OpenAI introduces GPT-Red, an automated red-teaming agent designed to find vulnerabilities before models reach the public. Why should you care? Because when AI interacts with browsers, local files, and tools, it opens a lot of doors for malicious instructions hidden inside third-party content.
The problem: the scale of red-teaming
Human red-teaming is indispensable, but it’s slow and doesn’t scale fast enough to keep up with increasingly capable models. Designing realistic attacks takes time, and while those human examples are valuable, they don’t produce the volume or diversity of adversarial data needed to train robustness at scale.
Also, many traditional robustness evaluations are already saturated by the latest models. That means we need new ways to discover and fix failures that slip past current tests.
The central idea: if models get better, red-teaming has to scale with them.
GPT-Redaims to turn that intuition into practice.
What GPT-Red is and what it achieved
GPT-Red is an internally trained model that acts as an automated red-teamer. It learns to devise attacks, observe target model responses, and iterate to improve its strategies. OpenAI devoted unprecedented compute to this: aggressively training offensive capabilities with the single goal of improving safety.
Key results:
GPT-Redcan break almost every model it was tested against, including versions up toGPT-5.5.- Using attacks generated by
GPT-Redduring adversarial training ofGPT-5.6 Sol, the model had 6x fewer failures on the hardest direct benchmark compared to the best production model from four months earlier. - In a replicated experiment of the indirect injection challenge (Dziemian et al., 2025),
GPT-Redfound successful attacks in 84% of scenarios versus 13% for humans. - In internal evaluations,
GPT-5.6 Solfails on only 0.05% of the direct injections generated byGPT-Red.
How it works (in practical terms)
Training uses self-play with reinforcement: GPT-Red is rewarded for producing valid failures (for example, successful prompt injections) while a diverse set of defender models is trained simultaneously to resist those attacks and complete their tasks.
To do this, realistic environments with threat models are created: GPT-Red can control parts of a local file, the body of an email, a webpage banner, or the output of a tool. Each environment defines what the attacker controls and what counts as success.
As defenders improve, GPT-Red is forced to discover stronger and more varied attacks. That cycle generates large amounts of adversarial examples useful for adversarial training of production models.
Concrete examples and worrying findings
One experiment put GPT-Red against a vending-machine–style agent in an environment that mirrors the real world. After iterating attacks, GPT-Red achieved three malicious objectives:
- Change the price of an expensive item to the minimum allowed of 0.50.
- Order an item worth more than 100 and offer it for 0.50.
- Cancel another customer’s order.
Those issues were disclosed and new safeguards are being tested.
Another finding was a class of direct attacks called “Fake Chain-of-Thought.” Those attacks had success rates above 95% in GPT-5.1, and are now below 10% in GPT-5.6 Sol thanks to the red-teaming cycle and adversarial training.
Operational security and limits
Important: GPT-Red is kept separate from deployed models. The goal is to leverage its offensive capabilities internally to strengthen defenses without releasing the malicious agent to the public.
They also check that improved robustness doesn’t come from making the model less capable or simply more reluctant to respond. Their evaluations show normal capabilities are maintained while resistance to malicious instructions improves, indicating real robustness gains rather than just more defaults to refuse.
What’s next?
OpenAI plans to keep scaling compute and data, and to improve algorithms for future versions of GPT-Red. The goal is a feedback loop where current models help create future models that are safer.
They also say they will publish a preprint with more details soon.
To be frank: this approach shows that AI can help scrub AI itself, but it demands transparency, controls, and strict operational limits to prevent abuse. Does it surprise you that one model can teach another not to fall for tricks? It doesn’t surprise me, but it does remind me that AI security is a race we need to run very carefully.
