deployment does not name the constraint, it will be difficult to defend later. If it does name the constraint, the team can measure before and after with less room for vague success claims.
Why Codex matters more than the model name
Cybersecurity workflows are messy because every finding has context. A vulnerability may be real but unreachable. A dependency may be risky but blocked by compensating controls. A patch may fix one issue while breaking an implicit contract. Codex gives OpenAI a harness for repository access, tool calls, tests, and iterative patch work. That makes the model useful inside a software lifecycle rather than as a detached advisory engine.
For this story, the practical reading is specific: If Daybreak works, it changes where AI security tools sit. Instead of living only in a scanner, ticket queue, or advisory report, the model becomes part of pull requests, dependency upgrades, threat model reviews, and remediation evidence. That puts OpenAI closer to the operating loop where software risk is created and corrected. That reading matters because executives are trying to distinguish a durable operating shift from a short news cycle. The headline creates attention, but the deployment path decides value.
The strongest organizations will avoid treating the announcement as a mandate. They will identify the exact workflow affected, define what data enters the system, decide which tools the AI can call, and set a review standard before the pilot expands. That discipline is not bureaucracy. It is what lets teams move quickly without losing the ability to explain the result.
There is also a talent question. AI does not remove the need for expert operators. It changes where their time goes. Analysts, engineers, support leads, security reviewers, and compliance teams spend less time on repetitive drafting or search and more time on judgment, exception handling, measurement, and system improvement. Teams that ignore that shift will either over-automate or underuse the technology.
The economic question is equally direct. A capability is valuable only when it changes a constraint. The constraint might be response time, remediation backlog, language coverage, compute availability, compliance evidence, or policy uncertainty. If a deployment does not name the constraint, it will be difficult to defend later. If it does name the constraint, the team can measure before and after with less room for vague success claims.
The access model is the product
OpenAI's Daybreak page describes different access levels, including general GPT-5.5 use, trusted access for cyber, and a more permissive GPT-5.5-Cyber preview for specialized authorized workflows. That tiering is central. The same reasoning that helps defenders can help attackers if released without controls. The product therefore has to sell both capability and restraint. Buyers will ask for role controls, logs, approval gates, and a clear line between vulnerability discovery and exploit enablement.
For this story, the practical reading is specific: If Daybreak works, it changes where AI security tools sit. Instead of living only in a scanner, ticket queue, or advisory report, the model becomes part of pull requests, dependency upgrades, threat model reviews, and remediation evidence. That puts OpenAI closer to the operating loop where software risk is created and corrected. That reading matters because executives are trying to distinguish a durable operating shift from a short news cycle. The headline creates attention, but the deployment path decides value.
The strongest organizations will avoid treating the announcement as a mandate. They will identify the exact workflow affected, define what data enters the system, decide which tools the AI can call, and set a review standard before the pilot expands. That discipline is not bureaucracy. It is what lets teams move quickly without losing the ability to explain the result.
There is also a talent question. AI does not remove the need for expert operators. It changes where their time goes. Analysts, engineers, support leads, security reviewers, and compliance teams spend less time on repetitive drafting or search and more time on judgment, exception handling, measurement, and system improvement. Teams that ignore that shift will either over-automate or underuse the technology.
The economic question is equally direct. A capability is valuable only when it changes a constraint. The constraint might be response time, remediation backlog, language coverage, compute availability, compliance evidence, or policy uncertainty. If a deployment does not name the constraint, it will be difficult to defend later. If it does name the constraint, the team can measure before and after with less room for vague success claims.
What competitors will copy
The obvious copy is the branding: every lab will want a cyber defense initiative. The harder copy is the operating path. To compete, a model provider needs security partners, repository integration, evaluation sets, legal terms, account controls, and enterprise procurement. Point solutions can still win narrow categories, but frontier labs can bundle reasoning, coding agents, and distribution. That bundling is why Daybreak matters.
For this story, the practical reading is specific: If Daybreak works, it changes where AI security tools sit. Instead of living only in a scanner, ticket queue, or advisory report, the model becomes part of pull requests, dependency upgrades, threat model reviews, and remediation evidence. That puts OpenAI closer to the operating loop where software risk is created and corrected. That reading matters because executives are trying to distinguish a durable operating shift from a short news cycle. The headline creates attention, but the deployment path decides value.
The strongest organizations will avoid treating the announcement as a mandate. They will identify the exact workflow affected, define what data enters the system, decide which tools the AI can call, and set a review standard before the pilot expands. That discipline is not bureaucracy. It is what lets teams move quickly without losing the ability to explain the result.
