OpenAI details GPT-Red, an AI that attacks its own models to find flaws
OpenAI Group PBC today detailed GPT-Red, an internal artificial intelligence system it built to attack its own models and surface prompt injection vulnerabilities before they reach users.
Red teaming is the job of hammering software to find its weak points, work that normally falls to human security teams. GPT-Red does it on its own, running far more attacks than any team could by hand. It fires a prompt at a target model and reads the response. Then it tries again and again, adjusting each time toward whatever malicious result it is after. Attacks that fail get discarded. The ones that work get pushed harder.
OpenAI trained it using self-play reinforcement learning. GPT-Red acts as the attacker against defender models across varied scenarios, earning rewards for successful exploits while the defenders are rewarded for holding firm and finishing their tasks. As the defenses improve, the attacker is forced to invent harder attacks and the loop repeats.
The company said the approach outpaces its human counterparts. GPT-Red succeeds on 84% of scenarios against 13% for human red-teamers and cuts direct prompt injection failures to a sixth of the rate in its best production model from four months earlier. A class of “fake chain-of-thought” attacks that worked more than 95% of the time against GPT-5.1 now succeeds less than 10% of the time against GPT-5.6.










