Models & Research

OpenAI Details GPT-Red: An Internal Automated Red-Teaming Model That Beat Human Red-Teamers 84% To 13% On P…

· July 16, 2026
OpenAI Details GPT-Red: An Internal Automated Red-Teaming Model That Beat Human Red-Teamers 84% To 13% On P…

What happened

OpenAI developed GPT-Red, an internal automated attacker model designed to test other large language models by simulating red-team attacks. Using self-play reinforcement learning, GPT-Red was trained against multiple defender LLMs to identify prompt injection vulnerabilities. On a replicated indirect prompt injection test, GPT-Red outperformed human red-teamers, achieving an 84% success rate compared to the humans’ 13%. It also uncovered a new attack type called “Fake Chain-of-Thought.” Furthermore, GPT-Red reduced failures on OpenAI’s toughest direct injection benchmark by a factor of six when targeting GPT-5.6 Sol. Despite these advances, OpenAI acknowledged the model still struggles with multi-turn and image-based prompt injections.

Why it matters

Automated red-teaming using GPT-Red changes how prompt injection vulnerabilities can be found and fixed at scale. Relying on human red-teamers alone is slower, costlier, and less effective, especially against novel attack types. GPT-Red’s success at uncovering a previously unknown “Fake Chain-of-Thought” attack exposes blind spots defenders might miss. It also forces developers and security teams to reassess risk, knowing automated adversaries can discover exploits human efforts overlook. The jump in attack coverage and efficiency pressures other AI builders to adopt similar tools or fall behind on securing their models. At the same time, GPT-Red’s limits on multi-turn and image-based injections highlight areas where AI safety remains fragile and calls for continued defenses beyond automation.

What to watch next

Expect OpenAI and other AI developers to expand automated red-teaming capabilities to handle more complex threat vectors, such as multi-turn conversations and visual inputs. The new “Fake Chain-of-Thought” attack will likely inspire closer scrutiny of reasoning prompts in AI applications, raising the bar for prompt sanitization and filtering. Investors and customers should monitor how this automated testing influences model safety certifications and regulatory compliance. Builders will want to track OpenAI’s next moves with GPT-5.6 and beyond, especially if automated red-teaming becomes a standard pre-release practice that accelerates model hardening and shifts competitive dynamics around AI reliability.

AI Quick Briefs Editorial Desk

Stay ahead of AI Get the most important AI news delivered to your inbox — free.