There is also a talent question. AI does not remove the need for expert operators. It changes where their time goes. Analysts, engineers, support leads, security reviewers, and compliance teams spend less time on repetitive drafting or search and more time on judgment, exception handling, measurement, and system improvement. Teams that ignore that shift will either over-automate or underuse the technology.
The economic question is equally direct. A capability is valuable only when it changes a constraint. The constraint might be response time, remediation backlog, language coverage, compute availability, compliance evidence, or policy uncertainty. If a deployment does not name the constraint, it will be difficult to defend later. If it does name the constraint, the team can measure before and after with less room for vague success claims.
The risk buyers should not ignore
Automated security work can create false confidence. A model can miss a path, misunderstand a framework, or propose a patch that passes visible tests while weakening a deeper invariant. The correct adoption pattern is not to let the model approve itself. The correct pattern is model-assisted triage, generated evidence, human review, regression testing, and post-release monitoring.
For this story, the practical reading is specific: If Daybreak works, it changes where AI security tools sit. Instead of living only in a scanner, ticket queue, or advisory report, the model becomes part of pull requests, dependency upgrades, threat model reviews, and remediation evidence. That puts OpenAI closer to the operating loop where software risk is created and corrected. That reading matters because executives are trying to distinguish a durable operating shift from a short news cycle. The headline creates attention, but the deployment path decides value.
The strongest organizations will avoid treating the announcement as a mandate. They will identify the exact workflow affected, define what data enters the system, decide which tools the AI can call, and set a review standard before the pilot expands. That discipline is not bureaucracy. It is what lets teams move quickly without losing the ability to explain the result.
There is also a talent question. AI does not remove the need for expert operators. It changes where their time goes. Analysts, engineers, support leads, security reviewers, and compliance teams spend less time on repetitive drafting or search and more time on judgment, exception handling, measurement, and system improvement. Teams that ignore that shift will either over-automate or underuse the technology.
The economic question is equally direct. A capability is valuable only when it changes a constraint. The constraint might be response time, remediation backlog, language coverage, compute availability, compliance evidence, or policy uncertainty. If a deployment does not name the constraint, it will be difficult to defend later. If it does name the constraint, the team can measure before and after with less room for vague success claims.
What to watch next
The next signal is not how many vulnerabilities Daybreak claims to find in a showcase. The useful signal is whether enterprise customers wire it into real release processes, whether security teams report lower remediation time, and whether the system reduces duplicate tickets and noisy findings. If Daybreak becomes a trusted security workbench, OpenAI gains a defensible foothold in a budget category that is already accustomed to high spending.
For this story, the practical reading is specific: If Daybreak works, it changes where AI security tools sit. Instead of living only in a scanner, ticket queue, or advisory report, the model becomes part of pull requests, dependency upgrades, threat model reviews, and remediation evidence. That puts OpenAI closer to the operating loop where software risk is created and corrected. That reading matters because executives are trying to distinguish a durable operating shift from a short news cycle. The headline creates attention, but the deployment path decides value.
The strongest organizations will avoid treating the announcement as a mandate. They will identify the exact workflow affected, define what data enters the system, decide which tools the AI can call, and set a review standard before the pilot expands. That discipline is not bureaucracy. It is what lets teams move quickly without losing the ability to explain the result.
There is also a talent question. AI does not remove the need for expert operators. It changes where their time goes. Analysts, engineers, support leads, security reviewers, and compliance teams spend less time on repetitive drafting or search and more time on judgment, exception handling, measurement, and system improvement. Teams that ignore that shift will either over-automate or underuse the technology.
The economic question is equally direct. A capability is valuable only when it changes a constraint. The constraint might be response time, remediation backlog, language coverage, compute availability, compliance evidence, or policy uncertainty. If a deployment does not name the constraint, it will be difficult to defend later. If it does name the constraint, the team can measure before and after with less room for vague success claims.
The operating question
The operational question for buyers is not whether the announcement is impressive. It is whether the capability can be connected to a workflow with a named owner, a measurable baseline, a review path, and a failure procedure. AI programs fail when they stop at access. They work when a team can describe what changed, what evidence was collected, which humans remained accountable, and what happens when the system is wrong.
