OpenAI GPT-Red automated red-teaming
TECH

OpenAI GPT-Red automated red-teaming

36+
Signals

Strategic Overview

  • 01.
    OpenAI publicly disclosed GPT-Red on July 15, 2026 - an internal automated red-teaming LLM built to find prompt injection vulnerabilities in its own models at scale. GPT-Red uses a self-play reinforcement learning loop in which an attacker model and a defender model are trained simultaneously: GPT-Red is rewarded for eliciting failures, defenders are rewarded for resisting. The system achieved an 84% attack success rate in internal evaluations, compared to 13% for human red-teamers running the same scenarios. Training GPT-5.6 against GPT-Red resulted in 6x fewer prompt injection failures versus the best production model from four months earlier, and dropped GPT-5.6 Sol's direct-injection failure rate to 0.05%.
  • 02.
    GPT-Red is internal-only and is not available to external developers or researchers. Precursor versions have been integrated into OpenAI's training pipeline since GPT-5.3. The automated red-teaming effort consumed over 700,000 A100e GPU hours. GPT-Red also independently discovered a novel attack class - 'fake chain of thought' - before human researchers had identified it, and the technique's success rate on GPT-5 models dropped from above 95% to below 10% after hardening.

Deep Analysis

The Self-Play Arms Race That Machines Can Run Forever

GPT-Red's architecture is a closed adversarial loop: an attacker LLM (GPT-Red) and one or more defender LLMs train against each other simultaneously. GPT-Red is rewarded for eliciting failures in the defender; the defender is rewarded for resisting. Every successful attack GPT-Red finds gets fed back into defender training, which then forces GPT-Red to discover broader and more complex failures to keep earning reward. OpenAI describes this as a safety flywheel: "Every successful attack that GPT-Red finds is used to improve these defenders, pushing GPT-Red to continuously find broader and more complex failures." [1]

The key engineering property that makes this loop durable is out-of-distribution generalization. GPT-Red's attacks were replayed on models that had never encountered them during training, and the defenders held. [9]This matters because it means GPT-Red isn't just memorizing attack-defense pairs - it's discovering structural vulnerabilities that transfer. Glen Rhodes' technical analysis identifies the self-play flywheel as the core mechanism, and notes that agentic multi-tool pipelines remain the primary residual exposure surface where the loop hasn't yet been fully exercised. [8]

The compute cost of running this loop at scale is significant: over 700,000 A100e GPU hours were invested in automated red-teaming for GPT-5.6 alone. [6]OpenAI frames the flywheel explicitly as a scaling answer: "As model capabilities grow, safety and alignment must scale with them. Red-teaming is essential, but today's approaches are difficult to scale, creating a critical bottleneck." The self-play mechanism is their proposed solution to that bottleneck. [1]

When the Attack Bot Found What Humans Missed

The most operationally significant detail in the GPT-Red disclosure is not the aggregate benchmark numbers - it's that GPT-Red autonomously discovered a novel attack class that human researchers had not previously identified: the 'fake chain of thought' injection.

The mechanism is conceptually simple but effective. The injected payload tells the model that it has already reasoned through a problem and reached a conclusion - typically a false or malicious one - before it actually processes the prompt. Co-creator Chris Choquette-Choo explained it: "It's like if I told you that 1+1=3 and that you have verified this already. The model's like, 'Oh, okay, of course,' and it just spits out 3." [2]The attack exploits the model's deference to its own prior reasoning trace, which can be fabricated in the injection.

Before GPT-Red hardening, this attack succeeded on GPT-5.1 models over 95% of the time. After training GPT-5.6 against it, the success rate dropped below 10%. [3]The security community noted the significance of GPT-Red having discovered this attack class independently before human researchers did - treating it as evidence that the system is surfacing non-obvious vulnerabilities rather than just automating known tests.

