OpenAI has unveiled GPT-Red, a new internal AI model built to spot vulnerabilities in advanced AI systems before bad actors can exploit them. OpenAI says GPT-Red is already being used during the development of GPT-5.6, making the latest model six times more resilient to the toughest prompt injection attacks than the previous generation.
The
launch of GPT-Red underscores OpenAI’s growing focus on using AI to secure other AI. Instead of relying solely on human
security researchers, the company now uses a sophisticated language model that continuously tries to attack its own systems. The lessons from those attempts are then used to harden future models.
The goal is simple: prevent hacks where possible. Easier said than done—OpenAI and its peers are prime targets.
What is GPT-Red?
GPT-Red is an automated red-teaming model. Red teaming is a practice where security experts deliberately try to deceive or attack a system to uncover vulnerabilities before cybercriminals do.
According to OpenAI, GPT-Red operates much like a human attacker. It crafts an attack, observes how an AI model responds, then adapts its strategy to find new weak points. This cycle repeats thousands of times, enabling GPT-Red to develop increasingly effective attacks.
Defense against prompt injections
OpenAI targets GPT-Red primarily at prompt injections. In these attacks, adversaries hide instructions in webpages, emails, documents, or code. When an AI agent processes that content, it may execute unwanted commands—like exfiltrating sensitive data or performing malicious actions.
As AI assistants gain deeper access to browsers, files, enterprise data, and external apps, OpenAI warns the risk of such attacks is rising. GPT-Red aims to surface these weaknesses during model development.
GPT-5.6 is significantly tougher
OpenAI says GPT-Red is now part of the training process for GPT-5.6 Sol. As a result, the newest model performs far better on security tests.
According to the company:
- the most severe direct prompt injection attacks are six times less likely to succeed than on the previous production model;
- GPT-5.6 Sol passes more than 97 percent of various internal prompt injection tests;
- only 0.05 percent of direct attacks executed by GPT-Red itself succeed.
OpenAI stresses these gains were achieved without increasing refusals of legitimate requests. In other words, stronger security without sacrificing usability.
GPT-Red outperformed human testers
In internal evaluations, OpenAI compared GPT-Red with human red-teamers on new attack scenarios not used in training.
The company reports GPT-Red achieved a successful attack in 84 percent of scenarios, versus 13 percent for human testers. It also uncovered vulnerabilities in experimental AI agents controlling, among other things, a smart vending machine and programming environments. According to OpenAI, those security issues have been reported and are being addressed.
AI is increasingly securing AI
With GPT-Red, OpenAI is embracing an approach where AI systems don’t just assist users—they actively improve the safety of future models.
The company argues that human-only red teaming isn’t scalable as AI systems grow more capable. By having specialized AI models continually devise new attack techniques, vulnerabilities can be found faster and directly folded into new training cycles.
OpenAI calls this a step toward a self-reinforcing security strategy, where today’s AI helps make tomorrow’s models more robust and reliable. The company plans to publish a scientific preprint later this week with more technical details on GPT-Red.