Security

OpenAI uses AI attacker GPT-Red against its own models

3 min read
Server rows in a data center with security code on a monitor in the background, symbolic image for OpenAI's AI security system GPT-Red Image generated with GPT Image 2
Server rows in a data center with security code on a monitor in the background, symbolic image for OpenAI's AI security system GPT-Red

TL;DR Too Long; Didn’t read

OpenAI has introduced GPT-Red: an internal AI system reduces the success rate of direct prompt injection attacks on GPT-5.6 Sol to 0.05 percent. In novel, indirect attacks, GPT-Red still achieves 84 percent, while human testers only reach 13 percent. The automated system remains an exclusively internal tool at OpenAI despite the progress.

Key takeaways

  • GPT-Red is an internal OpenAI system that automatically detects vulnerabilities in its own language models through self-play.
  • An attacker model is trained against multiple defender models, with successful attacks tightening the next training round.
  • Discovered gaps range from credential theft to the manipulation of an autonomous vending machine agent.
  • Georgetown researcher Jessica Ji considers the results promising but continues to advocate for human review.
  • In multi-turn conversations and image-based attacks, human testers still lead.
  • OpenAI deliberately keeps GPT-Red under wraps to avoid sharing attack methods with competitors.

OpenAI has introduced an internal AI system called GPT-Red, which specifically targets its own language models to identify security vulnerabilities before real attackers can exploit them. According to the manufacturer, direct prompt injection attacks now fail only 0.05 percent of the time in GPT-5.6 Sol, six times less often than in GPT-5.1. The system itself will not be released.

Self-Play Training Gradually Intensifies Attacks

GPT-Red is created through reinforcement learning in self-play: An attacker model and several defender models train against each other in parallel, as OpenAI explains in its own blog. The attacker model receives a reward when it triggers a real vulnerability, such as a successful prompt injection. The defender models are rewarded for fending off the attack while still completing their primary task.

As the defenders improve, GPT-Red must find new, more sophisticated attack vectors. Testing is conducted in simulated everyday scenarios involving files, websites, emails, and tool outputs. Each scenario has a defined threat model: it specifies what control GPT-Red has over the simulated environment. According to OpenAI, early versions of the system have been incorporated into training since GPT-5.3. The training process has reportedly been ongoing for over a year and has consumed significant computational resources.

In tests, GPT-Red identified specific security vulnerabilities that go beyond simple text manipulation. These include reading internal directories, intercepting AWS credentials, and injecting fraudulent payment instructions. In one scenario, the system took control of an autonomous vending machine agent and independently changed prices or canceled orders. Codex CLI agents, which edit code directly in command lines, also came under the simulated attacks’ scrutiny.

A particularly effective method is referred to by OpenAI as “Fake Chain-of-Thought”: here, an attacker injects fake intermediate steps into the visible model reasoning to prompt the system to disclose protected information. According to the company, this trick succeeded in more than 95 percent of cases against GPT-5.1, while the success rate for GPT-5.6 Sol drops to below ten percent. The patterns uncovered are immediately incorporated into new protective mechanisms of the current model generation.

Numbers Show Significant Progress Compared to Older Models

For novel, indirect prompt injection scenarios, GPT-Red claims a success rate of 84 percent. Human testers solve the same tasks only 13 percent of the time – these comparative values remain independently unverified. Routine testing was conducted against six model generations from GPT-5.1 to GPT-5.6 Sol, as well as against real agent systems.

The advantage of the automated system lies primarily in its speed: it can simulate new attack variants around the clock, while human teams must manually design individual scenarios. OpenAI continuously compares the current values with earlier internal test series to make progress visible across multiple model generations.

Jessica Ji from the Georgetown Center for Security and Emerging Technology evaluates the approach in an interview with MIT Technology Review positively. The results appear promising, but human expertise remains crucial to identify gaps in the test scenarios themselves. According to OpenAI, GPT-Red shows significant weaknesses in multi-turn conversational attacks that build over several dialogue rounds, as well as in image-based prompt injection techniques. In both areas, human attackers still deliver better results than the automated system.

GPT-Red itself remains exclusively for internal use and is kept separate from the delivered models to prevent the attack methods from leaking outside. It remains to be seen whether automated red teaming can keep pace with the speed at which agentic AI systems with access to emails, payments, and browsers are being deployed. OpenAI itself had only referred to prompt injection as an ongoing research problem last November, stating that it cannot be solved with a single solution – GPT-Red does not fundamentally change this.

Frequently asked questions

Is GPT-Red publicly accessible?

No, OpenAI keeps the system exclusively internal and deliberately separates it from the delivered products.

Which models were tested with GPT-Red?

The tests included the model series from GPT-5.1 to GPT-5.6 Sol as well as real agent systems like a vending machine agent and Codex CLI tools.

What is a prompt injection?

Attackers inject hidden instructions into texts, websites, or emails to prompt an AI model to perform unwanted actions.

Where does GPT-Red still have weaknesses?

In multi-turn conversational attacks over several dialogue rounds and in image-based prompt injections, human testers continue to deliver better results.

Since when has GPT-Red been included in training?

According to OpenAI, early versions of the system have been used since GPT-5.3 to harden the models.


← Back to the blog