OpenAI Details GPT-Red: An Internal Automated Red-Teaming Model That Beat Human Red-Teamers 84% To 13% On Prompt Injection
This week, OpenAI published details of GPT-Red , an internal-only automated red-teaming model.

This week, OpenAI published details of GPT-Red , an internal-only automated red-teaming model. Its job is to attack OpenAI’s own models and find prompt injection vulnerabilities.
OpenAI gives two reasons. Human red-teaming is time-intensive and does not scale. Commonly used robustness evaluations are already saturated by its latest models.
Meanwhile, the attack surface grows. Agents read third-party data through browsers, connected apps, local files, and tools. Those affordances are necessary for real work. They also let an attacker plant a crafted instruction in that data.
GPT-Red is a model, not a static benchmark or a prompt library. It works like a human red-teamer. It sends a prompt, observes the response, and iterates toward a goal.
OpenAI team trained it at the compute scale of some of its largest post-training runs, purely for safety.
Two deployment decisions matter. First, GPT-Red is kept separate from deployed models. That keeps its malicious capabilities away from adversarial actors. Second, it does two jobs. It uncovers vulnerabilities before deployment, and generates attacks during training.
The second job depends on the training loop below.
GPT-Red is trained using self-play reinforcement learning. The attacker and a collection of diverse defender LLMs train simultaneously across a broad set of red-teaming scenarios.
That second clause matters. A defender cannot win by refusing everything, since it must still finish the task.
Each environment carries a threat model. It specifies what GPT-Red controls and what counts as success. GPT-Red might control part of a local file, a webpage banner, an email body, or a tool’s output.
As defenders harden, GPT-Red is forced to discover stronger and more diverse attacks. By the end of training, it breaks nearly all models it is pitted against. That includes internal and production models up to and including GPT-5.5.
Along the way, it also found something new.
A chain of thought is the running note an LLM keeps while solving a problem. An early GPT-Red learned to insert a fake entry into that note. The target then acts on spoofed information it thinks it verified.
OpenAI calls it a novel class of direct prompt injection attack, unseen by its researchers.
Consequently, that class became a training target.
OpenAI team tested GPT-Red on novel safety environments and unseen target models. The result replicates the indirect prompt injection arena from Dziemian et al. (2025) . Humans and GPT-Red independently proposed attacks against GPT-5.1 there.
Source: MarkTechPost