OpenAI unveils GPT-Red to harden GPT-5.6 against attacks
Thu, 16th Jul 2026 (Today)
OpenAI has introduced GPT-Red, an internal automated red-teaming model designed to find vulnerabilities in its AI systems. It has used the model to train GPT-5.6 to better resist prompt injection attacks.
The system is part of a broader OpenAI effort to automate parts of the safety testing process as AI models grow more complex and gain access to browsers, connected apps, files, and other external tools.
Red-teaming is used across the industry to test whether models can be manipulated into unsafe or unintended behaviour. In AI systems that interact with external data sources, one common risk is prompt injection, in which hidden instructions embedded in a webpage, file, or message try to override the model's intended task and push it toward actions such as exposing sensitive information.
GPT-Red was trained to act as an attacker in repeated adversarial exercises. It sends prompts, observes the target model's responses, and iterates in an effort to trigger a valid vulnerability, while defender models are trained in parallel to resist those attempts and still complete their original tasks.
OpenAI said GPT-Red was trained using self-play reinforcement learning and a broad set of simulated attack environments. Those environments are meant to reflect realistic scenarios in which a model may encounter malicious content in local files, webpages, or other third-party sources.
OpenAI trained GPT-Red using a level of compute comparable to some of its largest post-training runs, describing it as a substantial allocation of resources focused specifically on safety work rather than product performance.
Benchmark results
In its own testing, OpenAI said GPT-Red was able to compromise nearly all models it was tested against, including internal systems and production models up to GPT-5.5. After that training phase, the company used GPT-Red to generate attack data for GPT-5.6 to make the newer model more resistant to the same methods.
OpenAI said GPT-5.6 Sol, its latest production model referenced in the research, recorded six times fewer vulnerabilities on its hardest direct prompt injection benchmark than its best production model from four months earlier. It also said GPT-5.6 Sol resists 99.95% of GPT-Red's direct prompt injections across a broad set of robustness environments.
Some prompt injection tests aimed at developer tools and browsing now return accuracy rates above 97% on OpenAI's latest model, according to the company. It also highlighted a category of attacks it called "Fake Chain-of-Thought" attacks, which it said succeeded more than 95% of the time against GPT-5.1 but now succeed less than 10% of the time against GPT-5.6 Sol.
Human comparison
OpenAI also tested GPT-Red against human red-teamers in a replicated version of an indirect prompt injection evaluation based on work by Dziemian and others. In that test, GPT-Red succeeded in 84% of scenarios, compared with 13% for human participants, according to the company.
That result is likely to draw attention because human safety testing remains a core part of model evaluation across leading AI labs. OpenAI argued that human teams remain important for finding vulnerabilities before deployment, but that manual exercises are slower and produce fewer examples than are needed to train stronger safeguards at scale.
Live system tests
OpenAI also described experiments against live agentic systems. In one case, GPT-Red was used against an AI-powered vending machine system in OpenAI's office built by Andon Labs.
OpenAI said GPT-Red first tested attacks in a simulation environment and then transferred them to the live system. It achieved three stated goals: lowering the price of an expensive in-stock item to USD $0.50, ordering a new item priced above USD $100 and offering it for USD $0.50, and cancelling another customer's order.
OpenAI said it disclosed those vulnerabilities and that safeguards are being tested. In another test, the company used GPT-Red against a Codex CLI agent based on GPT-5.4 Mini across 10 held-out data exfiltration scenarios, and said GPT-Red outperformed a prompted GPT-5.5 baseline in both attack success and token use.
Internal separation
OpenAI said GPT-Red is kept separate from the models it deploys publicly. The aim is to isolate the malicious behaviours deliberately trained into the system while transferring the resulting defensive improvements into production models.
OpenAI also said it had been using earlier versions of automated red-teamers in successive production releases since GPT-5.3. Over that period, each release has become more resistant to the attacks generated by those systems, it said.
One of the central questions for automated safety work is whether a model appears safer simply because it refuses more tasks or performs less effectively. OpenAI said it tested for over-refusal and broader frontier performance, and found that normal capabilities remained intact while robustness improved.
"We keep GPT-Red separate from the models we deploy," OpenAI said.