Jul 18, 2026
AI

OpenAI uses GPT-Red to automate attacks on its own models

OpenAI says an internal red-team model found attacks far more often than human testers, though prompt-injection failures remain unresolved.

Wei-Lin Zhao

By Wei-Lin Zhao · AI Correspondent

· 3 min read

OpenAI uses GPT-Red to automate attacks on its own models
Photo: The Decoder

OpenAI has built an internal system, GPT-Red, to automatically attack its own GPT models and feed the results back into training. The company says the system found successful attacks in 84% of tested scenarios, compared with 13% for human red teamers, a gap that could change how AI labs test models before deployment.

GPT-Red is designed to simulate prompt injections and related attacks, including cases where malicious instructions are embedded in emails, websites or files. OpenAI says it trained the model with self-play reinforcement learning: attacker models try to compromise defender models, defender models try to block them, and both sides improve through repeated runs.

The work targets one of the more stubborn problems in agentic AI. Models connected to external tools, inboxes, documents or commerce systems can be exposed to instructions from untrusted content. If those instructions override a user’s intent or system rules, the model can take actions it should not take. OpenAI’s example was concrete: in one test, GPT-Red manipulated an AI-powered vending machine in the company’s office, changed prices and canceled orders from other customers.

Better test coverage, not a solved problem

OpenAI says the attacks discovered by GPT-Red are now used directly in model training. The company claims GPT-5.6 Sol has six times fewer failures on direct prompt-injection tests than its strongest model from four months earlier, while maintaining general performance. OpenAI did not disclose the full benchmark design in the announcement, and said a paper with more detail will follow.

The remaining failure rate is the part operators will care about. OpenAI says about 3.8% of “stronger” prompt-injection attempts still succeed. At low volume, that may sound contained. At the scale of an agent handling hundreds or thousands of external inputs, a single-digit failure rate can still produce a meaningful number of successful compromises.

The Decoder compared that residual exposure with reported behavior from Anthropic’s Claude Opus 4.5, which it said also resists prompt injections better than rivals but still fails under stronger attacks. The comparison points to the same operational constraint across frontier models: better red teaming reduces the attack surface, but does not remove it.

Internal tool, external signal

GPT-Red will remain internal, according to OpenAI. That limits outside scrutiny for now and leaves unanswered questions about test distribution, attack diversity and whether the measured gains hold in customer environments with messy permissions, legacy systems and unpredictable content.

Even with those caveats, the approach is notable for AI infrastructure teams and buyers. Manual red teaming is expensive and slow, and it rarely covers the long tail of adversarial inputs that production agents will see. If automated attackers can generate stronger tests at scale, model providers can harden systems faster. The same result also underscores why companies rolling out AI agents still need containment, permissions and monitoring rather than relying on model behavior alone.

This story draws on original reporting from The Decoder.

More from AI

All AI →