OpenAI has unveiled details regarding GPT-Red, an internal automated red-teaming model designed to identify prompt injection vulnerabilities by attacking the company’s own systems. By utilizing self-play reinforcement learning, GPT-Red has demonstrated superior performance compared to human testers, successfully compromising GPT-5.1 in 84% of scenarios within an indirect prompt injection arena, whereas human red-teamers achieved a 13% success rate.
The Mechanics of Automated Red-Teaming
GPT-Red functions as an autonomous agent that mimics human red-teaming behavior by sending prompts, observing responses, and iterating toward specific goals. Unlike static benchmarks, this model is trained at a compute scale comparable to OpenAI’s largest post-training runs. The system operates under two primary deployment strategies: it remains strictly internal to prevent adversarial actors from accessing its capabilities, and it serves a dual purpose by uncovering vulnerabilities before model deployment while simultaneously generating attacks during the training process.
The training process relies on a self-play reinforcement learning loop where GPT-Red acts as the attacker, pitted against a diverse collection of defender large language models. The reward structure is designed to ensure balance; while GPT-Red is rewarded for successful prompt injections, defender models receive rewards for resisting attacks while still successfully completing their assigned tasks. This ensures that defenders cannot simply default to refusing all requests, forcing them to maintain utility while hardening against increasingly sophisticated adversarial inputs.
Discovering Novel Vulnerabilities
During its development, GPT-Red identified a novel class of direct prompt injection known as Fake Chain-of-Thought. In this attack, the model inserts a spoofed entry into the target's internal reasoning trace—the running notes an LLM keeps while solving a problem. By planting this misinformation, the attacker causes the target model to act on spoofed data it incorrectly believes it has verified. This discovery allowed OpenAI to incorporate this specific threat into the training targets for future models.
The effectiveness of this hardening process is evident in the performance of GPT-5.6. While GPT-Red’s strongest attacks were highly effective against the earlier GPT-5, released in August 2025, fewer than 23% of those same attacks succeeded against GPT-5.6. Furthermore, on the most rigorous direct prompt injection benchmarks, GPT-5.6 exhibited six times fewer failures than OpenAI's best production model from four months prior.
Real-World Application and Limitations
OpenAI has tested GPT-Red against live agentic systems to evaluate its impact beyond controlled benchmarks. In one case study, the model successfully compromised an AI-powered vending machine, demonstrating the ability to change item prices, order expensive products for minimal costs, and cancel other customers' orders. In another instance, it attacked a Codex CLI agent, proving more effective and token-efficient than previous baselines.
Despite these advancements, OpenAI acknowledges that significant gaps remain. Human red-teamers are still required for complex multi-turn and image-based attacks. Consequently, OpenAI has confirmed that GPT-Red will not be released for public use, maintaining it as an internal-only tool to secure its models against an expanding attack surface where agents interact with third-party data, browsers, and local files.

Comments (0)
to join the discussion
No comments yet
Be the first to share your thoughts!