
GPT-Red: OpenAI's AI Red-Teamer Cuts Injection Fails
OpenAI built GPT-Red, an automated red-teaming model, then used it to harden GPT-5.6 Sol to 6x fewer prompt-injection failures than GPT-5.5.
OpenAI has disclosed GPT-Red, an internal-only model trained to attack its own systems — and the results it produced are the most concrete prompt-injection numbers anyone has published this year. The short version: an AI red-teamer found holes human red-teamers missed, and patching those holes made GPT-5.6 Sol six times more resistant on OpenAI's hardest direct injection benchmark.
- GPT-Red succeeded on ~84% of indirect prompt-injection scenarios against GPT-5.1, where human red-teamers succeeded on a small fraction of the same set
- GPT-5.6 Sol shows 6x fewer failures on OpenAI's hardest direct prompt-injection benchmark versus GPT-5.5
- Fails on only 0.05% of GPT-Red's direct injections, and exceeds 97% accuracy on several indirect injection benchmarks
- GPT-Red is never deployed publicly — the offensive capability stays contained by design
How Does an AI Red-Teamer Work?
GPT-Red was trained through self-play reinforcement learning. GPT-Red earns reward for landing prompt injections; defender models earn reward for resisting them. Both sides escalate together, which is the same dynamic that made self-play work for board games — except here the game is credential exfiltration.
In operation it behaves like a patient human attacker: send a prompt, watch the response, adjust, and iterate toward a goal. The goals it was pointed at are the ones that matter in production — exfiltrating credentials, issuing fraudulent payment instructions, forwarding API keys, injecting malicious scripts.
The payoff is scale. A human red-team can try a few hundred variations. A model that never gets bored can try enough to find the phrasing that works, which is exactly what an actual adversary does.
What Did It Actually Find?
Against GPT-5.1, GPT-Red landed roughly 84% of indirect prompt-injection scenarios — a set on which human red-teamers succeeded only a small share of the time. That gap is the whole argument for the technique.
Hardening against those findings produced GPT-5.6 Sol. It now fails on 0.05% of GPT-Red's direct injections and clears 97% accuracy on several indirect injection benchmarks. One specific result stands out: a "fake chain-of-thought" attack that fooled GPT-5.1 as often as 95% of the time now lands below 10% against GPT-5.6 Sol.
OpenAI also ran it against a live AI-operated vending machine agent, where GPT-Red hit all three objectives — including dropping item prices to $0.50 and canceling a customer order. That is the useful kind of demo, because a vending machine agent is exactly the mundane, low-stakes deployment where nobody is watching closely.
The Decision Not to Ship It
GPT-Red is never deployed publicly, and that is deliberate. A model optimized to find working prompt injections is straightforwardly an offensive tool; keeping it internal means the capability improves defenses without also arming everyone else.
That asymmetry is the right call, and it is the same principle behind the defensive tooling we cover across AI security — from CodeQL's free prompt-injection detection to runtime guardrails for AI agents. The trend line is encouraging: prompt injection went from "unsolved and largely unmeasured" to "measured, with published numbers that move." You cannot fix what you cannot count, and this is what counting looks like.
One note on the figures: reporting characterizes human red-teamer performance as "a small share" rather than giving a hard percentage. A specific number circulated in some coverage that we could not confirm in the primary write-ups, so we've left it out.
Sources: The Hacker News — July 16, 2026; Help Net Security — July 16, 2026; Decrypt — July 16, 2026.
More Ai Security Stories
SingGuard-NSFA Brings Open Guardrails to AI Agents
Ant Group open-sourced SingGuard-NSFA under Apache 2.0 — four guardrail models covering 185 threat scenarios across 133 languages, free to download.
AgentMon 3 Gives AI Agents Self-Refining Guardrails
Codenotary's AgentMon 3, out July 7, learns each org's normal AI-agent behavior and auto-tunes runtime policies, cutting manual upkeep up to 80%.
Sophos Fusion Unifies Security Tools With Agentic AI
Sophos launched Fusion on July 15 — an AI-native platform that unifies endpoint, SIEM, identity, and network tools with shared threat intel.



