OpenAI has introduced an internal AI system called GPT-Red, which specifically targets its own language models to identify security vulnerabilities before real attackers can exploit them. According to the manufacturer, direct prompt injection attacks now fail only 0.05 percent of the time in GPT-5.6 Sol, six times less often than in GPT-5.1. The system itself will not be released.
Self-Play Training Gradually Intensifies Attacks
GPT-Red is created through reinforcement learning in self-play: An attacker model and several defender models train against each other in parallel, as OpenAI explains in its own blog. The attacker model receives a reward when it triggers a real vulnerability, such as a successful prompt injection. The defender models are rewarded for fending off the attack while still completing their primary task.
As the defenders improve, GPT-Red must find new, more sophisticated attack vectors. Testing is conducted in simulated everyday scenarios involving files, websites, emails, and tool outputs. Each scenario has a defined threat model: it specifies what control GPT-Red has over the simulated environment. According to OpenAI, early versions of the system have been incorporated into training since GPT-5.3. The training process has reportedly been ongoing for over a year and has consumed significant computational resources.
In tests, GPT-Red identified specific security vulnerabilities that go beyond simple text manipulation. These include reading internal directories, intercepting AWS credentials, and injecting fraudulent payment instructions. In one scenario, the system took control of an autonomous vending machine agent and independently changed prices or canceled orders. Codex CLI agents, which edit code directly in command lines, also came under the simulated attacks’ scrutiny.
A particularly effective method is referred to by OpenAI as “Fake Chain-of-Thought”: here, an attacker injects fake intermediate steps into the visible model reasoning to prompt the system to disclose protected information. According to the company, this trick succeeded in more than 95 percent of cases against GPT-5.1, while the success rate for GPT-5.6 Sol drops to below ten percent. The patterns uncovered are immediately incorporated into new protective mechanisms of the current model generation.
Numbers Show Significant Progress Compared to Older Models
For novel, indirect prompt injection scenarios, GPT-Red claims a success rate of 84 percent. Human testers solve the same tasks only 13 percent of the time – these comparative values remain independently unverified. Routine testing was conducted against six model generations from GPT-5.1 to GPT-5.6 Sol, as well as against real agent systems.
The advantage of the automated system lies primarily in its speed: it can simulate new attack variants around the clock, while human teams must manually design individual scenarios. OpenAI continuously compares the current values with earlier internal test series to make progress visible across multiple model generations.
Jessica Ji from the Georgetown Center for Security and Emerging Technology evaluates the approach in an interview with MIT Technology Review positively. The results appear promising, but human expertise remains crucial to identify gaps in the test scenarios themselves. According to OpenAI, GPT-Red shows significant weaknesses in multi-turn conversational attacks that build over several dialogue rounds, as well as in image-based prompt injection techniques. In both areas, human attackers still deliver better results than the automated system.
GPT-Red itself remains exclusively for internal use and is kept separate from the delivered models to prevent the attack methods from leaking outside. It remains to be seen whether automated red teaming can keep pace with the speed at which agentic AI systems with access to emails, payments, and browsers are being deployed. OpenAI itself had only referred to prompt injection as an ongoing research problem last November, stating that it cannot be solved with a single solution – GPT-Red does not fundamentally change this.


