OpenAI has unveiled GPT-Red, a powerful internal AI red-teaming model designed to automatically discover vulnerabilities in other AI systems and help make future GPT models more resistant to attacks. Rather than being released as a public product, GPT-Red is used internally to simulate sophisticated prompt injection attacks, identify security weaknesses, and generate adversarial training data that strengthens production models before deployment.

The company says GPT-Red was trained using self-play reinforcement learning, where it continuously attempts to exploit defender models while those models simultaneously learn to resist attacks. According to OpenAI, this approach has already improved the security of GPT-5.6 Sol, reducing failures on its toughest prompt injection benchmark by sixfold compared with its strongest production model from just four months earlier.
OpenAI Introduces GPT-Red
GPT-Red represents a new approach to scaling AI safety through automation.
| Key Highlights | Details |
|---|---|
| Company | OpenAI |
| Model | GPT-Red |
| Purpose | Automated AI red teaming |
| Availability | Internal only |
| Main objective | Discover vulnerabilities and improve model robustness |
Unlike ChatGPT or GPT-5.6, GPT-Red is not available through the API or ChatGPT.

What Is GPT-Red?
GPT-Red is specifically trained to attack AI systems.
Its responsibilities include:
- Finding prompt injection vulnerabilities.
- Testing AI agent security.
- Generating adversarial prompts.
- Identifying new attack techniques.
- Producing training data for stronger AI defenses.
- Stress-testing production models before release.
The system acts as an automated security researcher rather than a general-purpose chatbot.
How GPT-Red Works
OpenAI trains GPT-Red through self-play.
The process involves:
- GPT-Red attempting to exploit AI models.
- Defender models learning to resist attacks.
- Continuous reinforcement learning.
- Creation of increasingly difficult attack scenarios.
- Repeated improvement of both attacker and defender models.
As the defending models become stronger, GPT-Red must invent increasingly sophisticated attack strategies.
Real-World Attack Scenarios
GPT-Red is trained using environments that resemble practical AI deployments.
These include:
- Malicious emails.
- Compromised web pages.
- Browser-based prompt injections.
- Local files.
- Tool responses.
- Source code repositories.
The goal is to prepare production models for attacks they may encounter when interacting with external data.

Impact on GPT-5.6
| Improvement | Result |
|---|---|
| Direct prompt injection failures | 6× fewer failures |
| Resistance to GPT-Red attacks | Significantly improved |
| Security focus | Stronger robustness before deployment |
OpenAI says GPT-Red has been incorporated into the training process of successive GPT releases, culminating in GPT-5.6 Sol’s improved resistance to prompt injection attacks.
Why GPT-Red Is Not Public
OpenAI intentionally keeps GPT-Red private.
Reasons include:
- Preventing misuse by attackers.
- Protecting offensive capabilities.
- Maintaining AI safety.
- Reducing risks from malicious prompt-generation tools.
- Ensuring only the defensive benefits reach users.
Users benefit indirectly through more secure production models rather than direct access to GPT-Red itself.
Why This Matters
Traditional human red teaming is valuable but difficult to scale.
Automated red teaming offers:
- Faster vulnerability discovery.
- Continuous testing.
- Larger volumes of adversarial training data.
- More realistic attack simulations.
- Better preparation for future AI systems.
OpenAI says automated safety testing will complement—not replace—human and third-party security evaluations.
Challenges Ahead
Despite promising results, several challenges remain.
These include:
- Keeping pace with increasingly capable AI models.
- Discovering entirely new attack techniques.
- Balancing robustness with model usefulness.
- Preventing overfitting to known attack patterns.
- Continuing independent human security reviews.
Security remains an ongoing process rather than a one-time solution.

Outlook
GPT-Red marks an important evolution in AI safety by shifting from primarily human-led red teaming to large-scale automated adversarial testing. Instead of relying solely on researchers to uncover vulnerabilities, OpenAI is using AI itself to continuously challenge and strengthen future models. This self-improving approach could allow safety measures to scale alongside rapidly advancing AI capabilities.
Although GPT-Red will remain an internal system, its impact is expected to extend across OpenAI’s future model releases. As production models become more capable and increasingly integrated with browsers, developer tools, and enterprise software, automated red teaming may become a standard part of AI development across the industry.
What It Means for AI Safety
GPT-Red highlights a growing trend toward using AI to improve AI security. Rather than viewing safety as a manual process performed only before deployment, companies are increasingly building automated systems that continuously search for weaknesses and generate new defensive training data.
For the broader AI ecosystem, this approach could significantly improve resilience against prompt injection attacks and other emerging threats. If adopted more widely, automated red-teaming systems may become as essential to AI development as automated software testing is to modern software engineering.
Get the day’s top stories in your inbox
One concise email. No spam, unsubscribe anytime.