OpenAI built GPT-Red, an AI hacker that attacks its own models to find security flaws

Reviewed byNidhi Govil

6 Sources

Share

OpenAI developed GPT-Red, an LLM super-hacker that hunts for prompt injection vulnerabilities in its AI systems before release. The automated red-teaming model outperformed human testers, succeeding in 84% of attack scenarios compared to 13% for humans. OpenAI used GPT-Red to train GPT-5.6, making it six times more robust against direct prompt injection attacks than GPT-5.5.

OpenAI Deploys GPT-Red to Automate AI Red Teaming

OpenAI has built GPT-Red, an automated red-teaming model designed to attack its own AI systems and uncover prompt injection vulnerabilities before they reach users. The company revealed this week that it used GPT-Red as a sparring partner during the development of GPT-5.6, its latest flagship model released last week, making it the most robust release against cyberattacks to date [1](https://www.technologyreview.com/2026/07/15/1140514/meet-gpt-red-an-llm-super-hacker-openai-built-to-make-its-models- safer/).

The LLM super-hacker automates the security evaluation process traditionally handled by human red-teamers, who deliberately attempt to break systems to identify weaknesses. As large language models become more complex and take on roles as autonomous agents that interact with files, websites, and third-party code, the attack surface expands dramatically. "The risk surface grows and the blast radius also grows," says Nikhil Kandpal, a research scientist at OpenAI who co-created GPT-Red

1

.

Source: Digit

Source: Digit

Self-Play Reinforcement Learning Powers Attack Discovery

GPT-Red was trained using self-play reinforcement learning, where it battles against multiple defender models in an adversarial loop. The system earns rewards for successful exploits while defender models are rewarded for resisting attacks and completing their original tasks

2

. Over many rounds, GPT-Red became increasingly skilled at finding attack vectors, while the defenders developed stronger safeguards.

Source: MIT Tech Review

Source: MIT Tech Review

OpenAI designed a training environment that mimics real-world scenarios where AI systems might be deployed, including browsing the web, reading emails or calendar apps, and editing code. When GPT-Red discovers a new type of attack, it explores multiple variations to identify the most efficient approach for specific scenarios. "Compared to a human red-teamer, the model is very, very good at finding exactly what will work, exactly what's most effective," says Dylan Hunn, a research scientist and co-creator of GPT-Red

1

. The company poured unprecedented compute resources into training the model, marking one of its largest investments in AI safety work

3

.

Fake Chain of Thought Attack Emerges as Novel Threat

GPT-Red uncovered a previously unknown class of attack called fake chain of thought, which targets the internal reasoning process that AI models use to work through problems. A chain of thought functions like a diary where an LLM makes notes and tracks partial results. GPT-Red found a way to insert false entries into another model's chain of thought, tricking it into acting on spoofed information. "It's like if I told you that 1+1=3 and that you have verified this already," explains Chris Choquette-Choo, another research scientist on the team. "The model's like, 'Oh, of course,' and it just spits out 3"

1

.

This discovery represents the kind of novel failure modes that automated systems can uncover at scale. Early versions of GPT-Red achieved success rates above 95% against GPT-5.1 using fake chain of thought attacks, but those rates have dropped below 10% for GPT-5.6 Sol after incorporating defenses

2

.

Real-World Testing Against Autonomous Agents

OpenAI put GPT-Red through practical tests against live systems. In one case study, the AI hacker targeted Vendy, a vending machine agent developed by Andon Labs that handles real transactions. After practicing in simulation, GPT-Red successfully lowered the price of an expensive item to the minimum allowed price of $0.50, ordered a new $100 item for that same amount, and canceled another customer's order

2

. The vulnerabilities were disclosed responsibly, and fresh safeguards are now being tested.

In another test, GPT-Red attacked a Codex command-line agent based on GPT-5.4 mini across 10 data-exfiltration tasks, causing sensitive data to be transmitted in more cases than a prompted GPT-5.5 baseline

2

. These real-world scenarios demonstrate how prompt injection attacks could manifest as AI systems gain more autonomy and access to sensitive operations.

Performance Metrics Show Dramatic Security Improvements

The numbers tell a striking story about GPT-Red's effectiveness. When OpenAI reran an experiment from 2025 where human red-teamers tried to find weaknesses in an earlier version of GPT-5, GPT-Red succeeded in 84% of scenarios compared to just 13% for human red-teamers

4

. More than 90% of GPT-Red's strongest attacks worked against GPT-5, released in August last year, but fewer than 23% succeeded against the new GPT-5.6

1

.

Source: Hacker News

Source: Hacker News

GPT-5.6 Sol achieves six times fewer failures against direct prompt injection benchmarks compared to GPT-5.5, which was released just four months earlier

2

. Several indirect prompt injection benchmarks targeting attacks in developer tools and browsing have been saturated by the latest model, with accuracy exceeding 97%

2

. Against GPT-Red's direct prompt injections specifically, GPT-5.6 Sol fails on only 0.05% of attempts

2

.

Model Kept Internal Due to Offensive Capabilities

OpenAI has decided not to release GPT-Red publicly, keeping it as an internal tool separate from deployed models. The company maintains this separation to prevent the offensive capabilities built into the system from reaching bad actors who constantly seek ways to bypass AI model safety measures

2

. "It's not a trivial thing that someone could easily do, just go and train a super-attacker using this idea," Choquette-Choo said

3

.

This marks a significant decision in the ongoing debate about AI safety disclosure. While OpenAI has previously shared research and models publicly, GPT-Red joins a growing category of AI systems that labs choose to keep locked down. The company feeds findings from GPT-Red back into training processes, and precursor versions have been used in training since GPT-5.3

5

.

Limitations and the Continued Need for Human Expertise

Despite its capabilities, GPT-Red has notable blind spots. The system struggles with multi-turn conversational attacks that unfold over several exchanges, something human attackers handle with ease. It also has limited effectiveness at using images to hide malicious instructions, an attack vector that remains largely the domain of human red-teamers

1

.

Jessica Ji, a senior research analyst who works on AI security at Georgetown University's Center for Security and Emerging Technology, views the self-play approach positively. "The results look very promising," she says, while emphasizing that "human expertise will still be very important"

3

. This suggests that GPT-Red functions best as a complement to human red-teamers, third-party testing, and other AI safety measures rather than a complete replacement.

Future-Proofing AI Safety at Scale

OpenAI built GPT-Red with an eye toward future challenges as models grow more capable. "As more capable models become available, we will have already designed the system that can discover new modes of attack," says Hunn

1

. The company frames this as creating a flywheel effect for AI safety, where today's models can be used to make tomorrow's models more robust, aligned, and trustworthy

4

.

This approach addresses a critical bottleneck in AI development. As model capabilities grow, safety and alignment must scale with them, but traditional red teaming approaches struggle to keep pace

4

. The disclosure comes as prompt injection remains one of the harder unsolved problems in AI security, particularly as agentic systems connect to third-party data sources through web browsers, connected apps, local files, and other tools that broaden the attack surface

2

. OpenAI plans to release a full research paper on GPT-Red later this week

3

.

Today's Top Stories

© 2026 TheOutpost.AI All rights reserved