OpenAI introduced GPT-Red on July 15th, an internal automated red-teaming model built to find prompt injection vulnerabilities at scale and feed those attacks back into the training of production models.
The company framed GPT-Red as a safety tool for the agent era: models that browse the web, read local files, call tools, and interact with connected apps are exposed to hostile instructions embedded in third-party data. In an accompanying research post, OpenAI described prompt injection examples involving emails, webpages, tool responses, code repositories, credential exfiltration, fraudulent payment instructions, and attempts to disable account security.
GPT-Red is not a public product. OpenAI says it keeps the model separate from deployed systems because it is specifically trained to produce malicious prompt injection attacks. That separation is the key operational claim in the announcement: OpenAI wants the benefits of an attack model inside its training pipeline without giving outside attackers the same tool.
The timing is tied directly to GPT-5.6. OpenAI made the GPT-5.6 family generally available on July 9th across ChatGPT, Codex, and the API, with Sol as the flagship model, Terra as a lower-cost option, and Luna as the fast, cheaper tier. In that launch post, OpenAI said it combined human red teaming with large-scale automated testing before general availability and described the system as its most robust safety stack to date.
GPT-Red is the clearest look yet at what that automated testing means in practice. OpenAI says GPT-Red was trained through self-play reinforcement learning against a collection of defender models across a broad set of red-teaming scenarios. In those environments, GPT-Red is rewarded for eliciting a valid failure, while the defender models are rewarded for resisting the attack and completing the original task.
That setup turns red teaming into a training loop rather than a one-off audit. As defenders improve, GPT-Red has to find stronger attacks. OpenAI says GPT-Red can control parts of a local file, webpage banner, email body, or tool output, depending on the threat model for a given environment. That matters because prompt injection is rarely a clean chat prompt from a user. It often arrives inside the data an agent has been asked to trust.
OpenAI says GPT-Red can break nearly all internal and production models it was pitted against up to and including GPT-5.5. After GPT-Red completed training, OpenAI used it to generate prompt injections for GPT-5.6 training. The company says GPT-5.6 Sol now has 6x fewer failures on OpenAI's hardest direct prompt injection benchmark than its best production model from four months earlier.
The strongest published comparison is against humans. OpenAI tested GPT-Red on an internal mirror of the indirect prompt injection arena from Dziemian et al. (2025), using scenarios and goals distinct from those used to train GPT-Red. GPT-Red found successful attacks in 84% of scenarios, compared with 13% for human red-teamers, according to OpenAI.
OpenAI also disclosed two applied case studies. In one, GPT-Red attacked an AI-powered vending machine agent in an OpenAI office, built by Andon Labs. After testing attacks in simulation and then transferring them to the live production agent, GPT-Red caused the agent to change the price of an expensive in-stock item to $0.50, order a new item worth more than $100 and offer it for $0.50, and cancel another customer's order. OpenAI says it disclosed those vulnerabilities and that new safeguards are being tested.
In another case, OpenAI used GPT-Red against a Codex CLI agent based on GPT-5.4 mini across 10 held-out data-exfiltration scenarios. OpenAI says GPT-Red was more effective and more token efficient than a prompted GPT-5.5 baseline at getting the agent to exfiltrate sensitive data.
The numbers are company-reported, and OpenAI has not yet published the underlying paper. The research post says a preprint with more details is expected later this week. Until then, the public evidence is limited to OpenAI's own benchmarks, selected case studies, and summary metrics.
Still, the direction is clear. OpenAI is using increasingly capable models to automate parts of its own safety work, the same self-improvement pattern it has already described for model capability research. In its GPT-5.6 launch materials, OpenAI said GPT-5.6 is used internally for debugging research systems, optimizing training recipes, running experiments, and improving another model. GPT-Red applies a version of that loop to security: today's model searches for attacks that become tomorrow's training data.
The most important result is the reduction in successful attacks against GPT-5.6 Sol. OpenAI says an early version of GPT-Red found a class of direct prompt injection attacks it calls "Fake Chain-of-Thought" attacks. Those attacks succeeded more than 95% of the time against GPT-5.1, according to OpenAI, and are now below 10% for GPT-5.6 Sol. Across a broader set of robustness environments, OpenAI says GPT-5.6 Sol fails on only 0.05% of GPT-Red's direct prompt injections.
OpenAI also says those gains did not come from making the model refuse more legitimate work. The company says it tested general frontier capabilities and targeted over-refusal tasks, and found normal capabilities were unaffected while robustness improved. That claim is central because a model can appear safer by doing less. For developers using agents in production workflows, safety that breaks normal tool use is a product failure, even when the refusal is well-intentioned.
The release also shows how OpenAI is positioning prompt injection as a first-order deployment risk for agents, not a niche jailbreak category. GPT-5.6's system card says the model family is a meaningful step up in cybersecurity capability while remaining below OpenAI's Critical threshold, and that OpenAI has taken a conservative approach to safeguards because adaptive attacks remain a live concern.
GPT-Red does not solve the incentive problem around model security. OpenAI is asking users and developers to trust a closed internal attacker, internal benchmarks, and undisclosed training details. But the architecture of the response is notable: OpenAI is putting real training compute into adversarial safety models and folding the resulting attacks directly into model development, rather than treating red teaming as a final pre-launch checklist.
That shift changes the cadence of AI security. Human red teams can find creative failures, but OpenAI's argument is that they cannot produce the volume or diversity of attacks needed to keep up with agentic models. GPT-Red is OpenAI's attempt to make that bottleneck computational: train an attacker, use it to harden a defender, then train a stronger attacker against the hardened model.
For customers building agents on top of GPT-5.6, the practical question is whether those internal gains hold up against messy production data, connected SaaS tools, permissioned documents, and adversaries that can adapt faster than a benchmark. OpenAI's own examples point to the risk: a vending machine agent can be manipulated into changing prices and cancelling orders, and a coding agent can be pushed toward data exfiltration. Those are business-process failures, not parlor tricks. OpenAI says it will continue scaling compute and data for future GPT-Red versions. The company has now put a name on the security flywheel it wants to build: stronger models attack current systems, those attacks train more robust models, and the cycle repeats before broader deployment.