OpenAI GPT-Red automated red-teaming model
TECH

OpenAI GPT-Red automated red-teaming model

26+
Signals

Strategic Overview

  • 01.
    OpenAI announced GPT-Red on July 15, 2026 - an internal automated red-teaming model trained via adversarial self-play to find prompt injection vulnerabilities at scale before wider deployment.
  • 02.
    GPT-Red independently discovered a previously unknown attack class called 'fake chain of thought,' which inserts spoofed reasoning steps into a model's chain of thought, tricking it into treating false premises as already-verified facts.
  • 03.
    After more than a year of training, GPT-Red reduced prompt injection attack success rates on GPT-5.6 Sol from over 90% (on GPT-5) to under 23%, and fake chain-of-thought attacks from above 95% to fewer than 10%.
  • 04.
    OpenAI confirmed GPT-Red will remain an internal-only tool and will not be publicly released, because it contains intentionally developed offensive capabilities.

Deep Analysis

The Adversarial Dojo: How AI Trains Against Itself

GPT-Red operates inside what OpenAI calls a 'dojo' - a simulated environment replicating real-world agentic tasks including web browsing, email, calendar management, and code editing. In each training round, GPT-Red attacks a collection of diverse defender LLMs simultaneously. The reward structure is adversarial by design: GPT-Red earns credit for eliciting a valid failure such as a successful prompt injection, while each defender earns credit for resisting the attack and completing its original task. [1]

The flywheel effect is the key innovation. As defenders become more robust through training, GPT-Red is forced to discover stronger and more diverse attacks to keep earning rewards. This creates a capability floor that rises automatically - the system does not plateau at today's known attack library but actively searches for tomorrow's. OpenAI Research Scientist Dylan Hunn framed this explicitly: 'As more capable models become available, we will have already designed the system that can discover new modes of attack.' [2]The implication is structural: GPT-Red is infrastructure that compounds with model capability rather than a static test suite that goes stale.

The Exploit GPT-Red Invented: Fake Chain-of-Thought Injection

The most consequential finding from GPT-Red's training run is an attack class that OpenAI researchers say they had not previously encountered: fake chain-of-thought (CoT) injection. In this attack, a malicious prompt inserts a fabricated reasoning step into the model's visible chain of thought - effectively spoofing an entry in the model's internal deliberation log. Because the model is trained to trust its own prior reasoning as verified context, it treats the forged premise as established fact and acts accordingly. Research Scientist Chris Choquette-Choo described the mechanic: 'It's like if I told you that 1+1=3 and that you have verified this already.' [2]

This attack surface did not meaningfully exist before reasoning models became the dominant paradigm. Chain-of-thought outputs were originally an interpretability aid; they have since become load-bearing components of how frontier models make decisions. GPT-Red's discovery reveals that externalizing a model's reasoning trace - a feature intended to improve transparency - simultaneously creates a writable attack surface. On GPT-5.1, fake CoT attacks succeeded in over 95% of attempts. On GPT-5.6 Sol, trained against GPT-Red, that rate fell below 10%. [2]

By the Numbers: AI vs. Human Red-Teamers

By the Numbers: AI vs. Human Red-Teamers
Prompt injection attack success rates before and after GPT-Red adversarial training. Data: MIT Technology Review / OpenAI, July 2026.

The performance gap between GPT-Red and human red-teamers is not incremental - it is structural. In internal evaluation scenarios against novel safety environments, GPT-Red succeeded 84% of the time. Human red-teamers in the same tests succeeded 13% of the time. [3]That six-to-one ratio reflects something beyond speed or scale: the model is better at generating attacks that actually work, not merely generating more of them.

The downstream impact on GPT-5.6 Sol is equally striking. Prompt injection attack success rates dropped from over 90% against GPT-5 to under 23% against GPT-5.6 - a reduction of more than three-quarters. GPT-5.6 Sol also recorded six times fewer failures on direct prompt injection benchmarks compared to its predecessor from just four months prior. [3]Critically, OpenAI reports that models trained with GPT-Red showed no increased refusal rates or decreased performance on legitimate tasks - meaning the robustness gains came without the usual capability-safety tradeoff that has historically constrained this work. [4]

Where Human Hackers Still Win

GPT-Red's limitations are as informative as its strengths. The system struggles with two attack categories that human red-teamers handle without difficulty: multi-turn conversational attacks and image-based prompt injections. [2]Multi-turn attacks require strategic patience - building rapport, establishing false context across several exchanges, then exploiting accumulated trust. This is a distinctly human social-engineering skill that does not map cleanly onto single-pass optimization.