For this story, the practical reading is specific: If Daybreak works, it changes where AI security tools sit. Instead of living only in a scanner, ticket queue, or advisory report, the model becomes part of pull requests, dependency upgrades, threat model reviews, and remediation evidence. That puts OpenAI closer to the operating loop where software risk is created and corrected. That reading matters because executives are trying to distinguish a durable operating shift from a short news cycle. The headline creates attention, but the deployment path decides value.
The strongest organizations will avoid treating the announcement as a mandate. They will identify the exact workflow affected, define what data enters the system, decide which tools the AI can call, and set a review standard before the pilot expands. That discipline is not bureaucracy. It is what lets teams move quickly without losing the ability to explain the result.
There is also a talent question. AI does not remove the need for expert operators. It changes where their time goes. Analysts, engineers, support leads, security reviewers, and compliance teams spend less time on repetitive drafting or search and more time on judgment, exception handling, measurement, and system improvement. Teams that ignore that shift will either over-automate or underuse the technology.
The economic question is equally direct. A capability is valuable only when it changes a constraint. The constraint might be response time, remediation backlog, language coverage, compute availability, compliance evidence, or policy uncertainty. If a deployment does not name the constraint, it will be difficult to defend later. If it does name the constraint, the team can measure before and after with less room for vague success claims.
The procurement reality
Procurement teams are now asking harder questions because the first wave of generative AI spending created mixed results. Usage grew quickly, but measurable return did not always follow. The next round of budgets will favor systems that reduce cycle time, error rates, rework, backlog, support cost, or compliance overhead. A vendor story that cannot connect capability to those metrics will be treated as an experiment rather than a platform.
For this story, the practical reading is specific: If Daybreak works, it changes where AI security tools sit. Instead of living only in a scanner, ticket queue, or advisory report, the model becomes part of pull requests, dependency upgrades, threat model reviews, and remediation evidence. That puts OpenAI closer to the operating loop where software risk is created and corrected. That reading matters because executives are trying to distinguish a durable operating shift from a short news cycle. The headline creates attention, but the deployment path decides value.
The strongest organizations will avoid treating the announcement as a mandate. They will identify the exact workflow affected, define what data enters the system, decide which tools the AI can call, and set a review standard before the pilot expands. That discipline is not bureaucracy. It is what lets teams move quickly without losing the ability to explain the result.
There is also a talent question. AI does not remove the need for expert operators. It changes where their time goes. Analysts, engineers, support leads, security reviewers, and compliance teams spend less time on repetitive drafting or search and more time on judgment, exception handling, measurement, and system improvement. Teams that ignore that shift will either over-automate or underuse the technology.
The economic question is equally direct. A capability is valuable only when it changes a constraint. The constraint might be response time, remediation backlog, language coverage, compute availability, compliance evidence, or policy uncertainty. If a deployment does not name the constraint, it will be difficult to defend later. If it does name the constraint, the team can measure before and after with less room for vague success claims.
The architecture lesson
Most successful deployments will use layered architecture. The model handles reasoning and language. The workflow layer handles permissions, tool access, state, and retries. The policy layer handles what the system is allowed to do. The observability layer records inputs, outputs, tool calls, and decisions. The human layer reviews exceptions and owns judgment. Removing any layer makes the system faster in a demo and weaker in production.
For this story, the practical reading is specific: If Daybreak works, it changes where AI security tools sit. Instead of living only in a scanner, ticket queue, or advisory report, the model becomes part of pull requests, dependency upgrades, threat model reviews, and remediation evidence. That puts OpenAI closer to the operating loop where software risk is created and corrected. That reading matters because executives are trying to distinguish a durable operating shift from a short news cycle. The headline creates attention, but the deployment path decides value.
The strongest organizations will avoid treating the announcement as a mandate. They will identify the exact workflow affected, define what data enters the system, decide which tools the AI can call, and set a review standard before the pilot expands. That discipline is not bureaucracy. It is what lets teams move quickly without losing the ability to explain the result.
There is also a talent question. AI does not remove the need for expert operators. It changes where their time goes. Analysts, engineers, support leads, security reviewers, and compliance teams spend less time on repetitive drafting or search and more time on judgment, exception handling, measurement, and system improvement. Teams that ignore that shift will either over-automate or underuse the technology.
The economic question is equally direct. A capability is valuable only when it changes a constraint. The constraint might be response time, remediation backlog, language coverage, compute availability, compliance evidence, or policy uncertainty. If a deployment does not name the constraint, it will be difficult to defend later. If it does name the constraint, the team can measure before and after with less room for vague success claims.
