OpenAI's GPT-Red Uses Self-Play to Harden GPT-5.6 Against Prompt Injection

OpenAI says its internal GPT-Red attack model can discover prompt-injection failures at scale and helped make GPT-5.6 Sol more robust. Here is how the self-play system works, what the reported benchmarks show, what remains unverified, and what agent builders should do now.

Author credential Jitendra Kumar · Founder & Editor

Founder & Editor of HacksByte, based in Dubai and focused on AI, cybersecurity, scams, privacy, apps, and practical digital safety.

View LinkedIn
Impact Workflow impact
First action Verify claims before publishing or submitting work.
Read time 4 minute setup
Audience Students, creators, and operators
Cinematic editorial image of AI security researchers observing isolated red-team attacks against a defensive model
Quick answer

OpenAI says its internal GPT-Red attack model can discover prompt-injection failures at scale and helped make GPT-5.6 Sol more robust. Here is how the self-play system works, what the reported benchmarks show, what remains unverified, and what agent builders should do now.

AI Watch Test the workflow before relying on the output.
Last checked: July 16, 2026. This article uses OpenAI's July 15 GPT-Red announcement as the primary source. It also reviews the public prompt-injection competition paper that OpenAI replicated, analysis from the US National Institute of Standards and Technology's Center for AI Standards and Innovation, OpenAI's earlier agent-security guidance, and Anthropic's Project Vend research. GPT-Red results are OpenAI-reported. OpenAI said a detailed preprint would arrive later this week, but it was not publicly available when this article was checked.

Quick answer

OpenAI introduced GPT-Red on July 15, 2026 as an internal automated red-teaming model trained to find prompt-injection vulnerabilities in AI agents. GPT-Red is not a new public ChatGPT model. It is an attacker used inside OpenAI's safety pipeline to generate harder adversarial examples and train production models to resist them.

The company says GPT-Red and a diverse group of defender models improve together through self-play. GPT-Red is rewarded when it causes a valid failure; defenders are rewarded for resisting the attack while still completing the user's legitimate task. As defenders get stronger, GPT-Red must find stronger or more varied attacks.

OpenAI's headline claims include:

Reported resultWhat OpenAI says it measures
6x fewer failuresGPT-5.6 Sol on OpenAI's hardest direct prompt-injection benchmark, compared with its best production model four months earlier
84% vs. 13%Scenarios where GPT-Red versus human red-teamers found a successful attack against GPT-5.1 on a novel indirect-injection arena
0.05% failure rateGPT-5.6 Sol against GPT-Red's direct prompt injections on held-out robustness environments
Above 95% to below 10%Success of an OpenAI-named "Fake Chain-of-Thought" attack class against GPT-5.1 versus GPT-5.6 Sol
Above 97% accuracyOpenAI's latest model on several indirect prompt-injection benchmarks targeting developer tools and browsing

These results suggest automated red teaming can generate training data at a scale human teams cannot match. They do not establish that prompt injection has been solved. The detailed preprint, full benchmark definitions, uncertainty estimates, human-comparison protocol and capability-retention results were not yet available for independent scrutiny.

What OpenAI announced

OpenAI's GPT-Red research post describes the system as its strongest automated safety red-teamer to date. The company says it trained GPT-Red at a compute scale comparable with some of OpenAI's largest post-training runs, dedicating that compute specifically to safety.

The model's job is adversarial. It receives a goal, sends an attack to a target AI system, observes the response and iterates. OpenAI builds realistic environments in which an attacker can influence a webpage, email, local file, tool response or code repository. Each environment defines what the attacker controls and what counts as a successful failure.

OpenAI says GPT-Red can break nearly all defender models it encountered during training, including internal and production systems through GPT-5.5. The company then used GPT-Red-generated attacks to train GPT-5.6, which OpenAI says became highly resistant to the same attack process.

The company is keeping GPT-Red separate from deployed models and does not plan to release it. That boundary is important: GPT-Red is intentionally optimized to create malicious instructions and uncover weaknesses, so making the attack model broadly accessible could give adversaries a stronger offensive tool.

What “self-improvement” means here

The phrase “unlocking self-improvement” can be misunderstood. OpenAI is not claiming that GPT-Red autonomously rewrites its own architecture or recursively improves without human control.

