SECURITY
SECURITY
SECURITY
OpenAI Group PBC today detailed GPT-Red, an internal artificial intelligence system it built to attack its own models and surface prompt injection vulnerabilities before they reach users.
Red teaming is the job of hammering software to find its weak points, work that normally falls to human security teams. GPT-Red does it on its own, running far more attacks than any team could by hand. I
t fires a prompt at a target model and reads the response. Then it tries again and again, adjusting each time toward whatever malicious result it’s after. Attacks that fail get discarded. The ones that work get pushed harder.
OpenAI trained it using self-play reinforcement learning. GPT-Red acts as the attacker against defender models across varied scenarios, earning rewards for successful exploits, while the defenders are rewarded for holding firm and finishing their tasks. As the defenses improve, the attacker is forced to invent harder attacks and the loop repeats.
The company said the approach outpaces its human counterparts. GPT-Red succeeds on 84% of scenarios against 13% for human red-teamers and cuts direct prompt injection failures to a sixth of the rate in its best production model from four months earlier. A class of “fake chain-of-thought” attacks that worked more than 95% of the time against GPT-5.1 now succeeds less than 10% of the time against GPT-5.6.
The tool has also broken autonomous agents. In testing, it hijacked a Vendy vending machine agent to change prices and cancel orders. It also compromised command-line coding agents, the kind of real-world targets that draw attackers as AI systems gain the ability to act on their own.
“Compared to a human red-teamer, the model is very, very good at finding exactly what will work,” Dylan Hunn, a research scientist and co-creator of GPT-Red, told MIT Technology Review. Fellow co-creator Nikhil Kandpal said the stakes climb as models take on more autonomy. “The risk surface grows and the blast radius also grows,” he said.
GPT-Red is not a product and will not be released. OpenAI is keeping it internal and separate from its deployed models so the attack capabilities it develops cannot reach the public, feeding the findings back into training instead. Precursor versions have been used in training since GPT-5.3, the company said.
It has limits. GPT-Red is weak at multi-turn conversational attacks that unfold over several exchanges and has limited reach against image-based prompt injection, gaps OpenAI said human testers will keep covering.
The disclosure comes weeks after OpenAI released GPT-5.6, which it positioned against Anthropic PBC’s Claude and as prompt injection remains one of the harder unsolved problems in AI security.
“The results look very promising,” said Jessica Ji, a senior research analyst at Georgetown University’s Center for Security and Emerging Technology, who added in the same MIT Technology Review report that human expertise remains critical to the work.
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.