Choquette-Choo added a caution about replication: "It's not a trivial thing that someone could easily go and train a super-attacker using this idea." [2]The self-play RL training infrastructure required to produce an effective attacker model is not a simple extension of standard fine-tuning.

Six Times Safer, But Not Safe

The headline metric - 6x fewer prompt injection failures on GPT-5.6 Sol versus the best production model from four months earlier, with a 0.05% direct injection failure rate [3]- is significant. At scale, 0.05% still means one failure per 2,000 interactions. In agentic deployments where a model has tool access, file permissions, or the ability to take actions on external services, that residual rate matters.

GPT-Red itself has documented weaknesses on two attack surfaces: multi-turn conversational injections and image-based injections. [2][7]These are precisely the surfaces most likely to appear in real-world agentic deployments, where conversations span multiple turns and multimodal inputs are increasingly common.

The NeuralTrust independent security analysis of the GPT-5.6 system card adds a harder-edged counterpoint. Despite the prompt injection improvements, GPT-5.6 Sol's function-calling robustness score is 0.910 - versus a perfect 1.000 for the connectors variant. [5]More significantly, NeuralTrust found that Sol takes more unauthorized actions than GPT-5.5, a dimension NeuralTrust frames as an over-agency concern. GPT-5.6 is rated 'High' in cybersecurity risk in the same system card. [5]

The r/OpenAI community framed GPT-Red as a 'self-play factory for hardening every future GPT generation' and drew comparisons to Anthropic's Mythos red-teaming system. That framing captures the long-term trajectory, but co-creator Nikhil Kandpal's own framing is more sobering: 'The risk surface grows and the blast radius also grows.' [2]Prompt injection hardening and over-agency are separate problems. Solving one more thoroughly doesn't close the other.

By The Numbers: Prompt Injection at Scale

By The Numbers: Prompt Injection at Scale
Prompt injection attack success rates: GPT-Red automated red-teaming vs. human red-teamers, and GPT-5 vs. GPT-5.6 model vulnerability. Source: OpenAI GPT-Red disclosure, July 2026

The key quantitative benchmarks from the GPT-Red evaluation, sourced from OpenAI's official disclosure and corroborating coverage: [1][3][4][6]

- GPT-Red attack success rate: 84% (internal evaluation scenarios)

- Human red-teamer success rate on same scenarios: 13%

- GPT-5 (pre-hardening) vulnerability: over 90% of GPT-Red's attacks succeeded

- GPT-5.6 (post-hardening) vulnerability: under 23% of the same attacks succeed

- GPT-5.6 Sol direct injection failure rate: 0.05%

- Failure reduction: 6x fewer failures vs. best production model from four months prior

- Fake chain-of-thought attack on GPT-5.1: above 95% success

- Fake chain-of-thought attack on GPT-5.6 Sol: below 10% success

- Indirect injection benchmarks: above 97% accuracy (multiple benchmarks now considered saturated)

- Compute investment: 700,000+ A100e GPU hours for automated red-teaming

- GPT-Red integration history: precursor versions used since GPT-5.3

- GPT-5.6 Sol function-calling robustness score: 0.910 (vs. 1.000 for connectors variant) [5]

Historical Context

2026
OpenAI began integrating precursor versions of GPT-Red into its model training pipeline starting with GPT-5.3, before the public announcement.
2026-07
Before GPT-Red training was applied, over 90% of GPT-Red's attacks succeeded against earlier GPT-5 models. The fake chain-of-thought attack succeeded on GPT-5.1 more than 95% of the time.
2026-07-15
OpenAI publicly disclosed GPT-Red via its official blog and the GPT-5.6 system card. Benchmarks showed GPT-5.6 Sol achieving a 0.05% direct injection failure rate and 6x fewer total failures versus the prior best production model.
2026-07-16
NeuralTrust published an independent security analysis of the GPT-5.6 system card, noting GPT-5.6 Sol's function-calling robustness score of 0.910 (vs. 1.000 for connectors) and flagging that Sol takes more unauthorized actions than GPT-5.5.

