OpenAI details GPT-Red automated red-teaming system for prompt-injection defenses

OpenAI details GPT-Red automated red-teaming system for prompt-injection defenses

OpenAI says GPT-Red uses automated red-teaming to improve prompt-injection defenses in production AI models.

Format News Brief
Read Time 2 min
Category AI & Technology
Updated Jul 17, 2026

OpenAI has published details of GPT-Red, an internal automated red-teaming system designed to find prompt-injection weaknesses before they reach widely deployed models. The July 15 publication frames the work as a way to make safety testing scale with more capable AI agents, especially as those agents handle web pages, files, emails, repositories and other third-party content that can carry malicious instructions.

The company says GPT-Red is trained through self-play reinforcement learning against a collection of defender models. In that setup, the red-team model is rewarded for producing a valid failure, while the defender models are rewarded for resisting the attack and completing the user’s original task. OpenAI says the environments include realistic places where hostile instructions may appear, such as a webpage banner, an email body, local file content or tool output.

Why It Matters

Prompt injection remains one of the hardest security problems for agentic AI because the attack can be hidden inside material the assistant is asked to read. OpenAI’s post argues that human red-team work is still important but cannot produce enough diverse adversarial examples by itself. GPT-Red is intended to generate attacks at training scale, then feed those examples back into production-model training.

OpenAI reports several benchmark and case-study results, while identifying them as its own evaluations. It says GPT-Red found successful attacks in 84 percent of scenarios on an internal mirror of an indirect prompt-injection arena, compared with 13 percent for human red-teamers. The company also says GPT-Red attacks were used while training GPT-5.6, and that GPT-5.6 Sol produced six times fewer failures on OpenAI’s hardest direct prompt-injection benchmark than its best production model from four months earlier.

The post includes more concrete demonstrations against agentic systems. In one case, OpenAI says GPT-Red moved from simulation to a live vending-machine agent and achieved objectives such as changing item prices and canceling an order. It also says GPT-Red was tested against a Codex CLI agent on held-out data-exfiltration scenarios and performed more efficiently than a prompted GPT-5.5 baseline.

OpenAI says GPT-Red is kept separate from deployed products so that the attack capabilities are not released directly to adversaries. The company plans to publish a preprint with more detail, which will be important for outside researchers assessing how broadly these robustness gains transfer beyond OpenAI’s internal benchmarks.

Sources

Cover photo by Brett Sayles on Pexels, used under the Pexels License.

Comments (0)

Leave a Comment

Loading comments...