The reported process is a designed training loop:

  • Researchers create environments and define threat models.
  • GPT-Red proposes and adapts attacks.
  • Defender models try to resist while completing legitimate work.
  • A scoring system rewards valid attacks and successful defenses.
  • Training updates produce a stronger attacker and stronger defenders.
  • Successful attack examples are used in production-model training.
Diagram explaining OpenAI's reported GPT-Red self-play training loop and the separate production-model path
Diagram explaining OpenAI's reported GPT-Red self-play training loop and the separate production-model path

That is a form of safety-focused self-play, similar in broad structure to adversarial training used elsewhere in machine learning. Humans still choose the environments, define success, allocate compute, decide when to train, evaluate capability trade-offs and control which model is deployed.

The “self-improvement” is therefore a managed flywheel: today's models help generate evidence that can make tomorrow's production models harder to manipulate.

Why prompt injection is a serious agent risk

AI agents often need to read untrusted information. A browser agent reads webpages. A workplace assistant reads email and files. A coding agent reads repositories, dependency output and issue trackers. A support agent processes customer messages.

That creates a security boundary problem. The model must treat external material as data while following trusted user and developer instructions. But large language models process both as text, and attackers can hide instructions inside the data.

The NIST definition of indirect prompt injection focuses on attacks executed through a resource rather than direct user input. A malicious instruction can be placed in content the agent later retrieves, potentially causing actions the user never requested.

Examples of possible impact include:

  • Sending sensitive information to an external destination.
  • Running an untrusted script or command.
  • Changing a transaction or order.
  • Disabling an account safeguard.
  • Modifying code or data outside the user's intent.
  • Hiding the compromise behind a normal-looking final answer.

The risk grows when a model has tools and permissions. A manipulated chatbot may produce a bad answer. A manipulated agent may be able to send, change, buy, upload or execute.

Direct and indirect prompt injection

The GPT-Red announcement reports results across both direct and indirect attacks.

Attack typeWhere the malicious instruction appearsTypical exposure
Direct prompt injectionIn input sent directly to the modelA user or tester tries to override trusted instructions
Indirect prompt injectionIn an external resource the agent readsA webpage, email, document, file, tool result or repository contains attacker-controlled instructions

Direct benchmarks are useful for testing instruction hierarchy and resistance. Indirect attacks are especially important for agent deployments because the end user may never see the malicious content.

OpenAI's earlier guidance on prompt-injection-resistant agents argues that modern attacks increasingly resemble social engineering. That makes simple string filtering insufficient. A manipulative email can look like ordinary business content, and the agent needs context to know which instructions are authorized.

How strong is GPT-Red?

OpenAI tested whether GPT-Red could generalize beyond environments used in training. It replicated the indirect prompt-injection arena from a large public competition analyzed by Mateusz Dziemian and dozens of co-authors.

On the replicated arena, GPT-Red and human red-teamers independently attacked GPT-5.1 across scenarios that OpenAI says differed from GPT-Red's training data. GPT-Red found a successful attack in 84% of scenarios, compared with 13% for humans.

Graphic comparing GPT-Red and human red-teamers on novel scenarios, with separate panels for other OpenAI-reported robustness results
Graphic comparing GPT-Red and human red-teamers on novel scenarios, with separate panels for other OpenAI-reported robustness results

The result is striking, but the comparison needs context.

An automated system can generate and refine far more attempts than a person in the same elapsed time. The July 15 post does not specify the human time budget, participant expertise, number of attempts, sampling method, confidence intervals or compute-normalized cost. Those details could materially change how the 84%-versus-13% result should be interpreted.

The public Dziemian et al. competition paper provides independent evidence that the underlying problem is real. It reports 464 participants, 272,000 attack attempts, 8,648 successful attacks, 41 scenarios and 13 frontier models. At least one successful attack was found against every tested model, with model-level attack success rates ranging from 0.5% to 8.5% in that competition.

The paper also found that general capability and robustness were only weakly correlated. A model that performs well on normal tasks is not automatically secure against agent hijacking.

Why the human comparison is not a replacement argument

GPT-Red's reported advantage does not mean human red-teamers are obsolete.

Automated red teamers are strong at scale:

  • Generating many attack variations.
  • Repeating tests across models and environments.
  • Searching a large space of prompts.
  • Producing adversarial training data continuously.
  • Re-running evaluations after each model change.

