system: OPERATIONAL
← back to all hacks
DEFENSE LOW NEW

GPT-Red: training an attacker model to harden defenders against injection

On July 15, 2026, OpenAI described GPT-Red, an internal red-teaming model trained by self-play to find prompt injections. It beat humans 84% to 13% — and was then used to make GPT-5.6 more robust.

2026-07-16 // 6 min affects: gpt-5-6, gpt-5-5, gpt-5-1, llm-agents, codex

What is this?

On July 15, 2026, OpenAI published a description of GPT-Red, an internal-only model trained specifically to red-team its own systems for prompt injection weaknesses. GPT-Red operates the way a human red-teamer does: it sends a prompt, watches how the target model responds, and iterates toward a goal such as exfiltrating a file or forwarding an API key. The notable part is not the attacker itself but the loop around it — OpenAI feeds GPT-Red’s discovered attacks back into the training of production models, and reports that this made GPT-5.6 Sol its most injection-resistant release to date.

This matters to defenders because it is a concrete data point on where automated adversarial red-teaming now sits, and because the same self-play recipe is public enough to be replicated. OpenAI says it will release a preprint with more detail later in the week of publication.

How it works

GPT-Red is trained with self-play reinforcement learning. The attacker model and a population of diverse “defender” LLMs are trained at the same time inside a set of simulated deployment scenarios — browsing a webpage, reading an email, processing a tool result, editing code. Each scenario carries a threat model that defines what the attacker controls (a webpage banner, an email body, part of a local file, a tool’s output) and what counts as a successful compromise.

The reward is adversarial: GPT-Red earns credit for eliciting a valid failure, while defenders earn credit for resisting the attack and still completing their original task. As defenders harden, the attacker is pushed to find stronger and more varied techniques. OpenAI says it ran this at the compute scale of some of its largest post-training jobs, and deliberately keeps GPT-Red separate from anything it ships so the offensive capability stays out of adversaries’ hands.

Two results stand out. On a replicated version of the indirect-injection arena from Dziemian et al. (2025), GPT-Red and human red-teamers independently attacked GPT-5.1 on held-out scenarios; GPT-Red succeeded on 84% of them versus 13% for the humans. And an early version independently discovered a direct-injection technique OpenAI calls “Fake Chain-of-Thought” — inserting spoofed reasoning steps into the target’s own thinking — which reached roughly 95% success on GPT-5.1.

Why it matters

The defensive payoff is real but bounded. OpenAI reports that GPT-5.6 Sol now fails on only 0.05% of GPT-Red’s direct injections, that Fake Chain-of-Thought is below 10% against it, and that several developer-tool and browsing injection benchmarks are above 97% accuracy — with frontier capability and over-refusal scores unchanged, which is the harder thing to get right.

But the case studies are the reminder that model robustness is not system security. GPT-Red was pointed at a live vending-machine agent in OpenAI’s office and met all three of its goals: dropping an in-stock item to the $0.50 floor, listing a $100+ item for that same price, and cancelling another customer’s order. Against a Codex command-line agent backed by a smaller model, it exfiltrated data in more of ten held-out scenarios than a prompted baseline. In other words, a well-trained attacker still breaks agentic systems built on strong models when those systems grant real tool authority over untrusted input.

Defenses

  • Read vendor robustness numbers as in-distribution, not as guarantees. A “0.05% failure” figure is measured against one attacker’s distribution on held-out environments; it does not bound what a different attacker, a fine-tune, or next month’s technique will do. Treat it as a floor that erodes, not a ceiling.
  • Keep the lethal trifecta out of single-context agents. The vending-machine and Codex results land because the agent combined untrusted input, sensitive access, and an exfiltration or action channel. Separate those; a more robust base model does not remove the need to.
  • Enforce action limits outside the model. Deterministic gates on price changes, order cancellation, outbound POSTs, and credential access are what would have blunted every case study, regardless of how the injection was phrased.
  • Adopt adversarial self-play as an internal practice, at your scale. You do not need OpenAI’s compute to stand up an attacker-vs-defender loop over your own agent harness and catch injection paths before deployment; the value is the coverage and diversity, not the model size.
  • Watch for reasoning-channel spoofing. Fake Chain-of-Thought shows that injected text mimicking the model’s own thinking is a distinct class; log and constrain how tool output is interleaved with reasoning rather than trusting apparent “internal” steps.

Status

ItemValue
WhatGPT-Red — internal automated red-teamer trained by self-play RL
DisclosedJuly 15, 2026 (OpenAI); preprint promised the same week
Attacker result84% vs 13% (human) on a replicated Dziemian et al. injection arena vs GPT-5.1
Defender resultGPT-5.6 Sol fails 0.05% of GPT-Red direct injections; Fake CoT <10%
CaveatLive agent case studies (vending machine, Codex CLI) still fully compromised
ScopeResearch/defense advance; no CVE, no product patch

Key dates: July 15, 2026 — OpenAI publication; July 16, 2026 — press coverage. Baseline arena: Dziemian et al., “How Vulnerable Are AI Agents to Indirect Prompt Injections?” (arXiv, March 2026). A preprint with fuller methodology was announced for the same week.

Sources