OpenAI Keeps GPT-Red Attack Model Private After Prompt-Injection Tests
The Next Web reported that OpenAI has built GPT-Red, an internal automated red-team model for prompt-injection attacks, but is keeping the attacker private. The report cited attack success rates above 90% against an older GPT-5 and below 23% against GPT-5.6, while noting that human testers still catch cases GPT-Red misses.

GPT-Red is OpenAI's internal automated red-team model for attacking other AI systems, and The Next Web reported that the company is not releasing it publicly.
The tool is aimed at prompt injection, where hidden instructions in files, webpages or messages can push an AI agent into actions its operator did not intend.
OpenAI described GPT-Red as a safety system rather than a public product.
The model is trained to find ways to hijack or sabotage AI systems so that developers can patch weaknesses before release, the outlet reported.
GPT-Red Targets Prompt-Injection Attacks
GPT-Red trains through self-play against defender models, according to the outlet.
The attacker receives rewards when an exploit succeeds, and the defenders receive rewards for blocking the attempt.
OpenAI said the training used some of its largest compute runs for safety work.
The account did not put a dollar cost or hardware count on the training run.
The model also found a prompt-injection method that OpenAI researchers described as a fake chain of thought.
Chris Choquette-Choo told MIT Technology Review that the attack plants a false note in a model's private working memory, making the target treat an untrue statement as already verified.
Vendy Test Gave GPT-Red A Physical Target
One test moved beyond text-only examples.
The outlet reported that GPT-Red attacked Vendy, an AI agent built by Andon Labs to run a real vending machine in OpenAI's office.
The outlet said the attack changed prices, pushed one expensive item down to the 50-cent minimum and cancelled a customer order.
The company disclosed the flaws after the test.
The result set separated older GPT-5, GPT-5.6 and human testers by large margins.
The outlet said more than 90% of GPT-Red's strongest attacks worked against an older GPT-5, while fewer than 23% succeeded against GPT-5.6.
The same account said a rerun of a 2025 test had GPT-Red cracking 84% of scenarios compared with 13% for human red-teamers.
Human Testers Still Catch Missed Cases
OpenAI trained GPT-5.6 against GPT-Red and called the newer model its most robust system against prompt injection, according to the outlet.
The company is using the attacker to harden later models rather than distributing it as a tool for outside researchers.
GPT-Red is weaker in extended back-and-forth attacks and in attempts that hide instructions in images, the outlet reported.
Jessica Ji, an AI security analyst at Georgetown's CSET, told the outlet that human expertise will still be very important.
OpenAI has not released GPT-Red.
The report did not identify a GPT-Red release date, external researcher access terms, complete image-hiding test results or the full paper text.


