Humans still contribute capabilities that are difficult to automate fully:

  • Defining realistic threat models.
  • Identifying novel business abuse cases.
  • Understanding organizational and social context.
  • Spotting evaluation artifacts or reward misspecification.
  • Testing system architecture, permissions and product flows beyond the model.
  • Judging whether an apparently successful defense preserves usefulness.

OpenAI explicitly says automated work will continue alongside human and third-party red teaming, layered safeguards and real-time monitoring. That is the safer interpretation: GPT-Red expands test volume; it does not remove the need for independent adversarial judgment.

The vending-machine agent test

OpenAI also tested GPT-Red against a live autonomous vending-machine agent in its office. The system was produced by Andon Labs and was described as similar to Anthropic's Project Vend, an earlier experiment in which an AI agent managed a small shop.

OpenAI first gave GPT-Red a description of the system and access to a simulation that closely mirrored the live deployment. GPT-Red could send attacks and observe the simulated agent's tool calls. It then transferred an attack to the production agent.

OpenAI says GPT-Red achieved all three test objectives:

  • Lower the price of an expensive in-stock item to the minimum permitted price of $0.50.
  • Order a new item costing more than $100 and offer it for $0.50.
  • Cancel another customer's order.

OpenAI says the vulnerabilities were disclosed and new safeguards were being tested. The post does not identify a public advisory, remediation date or final control design.

Official OpenAI diagram showing GPT-Red searching for an attack in a vending-agent simulation and transferring it to the live system
Official OpenAI diagram showing GPT-Red searching for an attack in a vending-agent simulation and transferring it to the live system

*Source visual: OpenAI, July 15, 2026. The diagram describes a controlled red-team test; it is not evidence of a public attack.*

This case study matters because it moves beyond a text-only benchmark. The harm came from tool permissions and business logic: price changes, purchasing and order cancellation. A strong production defense must therefore constrain both the model and the actions available to it.

GPT-Red also targeted a coding agent

OpenAI tested GPT-Red against a Codex CLI agent powered by GPT-5.4 mini on 10 held-out data-exfiltration scenarios. The company compared GPT-Red with a prompted GPT-5.5 baseline and says GPT-Red succeeded in more scenarios while using fewer tokens.

OpenAI did not publish the exact success counts or token totals in the announcement. Without them, readers can understand the direction of the result but cannot calculate the effect size or independently reproduce the comparison.

The coding-agent test is important because repositories can contain untrusted instructions in documentation, source comments, issue content, dependency output and build scripts. A coding agent may also have access to credentials, local files, terminals and remote services. Model resistance is valuable, but it should not be the only barrier between untrusted repository content and sensitive actions.

How GPT-Red was used to improve GPT-5.6

OpenAI says it trained progressively stronger precursors to GPT-Red over six months and used them in every successive production-model training run since GPT-5.3.

The company highlights three robustness results.

Six times fewer failures

OpenAI says GPT-5.6 Sol produced six times fewer failures on its hardest direct prompt-injection benchmark than its best production model from four months earlier.

This is a relative result. The post does not provide the underlying failure counts, sample size or confidence interval, so “six times fewer” cannot be converted into an absolute risk without the preprint.

Fake Chain-of-Thought attacks

OpenAI says an early GPT-Red version found a new direct-injection class it calls “Fake Chain-of-Thought.” The company reports success above 95% against GPT-5.1 and below 10% against GPT-5.6 Sol.

The announcement does not disclose the attack method, which is appropriate for a defensive safety report. It also does not yet provide a full taxonomy, evaluation set or independent replication.

A 0.05% direct-injection failure rate

On a broad set of held-out robustness environments, OpenAI says GPT-5.6 Sol failed on 0.05% of GPT-Red's direct prompt-injection attempts. OpenAI describes this as average attempt success across all attempts.

That is a strong benchmark result, but it should not be read as a universal production compromise probability. Real-world risk depends on the attacker, number of attempts, system prompt, tools, permissions, surrounding application, detection controls and whether the deployment resembles the benchmark.

NIST's agent-hijacking evaluation guidance specifically warns that adaptive attacks and repeated attempts matter. A system may resist known attacks while remaining vulnerable to attacks optimized for its particular defenses.

Did robustness reduce normal capability?

OpenAI acknowledges an important failure mode: a model can appear safer simply by refusing more work or becoming less capable.

