OpenAI unveils GPT-Red to boost AI safety with internal red-teaming

OpenAI introduces GPT‑Red, a specialized internal system for uncovering vulnerabilities in AI models using advanced red-teaming and self-play learning.

· 2 min read
ChatGPT

OpenAI has unveiled GPT‑Red, its strongest automated safety red-teaming model, built to discover vulnerabilities in AI systems before deployment. The internal-only model targets prompt injections, including malicious instructions hidden inside emails, webpages, local files, code repositories, and tool outputs.

GPT‑Red learns through self-play reinforcement learning. It attacks a group of defender models across realistic scenarios while both sides are trained simultaneously. GPT‑Red receives rewards for causing valid failures, while defenders are rewarded for resisting attacks and completing the original task. As defenders grow more robust, GPT‑Red must develop stronger and more diverse attack methods.

OpenAI trained the system using compute comparable to some of its largest post-training runs. In tests involving previously unseen scenarios, GPT‑Red successfully attacked GPT‑5.1 in 84% of cases, compared with 13% for human red-teamers. It could also break nearly every tested OpenAI model through GPT‑5.5.

The model demonstrated attacks against real agentic systems. It manipulated an AI-operated vending machine to reduce product prices to $0.50, order an item worth more than $100 at that price, and cancel another customer’s order. In separate tests, it caused a Codex CLI agent powered by GPT‑5.4 mini to exfiltrate sensitive data across a custom set of scenarios.

OpenAI has incorporated attacks generated by GPT‑Red into the training of production models since GPT‑5.3. GPT‑5.6 Sol recorded six times fewer failures on the company’s hardest direct prompt-injection benchmark than its leading production model from four months earlier. Its failure rate against GPT‑Red’s direct prompt injections fell to 0.05%.

An earlier GPT‑Red version also discovered “Fake Chain-of-Thought” attacks, which succeeded more than 95% of the time against GPT‑5.1. That rate dropped below 10% with GPT‑5.6 Sol. OpenAI reports that these robustness gains did not reduce general model capabilities or cause broader refusal behavior.

GPT‑Red will remain separate from public production models because it was deliberately trained with malicious capabilities. It is not being released to ChatGPT users or API developers. OpenAI plans to continue scaling the system alongside human and third-party red-teaming, layered safeguards, and real-time monitoring, using attacks found by current models to train more robust future GPT releases.

Source