The market implication
The market is shifting from model access to system ownership. A buyer can already reach powerful models through several providers. What remains scarce is a reliable operating model for using those models inside regulated, high-value, or failure-sensitive work. That is why distribution, governance, support, integration, and evidence are becoming as important as raw benchmark gains.
For this story, the practical reading is specific: If Daybreak works, it changes where AI security tools sit. Instead of living only in a scanner, ticket queue, or advisory report, the model becomes part of pull requests, dependency upgrades, threat model reviews, and remediation evidence. That puts OpenAI closer to the operating loop where software risk is created and corrected. That reading matters because executives are trying to distinguish a durable operating shift from a short news cycle. The headline creates attention, but the deployment path decides value.
The strongest organizations will avoid treating the announcement as a mandate. They will identify the exact workflow affected, define what data enters the system, decide which tools the AI can call, and set a review standard before the pilot expands. That discipline is not bureaucracy. It is what lets teams move quickly without losing the ability to explain the result.
There is also a talent question. AI does not remove the need for expert operators. It changes where their time goes. Analysts, engineers, support leads, security reviewers, and compliance teams spend less time on repetitive drafting or search and more time on judgment, exception handling, measurement, and system improvement. Teams that ignore that shift will either over-automate or underuse the technology.
The economic question is equally direct. A capability is valuable only when it changes a constraint. The constraint might be response time, remediation backlog, language coverage, compute availability, compliance evidence, or policy uncertainty. If a deployment does not name the constraint, it will be difficult to defend later. If it does name the constraint, the team can measure before and after with less room for vague success claims.
The competitive response
Competitors will respond in predictable ways. Large platforms will bundle the capability into existing suites. Specialist vendors will argue that domain-specific evaluation and workflow depth beat general models. Cloud providers will package infrastructure and management controls. Consulting firms will turn the story into transformation programs. Buyers should expect rapid feature imitation and slower proof of durable value.
For this story, the practical reading is specific: If Daybreak works, it changes where AI security tools sit. Instead of living only in a scanner, ticket queue, or advisory report, the model becomes part of pull requests, dependency upgrades, threat model reviews, and remediation evidence. That puts OpenAI closer to the operating loop where software risk is created and corrected. That reading matters because executives are trying to distinguish a durable operating shift from a short news cycle. The headline creates attention, but the deployment path decides value.
The strongest organizations will avoid treating the announcement as a mandate. They will identify the exact workflow affected, define what data enters the system, decide which tools the AI can call, and set a review standard before the pilot expands. That discipline is not bureaucracy. It is what lets teams move quickly without losing the ability to explain the result.
There is also a talent question. AI does not remove the need for expert operators. It changes where their time goes. Analysts, engineers, support leads, security reviewers, and compliance teams spend less time on repetitive drafting or search and more time on judgment, exception handling, measurement, and system improvement. Teams that ignore that shift will either over-automate or underuse the technology.
The economic question is equally direct. A capability is valuable only when it changes a constraint. The constraint might be response time, remediation backlog, language coverage, compute availability, compliance evidence, or policy uncertainty. If a deployment does not name the constraint, it will be difficult to defend later. If it does name the constraint, the team can measure before and after with less room for vague success claims.
The implementation trap
The common implementation trap is choosing the most visible workflow instead of the most measurable one. Executive attention gravitates toward dramatic examples, but reliable gains often start in narrower work: triage, routing, summarization with citations, draft generation with review, test creation, document comparison, alert enrichment, and support follow-up. Those workflows have clear inputs and outputs, which makes evaluation possible.
For this story, the practical reading is specific: If Daybreak works, it changes where AI security tools sit. Instead of living only in a scanner, ticket queue, or advisory report, the model becomes part of pull requests, dependency upgrades, threat model reviews, and remediation evidence. That puts OpenAI closer to the operating loop where software risk is created and corrected. That reading matters because executives are trying to distinguish a durable operating shift from a short news cycle. The headline creates attention, but the deployment path decides value.
The strongest organizations will avoid treating the announcement as a mandate. They will identify the exact workflow affected, define what data enters the system, decide which tools the AI can call, and set a review standard before the pilot expands. That discipline is not bureaucracy. It is what lets teams move quickly without losing the ability to explain the result.
There is also a talent question. AI does not remove the need for expert operators. It changes where their time goes. Analysts, engineers, support leads, security reviewers, and compliance teams spend less time on repetitive drafting or search and more time on judgment, exception handling, measurement, and system improvement. Teams that ignore that shift will either over-automate or underuse the technology.