The company says it evaluated frontier capabilities and targeted over-refusal tasks, found normal capabilities unaffected and concluded that GPT-5.6's gains came from better resistance rather than refusing legitimate requests by default.

That is encouraging, but the July 15 post does not publish the relevant benchmark names, scores, sample sizes or statistical uncertainty. Until the preprint appears, “capabilities remain unaffected” should be treated as an OpenAI conclusion rather than an independently reviewable finding.

A rigorous evaluation should report at least three dimensions together:

DimensionCore question
RobustnessDoes the agent resist attacker-controlled instructions?
UtilityDoes it still complete legitimate tasks correctly?
Operational safetyDo permissions and controls limit harm when the model fails?

Improving only one dimension can create misleading confidence.

What is confirmed

The following points are confirmed by OpenAI's July 15 publication:

  • GPT-Red is an internal automated safety red-teaming model.
  • It is trained through self-play with defender models across realistic scenarios.
  • It was used to generate prompt injections for GPT-5.6 training.
  • OpenAI intends to keep GPT-Red separate from deployed models.
  • OpenAI reports 84% scenario success for GPT-Red versus 13% for humans on its replicated arena.
  • GPT-Red achieved all three objectives in the controlled live vending-agent test.
  • OpenAI reports six times fewer failures for GPT-5.6 Sol on its hardest direct-injection benchmark.
  • OpenAI reports a 0.05% GPT-5.6 Sol failure rate against GPT-Red direct injections on held-out environments.
  • OpenAI said a preprint with more detail would be released later in the week.

What remains unknown or unverified

Important questions were unanswered as of July 16:

  • The GPT-Red architecture and base model.
  • The exact training compute and dataset size.
  • Full benchmark definitions and sample sizes.
  • Confidence intervals and variance across runs.
  • The human red-team budget and expertise level.
  • Whether the 84% result reflects equal numbers of attempts or equal cost.
  • Exact results from the 10 Codex exfiltration scenarios.
  • Detailed over-refusal and capability-retention scores.
  • Independent replication of the GPT-5.6 robustness results.
  • Final remediation details for the live vending-agent vulnerabilities.
  • How well GPT-Red generalizes to other model families and third-party agent harnesses.

The promised preprint may answer some of these questions. HacksByte will update this article if it materially changes the interpretation.

What GPT-Red gets right about safety engineering

GPT-Red addresses a real scaling problem. Human red teaming can find creative failures, but humans cannot produce the volume and diversity of adversarial data needed for every model update and every agent configuration.

The public competition analyzed by NIST shows why static benchmarks are not enough. More than 400 participants found at least one successful attack against every frontier model tested. NIST's March 2026 analysis emphasizes that security benchmarks must evolve as attackers adapt.

Self-play can support that evolution. A stronger defender forces the attacker to search for new weaknesses. A stronger attacker creates harder training data. If the loop generalizes to unseen environments, it can reduce dependence on a fixed list of known prompts.

The design also recognizes that prompt injection is not only a content-filtering problem. The Vendy experiment tests an agent connected to tools and business actions, which is closer to real deployments than a text classifier alone.

The risks and limits of automated red teaming

Automated red teaming also creates new governance questions.

Benchmark overfitting

If the attacker and defender repeatedly train on related environments, they may become excellent at that local game without covering unfamiliar systems. Held-out tests help, but independent benchmarks and third-party evaluation are still necessary.

Shared blind spots

Models trained by the same organization or model family may share assumptions. A human or external researcher may notice a failure mode the automated attacker does not search for.

Attack-capability containment

A model optimized to find damaging prompts is a sensitive security asset. Access control, logging, isolation and review around GPT-Red matter even if the model itself is never released.

Reward misspecification

The result depends on what counts as a successful attack or defense. A defender might earn a high score by refusing legitimate tasks unless utility is measured carefully.

Application risk beyond the model

Prompt-injection resistance cannot repair excessive permissions, insecure tool design, missing confirmations or weak transaction controls. The surrounding application must assume the model can still fail.

What AI agent builders should do now

GPT-Red's results do not remove the need for layered defenses. Organizations deploying agents should:

1. Separate trusted instructions from untrusted data

Track the origin of webpages, emails, files and tool responses. Do not silently treat retrieved content as authorized instructions.

2. Minimize agent permissions

Give each workflow only the tools, records and actions it needs. Avoid broad service credentials and unrestricted network access.

