OpenAI has disclosed GPT-Red, an internal automated red-teaming model built to find security flaws in its AI systems before attackers do, according to a blog post the company published on July 15.
How it works
GPT-Red is trained with self-play reinforcement learning: it acts as an attacker trying to manipulate a target model through prompt injection hidden in emails, webpages, files, or code, while a separate defender model tries to resist and stay on task. OpenAI says GPT-Red is rewarded for triggering genuine failures, and the defender is rewarded for holding the line, pushing both to improve against each other over repeated rounds.
In evaluations against novel, previously unseen attack scenarios, GPT-Red succeeded 84% of the time, compared with 13% for human red-teamers, OpenAI said. The company used the exploits GPT-Red discovered to adversarially retrain its latest model, GPT-5.6 Sol, which it says now fails just 0.05% of the time on OpenAI’s hardest direct prompt-injection benchmark — a sixfold reduction in failures compared with the production model from four months earlier. One attack pattern GPT-Red found, dubbed “Fake Chain-of-Thought,” worked on GPT-5.1 95% of the time; on GPT-5.6 Sol that fell to under 10%.
Real-world style tests
OpenAI said GPT-Red also probed practical scenarios, including manipulating a simulated AI-run vending machine into slashing prices to $0.50, placing a high-value order at that price, and cancelling another customer’s order, as well as attempting data exfiltration against a Codex CLI coding agent. The company said it tested for capability trade-offs and found the added robustness did not measurably reduce the models’ general performance or cause excessive refusals of legitimate requests.
Staying internal
OpenAI is not releasing GPT-Red to ChatGPT users or API developers. Because it was deliberately trained to find and exploit weaknesses, the company is keeping it walled off from public production systems to prevent its attack capabilities from being misused.
The disclosure comes as AI agents are increasingly given access to email, browsers, and file systems, widening the surface for prompt-injection attacks — a risk regulators and independent safety testers have flagged repeatedly this year.