OpenAI · 2026-07-15 · major
GPT-Red — OpenAI's AI red-teamer beats humans 84% to 13% on prompt injection
GPT-Red is an internal OpenAI model trained by self-play to attack other AIs. On novel prompt-injection tests it succeeds 84% of the time versus 13% for human red-teamers, and OpenAI used it to make GPT-5.6 six times harder to break.

OpenAI's internal AI trains itself to break other AIs so OpenAI can patch the holes before shipping.
Key specs
| Attack success (gpt red) | 84% |
|---|---|
| Attack success (humans) | 13% |
| Gpt 5.6 injection failures | 6× fewer |
Quick facts
| Maker | OpenAI |
|---|---|
| What it is | Automated red-team model |
| Training | Self-play attacker vs defender |
| Attack success vs humans | 84% vs 13% |
| Used to harden | GPT-5.6 (Sol, Terra, Luna) |
| Availability | Internal only, no API |
What is it?
GPT-Red is an OpenAI safety model that automatically probes other AIs for prompt-injection weaknesses. Rather than the static red-team benchmarks OpenAI used to run, GPT-Red sends a live prompt, reads the response, and keeps rewriting its attack until the target misbehaves.
How does it work?
The training loop pits GPT-Red against defender models in reinforcement learning. GPT-Red earns reward when it makes the defender leak secrets or execute an injected instruction; the defender earns reward for finishing the real task. Each side keeps evolving as the other gets stronger.
Why does it matter?
OpenAI credits GPT-Red with making GPT-5.6 roughly six times more robust to direct prompt injection than its best model four months earlier. Fake chain-of-thought injections that succeeded over 95% of the time against GPT-5.1 now succeed under 10% of the time against GPT-5.6 Sol.
Who is it for?
AI safety researchers, red teamers, and security engineers who deploy LLMs behind tools.
Frequently asked questions
- Is GPT-Red available in the OpenAI API?
- GPT-Red is an internal OpenAI safety model, not a public product. Developers cannot call GPT-Red directly through the API or ChatGPT. OpenAI uses it in-house to attack other OpenAI models during training so real deployments like GPT-5.6 Sol, Terra, and Luna ship with fewer prompt-injection weaknesses.
- How does GPT-Red differ from a normal red-team benchmark?
- GPT-Red is a live model, not a fixed prompt list. GPT-Red sends a prompt to the target AI, watches the reply, and iterates the attack toward a goal the way a human red-teamer would. Because the target keeps learning to block old tricks, GPT-Red has to invent new ones.
- How much more robust is GPT-5.6 because of GPT-Red?
- OpenAI reports that GPT-5.6 has roughly six times fewer failures on its hardest prompt-injection benchmark than the best OpenAI production model from four months earlier. Fake chain-of-thought injections that beat GPT-5.1 over 95% of the time now succeed under 10% of the time against GPT-5.6 Sol.
- Does hardening against GPT-Red hurt normal answers?
- OpenAI says GPT-5.6 does not refuse more legitimate requests or lose accuracy on regular tasks after adversarial training against GPT-Red. OpenAI frames GPT-Red as a way to keep pushing robustness without paying the usual over-refusal tax that comes from generic safety fine-tuning.
Try it
Read the OpenAI post at openai.com/index/unlocking-self-improvement-gpt-red/