The economic question is equally direct. A capability is valuable only when it changes a constraint. The constraint might be response time, remediation backlog, language coverage, compute availability, compliance evidence, or policy uncertainty. If a deployment does not name the constraint, it will be difficult to defend later. If it does name the constraint, the team can measure before and after with less room for vague success claims.
The governance burden
Every useful AI system creates a governance burden because it changes who knows what, who can do what, and who is responsible for the result. The burden is manageable when teams define authority clearly. It becomes dangerous when a model borrows human credentials, touches sensitive data without classification, or creates records that no one reviews. Governance should be built into the workflow rather than bolted on after adoption spreads.
For this story, the practical reading is specific: If Daybreak works, it changes where AI security tools sit. Instead of living only in a scanner, ticket queue, or advisory report, the model becomes part of pull requests, dependency upgrades, threat model reviews, and remediation evidence. That puts OpenAI closer to the operating loop where software risk is created and corrected. That reading matters because executives are trying to distinguish a durable operating shift from a short news cycle. The headline creates attention, but the deployment path decides value.
The strongest organizations will avoid treating the announcement as a mandate. They will identify the exact workflow affected, define what data enters the system, decide which tools the AI can call, and set a review standard before the pilot expands. That discipline is not bureaucracy. It is what lets teams move quickly without losing the ability to explain the result.
There is also a talent question. AI does not remove the need for expert operators. It changes where their time goes. Analysts, engineers, support leads, security reviewers, and compliance teams spend less time on repetitive drafting or search and more time on judgment, exception handling, measurement, and system improvement. Teams that ignore that shift will either over-automate or underuse the technology.
The economic question is equally direct. A capability is valuable only when it changes a constraint. The constraint might be response time, remediation backlog, language coverage, compute availability, compliance evidence, or policy uncertainty. If a deployment does not name the constraint, it will be difficult to defend later. If it does name the constraint, the team can measure before and after with less room for vague success claims.
The next six months
The next six months will separate announcement value from production value. Watch customer evidence, not only vendor claims. Watch whether teams expand usage after the first pilot. Watch whether legal and security teams become blockers or partners. Watch whether the system survives messy exceptions, not only scripted demos. Durable adoption will look less like magic and more like better operating discipline.
For this story, the practical reading is specific: If Daybreak works, it changes where AI security tools sit. Instead of living only in a scanner, ticket queue, or advisory report, the model becomes part of pull requests, dependency upgrades, threat model reviews, and remediation evidence. That puts OpenAI closer to the operating loop where software risk is created and corrected. That reading matters because executives are trying to distinguish a durable operating shift from a short news cycle. The headline creates attention, but the deployment path decides value.
The strongest organizations will avoid treating the announcement as a mandate. They will identify the exact workflow affected, define what data enters the system, decide which tools the AI can call, and set a review standard before the pilot expands. That discipline is not bureaucracy. It is what lets teams move quickly without losing the ability to explain the result.
There is also a talent question. AI does not remove the need for expert operators. It changes where their time goes. Analysts, engineers, support leads, security reviewers, and compliance teams spend less time on repetitive drafting or search and more time on judgment, exception handling, measurement, and system improvement. Teams that ignore that shift will either over-automate or underuse the technology.
The economic question is equally direct. A capability is valuable only when it changes a constraint. The constraint might be response time, remediation backlog, language coverage, compute availability, compliance evidence, or policy uncertainty. If a deployment does not name the constraint, it will be difficult to defend later. If it does name the constraint, the team can measure before and after with less room for vague success claims.
The source trail
This article is based on public reporting and primary material available on May 12, 2026. Vendor claims are treated as claims unless they have been independently verified in production by customers, auditors, regulators, or public technical evidence.
- OpenAI Daybreak: https://openai.com/daybreak
- The Verge on Daybreak: https://www.theverge.com/ai-artificial-intelligence/928342/openai-daybreak-security-ai
- MacRumors coverage: https://www.macrumors.com/2026/05/11/openai-launches-daybreak/
- Moneycontrol explainer: https://www.moneycontrol.com/technology/openai-takes-on-mythos-with-its-new-daybreak-platform-what-is-it-how-it-works-and-more-article-13916345.html
The careful reading matters because several of these stories involve reported deals, phased rollouts, forward-looking product claims, or government policy processes. Those categories can change as contracts are signed, products reach users, and evidence becomes public.
Analysis by Sudeep Devkota, Editorial Analyst at ShShell Research. Published May 12, 2026.