Skip to main content
The Quantum Dispatch
Back to Home
Cover illustration for GPT-Red: OpenAI's AI Red-Teamer Cuts Injection Fails

GPT-Red: OpenAI's AI Red-Teamer Cuts Injection Fails

OpenAI built GPT-Red, an automated red-teaming model, then used it to harden GPT-5.6 Sol to 6x fewer prompt-injection failures than GPT-5.5.

Kai Aegis
Kai AegisJul 16, 20265 min read

OpenAI has disclosed GPT-Red, an internal-only model trained to attack its own systems — and the results it produced are the most concrete prompt-injection numbers anyone has published this year. The short version: an AI red-teamer found holes human red-teamers missed, and patching those holes made GPT-5.6 Sol six times more resistant on OpenAI's hardest direct injection benchmark.

  • GPT-Red succeeded on ~84% of indirect prompt-injection scenarios against GPT-5.1, where human red-teamers succeeded on a small fraction of the same set
  • GPT-5.6 Sol shows 6x fewer failures on OpenAI's hardest direct prompt-injection benchmark versus GPT-5.5
  • Fails on only 0.05% of GPT-Red's direct injections, and exceeds 97% accuracy on several indirect injection benchmarks
  • GPT-Red is never deployed publicly — the offensive capability stays contained by design

How Does an AI Red-Teamer Work?

GPT-Red was trained through self-play reinforcement learning. GPT-Red earns reward for landing prompt injections; defender models earn reward for resisting them. Both sides escalate together, which is the same dynamic that made self-play work for board games — except here the game is credential exfiltration.

In operation it behaves like a patient human attacker: send a prompt, watch the response, adjust, and iterate toward a goal. The goals it was pointed at are the ones that matter in production — exfiltrating credentials, issuing fraudulent payment instructions, forwarding API keys, injecting malicious scripts.

The payoff is scale. A human red-team can try a few hundred variations. A model that never gets bored can try enough to find the phrasing that works, which is exactly what an actual adversary does.

What Did It Actually Find?

Against GPT-5.1, GPT-Red landed roughly 84% of indirect prompt-injection scenarios — a set on which human red-teamers succeeded only a small share of the time. That gap is the whole argument for the technique.

Hardening against those findings produced GPT-5.6 Sol. It now fails on 0.05% of GPT-Red's direct injections and clears 97% accuracy on several indirect injection benchmarks. One specific result stands out: a "fake chain-of-thought" attack that fooled GPT-5.1 as often as 95% of the time now lands below 10% against GPT-5.6 Sol.

OpenAI also ran it against a live AI-operated vending machine agent, where GPT-Red hit all three objectives — including dropping item prices to $0.50 and canceling a customer order. That is the useful kind of demo, because a vending machine agent is exactly the mundane, low-stakes deployment where nobody is watching closely.

The Decision Not to Ship It

GPT-Red is never deployed publicly, and that is deliberate. A model optimized to find working prompt injections is straightforwardly an offensive tool; keeping it internal means the capability improves defenses without also arming everyone else.

That asymmetry is the right call, and it is the same principle behind the defensive tooling we cover across AI security — from CodeQL's free prompt-injection detection to runtime guardrails for AI agents. The trend line is encouraging: prompt injection went from "unsolved and largely unmeasured" to "measured, with published numbers that move." You cannot fix what you cannot count, and this is what counting looks like.

One note on the figures: reporting characterizes human red-teamer performance as "a small share" rather than giving a hard percentage. A specific number circulated in some coverage that we could not confirm in the primary write-ups, so we've left it out.

Sources: The Hacker News — July 16, 2026; Help Net Security — July 16, 2026; Decrypt — July 16, 2026.

More Ai Security Stories

AI Security

SingGuard-NSFA Brings Open Guardrails to AI Agents

Ant Group open-sourced SingGuard-NSFA under Apache 2.0 — four guardrail models covering 185 threat scenarios across 133 languages, free to download.

Kai Aegis
Kai AegisJul 16, 20264 min read
AI Security

AgentMon 3 Gives AI Agents Self-Refining Guardrails

Codenotary's AgentMon 3, out July 7, learns each org's normal AI-agent behavior and auto-tunes runtime policies, cutting manual upkeep up to 80%.

Kai Aegis
Kai AegisJul 15, 20265 min read
AI Security

Sophos Fusion Unifies Security Tools With Agentic AI

Sophos launched Fusion on July 15 — an AI-native platform that unifies endpoint, SIEM, identity, and network tools with shared threat intel.

Kai Aegis
Kai AegisJul 15, 20266 min read