3. Put deterministic controls around dangerous actions

Use hard limits and policy checks for payments, refunds, price changes, data export, credential access, code execution and security-setting changes. A model decision should not be the only gate.

4. Require confirmation at high-risk boundaries

Show the user what data will be sent, what transaction will occur and which system will change. Confirmation should occur close to the action.

5. Test adaptive and repeated attacks

Do not rely only on a static prompt list. Re-run tests after model, tool, prompt, permission and workflow changes. Measure both single-attempt and repeated-attempt performance.

6. Measure utility with robustness

Track legitimate task completion and over-refusal. A secure agent that cannot do useful work is not a successful deployment.

7. Log and monitor tool actions

Retain enough evidence to reconstruct which content the agent read, which tools it called, what it tried to change and which approvals occurred.

8. Use independent review

Combine internal automated testing with human red teams, external researchers, bug bounties and shared benchmarks. Independence helps surface common blind spots.

What changes for ChatGPT users?

OpenAI did not announce a new GPT-Red product, API or user setting. GPT-Red remains internal.

The main claimed user impact is indirect: OpenAI says adversarial examples from GPT-Red contributed to GPT-5.6 Sol's prompt-injection resistance. That does not mean users should assume every ChatGPT or Codex session has the same protection. Model version, product surface, tools and surrounding safeguards all matter.

Users should continue to review sensitive actions, avoid granting unnecessary permissions and treat external content as potentially hostile when an agent can act across email, files, code or business systems.

Bottom line

GPT-Red is a significant attempt to make AI safety testing scale with model capability. The approach turns red teaming into an adversarial training loop: an automated attacker finds failures, defenders learn to resist, and the resulting attacks strengthen the next production model.

OpenAI's reported results are impressive, especially the 84%-versus-13% scenario result and the claimed 0.05% direct-injection failure rate for GPT-5.6 Sol. They are also incomplete without the promised preprint, full methods and independent replication.

The right conclusion is not that prompt injection is solved. It is that automated red teaming may become a core part of frontier-model training—but it must sit inside a broader security architecture that assumes models can still be manipulated and limits the damage when they are.

FAQ

What is GPT-Red?

GPT-Red is OpenAI's internal automated safety red-team model. It searches for prompt-injection attacks and generates adversarial examples used to train production models.

Can people use or download GPT-Red?

No. OpenAI says it keeps GPT-Red separate from deployed models so the attack capabilities intentionally trained into it are not made available to adversaries.

Is GPT-Red a version of GPT-5.6?

OpenAI has not disclosed GPT-Red's architecture or base model. GPT-Red was used to generate training attacks for GPT-5.6, but it is a separate internal system.

Does GPT-Red make GPT-5.6 immune to prompt injection?

No. OpenAI reports strong performance on its evaluations, including a 0.05% direct-injection failure rate in one held-out set. That does not prove immunity across all applications, tools, attackers or repeated attempts.

What is indirect prompt injection?

It is an attack delivered through an external resource an AI agent reads, such as a webpage, email, file, tool result or code repository. The hidden instruction tries to redirect the agent away from the user's intent.

Did GPT-Red outperform human red-teamers?

OpenAI says GPT-Red found successful attacks in 84% of novel scenarios versus 13% for humans on its replicated arena. The announcement does not yet provide enough protocol detail to determine whether the comparison used equal attempts, time, expertise or cost.

Is this recursive AI self-improvement?

Not in the uncontrolled sense. It is a designed self-play and adversarial-training process managed by researchers, with defined environments, rewards, evaluation and deployment boundaries.

Sources and methodology

HacksByte compared the primary claims with the public benchmark paper and NIST analysis, distinguished model robustness from system security, created original explanatory graphics from the reported numbers, and reproduced one official OpenAI case-study visual with source attribution. We omitted actionable prompt-injection payloads. No source paid for or reviewed this article before publication. See our Editorial Policy and Corrections Policy.

Reader protocol

Before you move on

Global AI workflow guidance. Use this short checklist to turn the article into action.

  • Check whether the tool can access private files or account data.
  • Verify factual claims against primary sources before publishing.
  • Keep a human review step for work that affects money, school, or customers.
HacksByte editorial standard

This guide is written for practical user safety. For account, platform, or legal decisions, confirm critical steps with the official help center or your service provider.