OpenAI has unveiled GPT-Red, a new internal AI system designed to uncover security weaknesses in its models before they are released. The company says GPT-Red has already helped make GPT-5.6 its most robust model yet against prompt injection attacks.
Unlike ChatGPT or GPT-5.6, GPT-Red is not a public-facing model. Instead, it is an automated red-teaming system built to simulate real-world attacks against AI models at scale. By identifying vulnerabilities during development, OpenAI can strengthen its production models before they reach users.
Prompt injection attacks have become one of the biggest security challenges for AI assistants. They attempt to trick a model into ignoring its original instructions and instead follow malicious commands hidden in webpages, emails, local files, code repositories, or responses from connected tools. As AI systems gain access to more third-party content, defending against these attacks has become increasingly important.
OpenAI says GPT-Red was trained using self-play reinforcement learning, where it continuously attacks a collection of defender AI models while those models learn to resist the attacks and complete their intended tasks. As the defenders become stronger, GPT-Red is forced to develop increasingly sophisticated attack techniques.
According to OpenAI, GPT-Red was trained using compute comparable to some of the company’s largest post-training runs. The company describes it as its most capable automated safety red-teaming model to date.
During internal testing, GPT-Red successfully found vulnerabilities across OpenAI’s production and research models, including models up to GPT-5.5. Those attacks were then incorporated into the training process for GPT-5.6, improving the model’s resistance to prompt injection.
OpenAI says GPT-5.6 now records six times fewer failures on its most difficult direct prompt injection benchmark compared to its strongest production model from just four months earlier. On a broader set of internal robustness evaluations, GPT-5.6 failed only 0.05% of GPT-Red’s direct prompt injection attempts.
The company also evaluated GPT-Red on security scenarios it had never encountered during training. In a benchmark based on indirect prompt injection research, GPT-Red achieved an 84% attack success rate compared to 13% for human red-teamers, demonstrating its ability to discover vulnerabilities across unfamiliar environments.
OpenAI tested GPT-Red against an AI-powered autonomous vending machine in a realistic security exercise. After developing attacks in a simulated environment, GPT-Red successfully manipulated the production system into lowering the price of expensive products, ordering new inventory at heavily discounted prices, and canceling another customer’s order. OpenAI says the vulnerabilities were disclosed and additional safeguards are now being tested.
In another evaluation, GPT-Red targeted a coding agent powered by GPT-5.4 Mini across a suite of data exfiltration scenarios. OpenAI found that GPT-Red was both more effective and more efficient than a prompted GPT-5.5 baseline at uncovering these security weaknesses.
Despite its capabilities, GPT-Red will remain an internal-only model. OpenAI says it intentionally keeps the system private so its specialized attack techniques cannot be misused. Instead, GPT-Red will continue to be used alongside human red-teamers, third-party security testing, layered safeguards, and real-time monitoring to improve the safety of future AI models.
OpenAI also confirmed that it will publish a technical preprint with additional details about GPT-Red later this week.
