OpenAI has disclosed GPT-Red, an internal LLM built to attack the company's own models and surface prompt injection vulnerabilities before they reach users1,2. The system automates red-teaming — the practice of hammering software to find weak points, work traditionally performed by human security teams. OpenAI says GPT-Red was used as a sparring partner during the development of GPT-5.6, the latest version of its flagship model released last week, and that training against GPT-Red made GPT-5.6 its most robust release yet.

GPT-Red has been in development for more than a year, according to OpenAI. Researchers trained it in a self-play loop with several other models inside what the company calls a "dojo" — an environment designed to mimic real-world deployment scenarios such as browsing the web, reading emails or calendar apps, and editing code. OpenAI focused most of its red-teaming efforts on prompt injection attacks.

To benchmark GPT-Red's effectiveness, OpenAI reran a 2025 experiment in which human red-teamers had attempted to find weaknesses in an earlier version of GPT-5. When GPT-Red was given the same task, it found effective attacks more successfully than the human testers had. OpenAI says more than 90% of GPT-Red's strongest attacks worked against GPT-5, while fewer than 23% of those same attacks worked against GPT-5.6.

The system has also discovered novel attack vectors. OpenAI says GPT-Red found a prompt injection technique called a "fake chain of thought" — a method of inserting a spoofed entry into another model's chain of thought to trick it into acting on false information. Researchers say this attack type had not been seen before GPT-Red surfaced it.

In one external test, OpenAI pitted GPT-Red against Vendy, a vending machine agent developed by Andon Labs. GPT-Red hacked Vendy to change item prices and cancel a customer's order.

"The risk surface grows and the blast radius also grows," said Nikhil Kandpal, a research scientist at OpenAI who co-created GPT-Red, explaining the motivation for automating red-teaming as LLMs are deployed in agentic settings that interact with files, websites, third-party code, and other agents. Fellow co-creator Dylan Hunn, also a research scientist at OpenAI, said the system was built to future-proof safety testing: "As more capable models become available, we will have already designed the system that can discover new modes of attack".

OpenAI says GPT-Red supplements rather than replaces its human red-teamers. The company is also feeding GPT-Red attacks that humans devised and asking it to find all variations.

The system has acknowledged limitations. OpenAI says GPT-Red is not yet effective at attacks involving back-and-forth conversation between hacker and target, and it is not yet proficient at using images in prompt injection attacks.

OpenAI will not be releasing GPT-Red externally.

ANALYSIS The quantitative gap between GPT-5 and GPT-5.6 attack success rates — from above 90% to below 23% — provides a concrete, if self-reported, measure of the iterative hardening loop OpenAI is describing.