AI/TLDR

OpenAI · 2026-07-15 · major

GPT-Red — OpenAI's AI red-teamer beats humans 84% to 13% on prompt injection

GPT-Red is an internal OpenAI model trained by self-play to attack other AIs. On novel prompt-injection tests it succeeds 84% of the time versus 13% for human red-teamers, and OpenAI used it to make GPT-5.6 six times harder to break.

OpenAI GPT-Red announcement card — Unlocking Self-Improvement for Robustness

OpenAI's internal AI trains itself to break other AIs so OpenAI can patch the holes before shipping.

Key specs

Attack success (gpt red)84%
Attack success (humans)13%
Gpt 5.6 injection failures6× fewer

Quick facts

MakerOpenAI
What it isAutomated red-team model
TrainingSelf-play attacker vs defender
Attack success vs humans84% vs 13%
Used to hardenGPT-5.6 (Sol, Terra, Luna)
AvailabilityInternal only, no API

What is it?

GPT-Red is an OpenAI safety model that automatically probes other AIs for prompt-injection weaknesses. Rather than the static red-team benchmarks OpenAI used to run, GPT-Red sends a live prompt, reads the response, and keeps rewriting its attack until the target misbehaves.

How does it work?

The training loop pits GPT-Red against defender models in reinforcement learning. GPT-Red earns reward when it makes the defender leak secrets or execute an injected instruction; the defender earns reward for finishing the real task. Each side keeps evolving as the other gets stronger.

Why does it matter?

OpenAI credits GPT-Red with making GPT-5.6 roughly six times more robust to direct prompt injection than its best model four months earlier. Fake chain-of-thought injections that succeeded over 95% of the time against GPT-5.1 now succeed under 10% of the time against GPT-5.6 Sol.

Who is it for?

AI safety researchers, red teamers, and security engineers who deploy LLMs behind tools.

Frequently asked questions

Is GPT-Red available in the OpenAI API?
GPT-Red is an internal OpenAI safety model, not a public product. Developers cannot call GPT-Red directly through the API or ChatGPT. OpenAI uses it in-house to attack other OpenAI models during training so real deployments like GPT-5.6 Sol, Terra, and Luna ship with fewer prompt-injection weaknesses.
How does GPT-Red differ from a normal red-team benchmark?
GPT-Red is a live model, not a fixed prompt list. GPT-Red sends a prompt to the target AI, watches the reply, and iterates the attack toward a goal the way a human red-teamer would. Because the target keeps learning to block old tricks, GPT-Red has to invent new ones.
How much more robust is GPT-5.6 because of GPT-Red?
OpenAI reports that GPT-5.6 has roughly six times fewer failures on its hardest prompt-injection benchmark than the best OpenAI production model from four months earlier. Fake chain-of-thought injections that beat GPT-5.1 over 95% of the time now succeed under 10% of the time against GPT-5.6 Sol.
Does hardening against GPT-Red hurt normal answers?
OpenAI says GPT-5.6 does not refuse more legitimate requests or lose accuracy on regular tasks after adversarial training against GPT-Red. OpenAI frames GPT-Red as a way to keep pushing robustness without paying the usual over-refusal tax that comes from generic safety fine-tuning.

Try it

Read the OpenAI post at openai.com/index/unlocking-self-improvement-gpt-red/

Sources · 3 outlets

Tags

  • openai
  • gpt-red
  • ai-safety
  • red-team
  • prompt-injection
  • self-play
  • reinforcement-learning
  • adversarial-training
  • gpt-5-6
  • robustness

← All releases · Learn AI