Image-based injections exploit the visual modality: instructions embedded in images that the model processes as content rather than commands. Both gaps point to a common underlying weakness - GPT-Red was trained primarily in text-based agentic task environments, and its attack vocabulary reflects that domain. Georgetown CSET's Jessica Ji acknowledged the results while noting that 'human expertise will still be very important,' a view borne out by these specific gaps. [2]OpenAI's decision to keep GPT-Red internal also raises a related accountability question: the same capabilities that make it an effective internal hardening tool would make it dangerous in adversarial hands - and without external access, independent researchers cannot audit whether the claimed improvements hold under conditions OpenAI did not test. [3]

Historical Context

2022-04
Began external red teaming with the DALL-E 2 launch, establishing early precedent for adversarial testing of frontier models before deployment.
2023-12
Formally launched its Red Teaming Network, scaling human-driven adversarial evaluation across external researchers and domain experts.
2026-07-15
Publicly announced GPT-Red and the GPT-5.6 Sol robustness results, marking the shift from human-led to AI-led red teaming at production scale.

Power Map

Key Players
Subject

OpenAI GPT-Red automated red-teaming model

OP

OpenAI

Developer and operator of GPT-Red. Uses it internally to harden frontier models against prompt injection before deployment. Controls the offensive capability and has committed to keeping it internal.

GE

Georgetown University CSET

Independent AI security research body providing third-party expert assessment. Called the approach promising while emphasizing that human expertise remains essential.

RI

Rival AI labs (Anthropic, Google DeepMind, Meta, xAI)

GPT-Red's measurable robustness gains create a credibility benchmark for agentic safety that competing labs must now match in their own deployment pipelines.

EN

Enterprise agentic AI customers

Direct beneficiaries: companies deploying GPT-5.6 in agentic workflows gain protection against a class of attacks that could cause financial and operational harm, as demonstrated by the real-world vending machine manipulation case study.

Fact Check

4 cited
  1. [1] Unlocking Self-Improvement: GPT-Red
  2. [2] Meet GPT-Red: an LLM super-hacker OpenAI built to make its models safer
  3. [3] OpenAI Uses AI Red Team to Strengthen GPT-5.6 Against Prompt Injection Attacks
  4. [4] OpenAI's GPT-Red: AI Learns to Police Itself

Source Articles

Top 5

THE SIGNAL.

Analysts

"Compared to a human red-teamer, the model is very, very good at finding exactly what will work, exactly what's most effective."

Chris Choquette-Choo
Research Scientist, OpenAI

"On fake chain-of-thought injection: 'It's like if I told you that 1+1=3 and that you have verified this already.' The attack exploits the model's tendency to trust its own prior reasoning steps."

Chris Choquette-Choo (on fake CoT mechanics)
Research Scientist, OpenAI

"As more capable models become available, we will have already designed the system that can discover new modes of attack - framing GPT-Red as infrastructure that scales with model capability."

Dylan Hunn
Research Scientist, OpenAI

"The risk surface grows and the blast radius also grows - noting that as AI agents gain more tool access, successful prompt injections cause proportionally greater real-world harm."

Nikhil Kandpal
Research Scientist, OpenAI

"The results look very promising. I think human expertise will still be very important - automation complements but does not replace skilled human red-teamers."

Jessica Ji
Senior Research Analyst, Georgetown CSET
The Crowd

"Introducing GPT-Red An internal automated red teamer on a mission to find our models' prompt injection vulnerabilities at scale, helping us build stronger defenses before wider deployment. https://t.co/GxnmxxcpSk"

@@OpenAI5626

"OpenAI announced GPT-Red, an internal model for finding prompt-injection vulnerabilities at scale. > GPT-Red is a strong red-teamer, and our previous models are highly vulnerable to its prompt injection attacks. > We use GPT-Red to adversarially train GPT-5.6, making it much more robust to prompt injections."

@@testingcatalog68
Broadcast
GPT-Red: OpenAI's Internal AI Red Teamer Explained

GPT-Red: OpenAI's Internal AI Red Teamer Explained

GPT-Red Exposed: OpenAI's Secret AI Weapon Against Hackers

GPT-Red Exposed: OpenAI's Secret AI Weapon Against Hackers

Claude vs GPT: What Red-Teaming Really Reveals (OpenAI x Anthropic)

Claude vs GPT: What Red-Teaming Really Reveals (OpenAI x Anthropic)