Skip to content
AI Primer
breaking

OpenAI introduces GPT-Red for prompt-injection red teaming

OpenAI described GPT-Red as an automated red-teaming model for finding prompt-injection vulnerabilities. Posts say it was used in self-play-style training to improve GPT-5.6 robustness.

5 min read
OpenAI introduces GPT-Red for prompt-injection red teaming
OpenAI introduces GPT-Red for prompt-injection red teaming

TL;DR

  • OpenAI built GPT-Red as an internal automated red-teamer for prompt-injection attacks, and OpenAI's launch thread says its attacks are used to train stronger defender models.
  • The training loop is self-play: WesRoth's self-play note describes one model attacking, one model defending, and both improving through the process.
  • GPT-5.6 Sol is the first named beneficiary, with WesRoth's robustness note citing GPT-5.1 failing 95% of the time on one class of attacks while GPT-5.6 Sol fails under 10%.
  • GPT-Red beat human red-teamers on OpenAI's mirrored prompt-injection arena, where WesRoth's benchmark note gives GPT-Red an 84% attack success rate versus 13% for humans.
  • The weirdest buried detail is a hidden browser game: btibor91's find shows “GPT-RED // Invader Patrol” inside the article.

The OpenAI writeup includes a Rockset file-search prompt-injection transcript, a Vendy vending-machine attack, and a Codex CLI data-exfiltration test. MIT Technology Review's interview adds the practical caveat: GPT-Red is still weak at back-and-forth attacks and image-based injections. The benchmark OpenAI mirrored comes from the Indirect Prompt Injection Arena paper, which described 464 participants, 272,000 attack attempts, and 8,648 successful attacks across 41 scenarios.

Self-play red teaming

In OpenAI's writeup, GPT-Red is trained with a collection of defender LLMs across red-teaming scenarios. OpenAI says GPT-Red receives reward for valid failures, while defenders receive reward for resisting the attack and completing the original task.

The loop is simple enough to matter:

  • GPT-Red sends an attack prompt.
  • The target model responds inside a task environment.
  • GPT-Red observes the response and iterates.
  • Defenders are trained on successful attacks.
  • Stronger defenders force GPT-Red to find stronger attacks.

The environments are built around concrete threat models. OpenAI says GPT-Red may control part of a local file, a webpage banner, an email body, or a tool output, which maps closely to the places agentic systems ingest untrusted text.

OpenAI also resurfaced the same launch link in its follow-up post, while gdb's post framed GPT-Red as model-security work rather than a general capability demo.

Prompt-injection arena

The headline attack number is 84% versus 13%. OpenAI says GPT-Red reached 84% attack success against GPT-5.1 in a replicated version of the indirect prompt-injection arena, while human red-teamers reached 13%.

The Indirect Prompt Injection Arena paper gives useful context for that arena: the public competition targeted tool use, coding, and computer-use scenarios where adversarial instructions appear in external data. That matters for agents because the user may only see the final answer, not the poisoned email, page, repo, or tool output that steered it.

GPT-5.6 Sol hardening

OpenAI says GPT-5.6 Sol had 6x fewer failures on its hardest direct prompt-injection benchmark than its best production model from four months earlier. The stronger claim is narrower: GPT-5.6 Sol fails on only 0.05% of GPT-Red's direct prompt injections across OpenAI's broad robustness environments.

The model-to-model spread is brutal:

  • GPT-Red can break nearly all internal and production models up to GPT-5.5, according to OpenAI.
  • Fake Chain-of-Thought attacks succeeded upward of 95% on GPT-5.1, according to OpenAI.
  • The same Fake Chain-of-Thought class is now below 10% on GPT-5.6 Sol, as nptacek's screenshot quotes from the article.
  • Several indirect prompt-injection benchmarks for developer tools and browsing are now above 97% accuracy, according to OpenAI.

Fake Chain-of-Thought attacks

MIT Technology Review reports that GPT-Red found a prompt-injection class OpenAI calls Fake Chain-of-Thought. Chris Choquette-Choo, an OpenAI research scientist on the team, described it as telling a model “1+1=3” and also telling it that it had already verified the false result.

The attack is interesting because it targets the model's working context, not the final answer surface. In OpenAI's sample transcript, GPT-5.1 follows a malicious file-search tool result and attempts to upload internal diagnostics, while GPT-5.6 resists the injected instruction.

Real agent case studies

OpenAI tested GPT-Red against Vendy, an autonomous vending-machine agent built by Andon Labs in the same family as Project Vend. GPT-Red first tested attacks in simulation, then transferred them to the live production agent.

OpenAI says GPT-Red achieved three malicious objectives against Vendy:

  • Changed an expensive in-stock item to the minimum allowed price of $0.50.
  • Ordered a new $100-plus item and offered it for $0.50.
  • Canceled another customer's order.

OpenAI also ran GPT-Red against a Codex CLI agent backed by GPT-5.4 mini on 10 held-out data-exfiltration scenarios. GPT-Red succeeded in more scenarios than a prompted GPT-5.5 baseline and used fewer tokens, according to OpenAI.

Internal-only attacker

OpenAI says GPT-Red is kept separate from deployed models so the malicious capabilities trained into it are not shipped to users. MIT Technology Review reports that OpenAI does not plan to release GPT-Red and that the team has worked on it for more than a year.

The same MIT interview lists two gaps OpenAI still sees:

  • GPT-Red is not strong at attacks that require back-and-forth conversation with the target.
  • GPT-Red is not strong at using images, which can carry prompt-injection text into multimodal systems.

OpenAI says a preprint with more details is coming later this week.

Connect 4 roots

GPT-Red's origin story started smaller than the launch suggests. kaicathyc said the effort began after she and Eric Wallace spent time teaching reasoning models to play games through self-play while between projects.

The early experiments involved Connect 4. The infrastructure, methods, and algorithms later evolved into a red-teaming system that OpenAI trained at the compute scale of some of its largest post-training runs.

Invader Patrol

OpenAI hid a retro “GPT-RED // Invader Patrol” game in the article. btibor91's video shows the page launching a space-shooter where the player destroys pixelated enemies under the GPT-RED banner.

Further reading

Discussion across the web

Where this story is being discussed, in original context.

On X· 4 threads
Self-play red teaming2 posts
GPT-5.6 Sol hardening1 post
Fake Chain-of-Thought attacks1 post
Internal-only attacker1 post
Share on X