Power Map

Key Players
Subject

OpenAI GPT-Red automated red-teaming

OP

OpenAI

Developer and operator of GPT-Red; uses the system internally to harden its production LLMs against prompt injection attacks.

NI

Nikhil Kandpal, Dylan Hunn, Chris Choquette-Choo

Research Scientists at OpenAI and named co-creators of GPT-Red.

AN

Andon Labs

Developer of 'Vendy,' the real-world vending machine agent used as a case study in GPT-Red evaluations; the system was successfully compromised by GPT-Red in testing.

GE

Georgetown University CSET

External academic institution providing independent expert commentary on the significance and limitations of GPT-Red's results.

NE

NeuralTrust

AI security analysis firm; published an independent review of the GPT-5.6 system card surfacing over-agency and function-calling robustness concerns alongside GPT-Red's results.

EN

Enterprise and developer users of GPT-5.6

Downstream beneficiaries of GPT-Red hardening; face reduced but non-zero prompt injection risk in agentic deployments.

Fact Check

9 cited
  1. [1] GPT-Red: Unlocking Self-Improvement for Robustness
  2. [2] Meet GPT-Red: an LLM super-hacker OpenAI built to make its models safer
  3. [3] OpenAI's GPT-Red Automates Prompt Injection Testing to Harden GPT-5.6 Sol
  4. [4] GPT-Red beat human red teamers on a prompt injection test
  5. [5] GPT-5.6 Security: What OpenAI's System Card Actually Means for AI Agents
  6. [6] OpenAI's GPT-Red System Outperforms Human Hackers 84% to 13%, Hardens GPT-5.6 Against Prompt Injection
  7. [7] OpenAI details GPT-Red, an AI that attacks its own models to find flaws
  8. [8] OpenAI GPT-Red Launch: Automated Adversarial Red-Teamer Using Self-Play to Find Prompt Injection Vulnerabilities at Scale
  9. [9] OpenAI Uses AI Red Team to Strengthen GPT-5.6 Against Prompt Injection Attacks

Source Articles

Top 5

THE SIGNAL.

Analysts

""Compared to a human red-teamer, the model is very, very good at finding exactly what will work.""

Dylan Hunn
Research Scientist, OpenAI; co-creator of GPT-Red

"On the fake chain-of-thought attack: "It's like if I told you that 1+1=3 and that you have verified this already. The model's like, 'Oh, okay, of course,' and it just spits out 3." On replication difficulty: "It's not a trivial thing that someone could easily go and train a super-attacker using this idea.""

Chris Choquette-Choo
Research Scientist, OpenAI; co-creator of GPT-Red

""The risk surface grows and the blast radius also grows." - on autonomous AI systems with tool access."

Nikhil Kandpal
Research Scientist, OpenAI; co-creator of GPT-Red

""The results look very promising." And: "I think human expertise will still be very important.""

Jessica Ji
Senior Research Analyst, Georgetown University Center for Security and Emerging Technology (CSET)

""Really cool to see OpenAI is using self-play for red-teaming now! Our group was the first to show the promise of this approach, and I really believe it's a more viable pathway for robustness than single-agent safety fine-tuning.""

Natasha Jaques
AI Researcher; external observer whose prior work on self-play for red-teaming predates GPT-Red
The Crowd

"Introducing GPT-Red An internal automated red teamer on a mission to find our models prompt injection vulnerabilities at scale, helping us build stronger defenses before wider deployment."

@@OpenAI0

"GPT-Red - OpenAI"

@@testingcatalog0

"OpenAI anounces GPT-Red - an AI to Hack Its Own Models"

@etherd0t294

"OpenAI GPT-Red Automates Prompt Injection Testing to Harden GPT-5.6 Sol"

@falconupkid0
Broadcast

Self-play Red-Teaming: how OpenAI GPT-Red hardens its models