OpenAI’s GPT-Red Turns AI Against Itself to Outpace Tomorrow’s Hackers

OpenAI built GPT-Red, an automated red-teamer that uses self-play to discover prompt injection attacks including a novel fake chain-of-thought technique. The model outperformed humans in tests and helped harden GPT-5.6. This internal system signals a new era of AI defending against AI.
OpenAI’s GPT-Red Turns AI Against Itself to Outpace Tomorrow’s Hackers
Written by Juan Vasquez

OpenAI just released details on a secret weapon. It’s an AI model built to attack other AI models. The goal? Make its own systems harder to break.

GPT-Red doesn’t chat politely. It probes for weaknesses. It finds ways to slip harmful instructions past safeguards. And it does so at a scale no team of humans could match. The company detailed the project today in a blog post and a companion piece in MIT Technology Review.

Why build a hacker? Because the stakes keep rising. Modern AI agents don’t just answer questions. They browse the web. They read emails. They edit code. They interact with other agents. Each new capability opens fresh attack paths. “The risk surface grows and the blast radius also grows,” says Nikhil Kandpal, a research scientist at OpenAI who co-created GPT-Red.

Traditional red-teaming relies on people. Smart people. Creative people. But even the best teams can’t test every scenario fast enough. GPT-Red changes that equation. It automates the hunt. It learns from its own successes and failures. The result is a relentless adversary that sharpens defenses before real threats appear.

The approach relies on self-play. Researchers took a capable but unaligned model. They placed it in a simulated environment. One model tries to inject malicious prompts. Others try to resist. Round after round, the attacker improves. The defenders improve too. Over time, GPT-Red mastered prompt injection attacks. These tricks hide instructions in web pages, documents, or code that an AI might encounter.

One discovery stands out. GPT-Red invented a new technique called fake chain-of-thought. Large language models often reason step by step. They generate internal notes that guide their final answer. The new attack spoofs those notes. It tricks the target model into accepting false information as already verified.

“It’s like if I told you that 1+1=3 and that you have verified this already,” explains Chris Choquette-Choo, another OpenAI research scientist on the team. “The model’s like, ‘Oh, okay, of course,’ and it just spits out 3.” Simple. Effective. And previously unseen.

Tests back the claims. When GPT-Red faced the same challenges human red-teamers tackled in 2025 against an earlier GPT-5 version, it found more successful attacks. It also targeted Vendy, a vending-machine agent built by Andon Labs to benchmark real-world AI performance. GPT-Red made the machine change item prices and cancel customer orders.

The payoff shows in OpenAI’s newest release. Last week the company rolled out GPT-5.6. Training this model against GPT-Red produced the firm’s strongest defenses yet. Strong attacks that succeeded more than 90 percent of the time against GPT-5 dropped below 23 percent against the updated version.

The Self-Improvement Flywheel

That progress points to something bigger. OpenAI sees a virtuous cycle. Better models create better red-teamers. Those red-teamers produce even stronger models. Dylan Hunn, who co-created GPT-Red with Kandpal, puts it plainly. “As more capable models become available, we will have already designed the system that can discover new modes of attack.”

The training environment mimics real deployments. Web browsing. Email reading. Calendar management. Code editing. GPT-Red doesn’t just throw random prompts. It studies what works. It refines attacks. It persists where humans might move on. “Compared to a human red-teamer, the model is very, very good at finding exactly what will work, exactly what’s most effective,” Hunn adds. “It’s extremely persistent about drilling down into an attack that it has discovered.”

Yet limits remain. GPT-Red struggles with multi-turn conversations. Humans excel at those back-and-forth exchanges that build trust before striking. The model also lags when attacks involve images that hide text instructions. These gaps explain why OpenAI still relies on human experts.

Jessica Ji, a senior research analyst at Georgetown University’s Center for Security and Emerging Technology, reviewed the results. “The results look very promising,” she says. She also cautions that people stay essential. “I think human expertise will still be very important. It would be really useful to be able to distinguish where human testing is most needed.”

OpenAI won’t release GPT-Red. The firm spent more than a year and significant compute building it. Choquette-Choo doubts others could replicate the feat quickly. “It’s not a trivial thing that someone else could easily do—you know, just go and train a super-attacker using this idea.”

Instead, the company plans to keep evolving the system. GPT-Red can take a human-discovered attack and generate dozens of variations. It supplements human creativity rather than replacing it. The combination matters. As agents grow more autonomous, the cost of failure climbs. A single successful injection could leak data, alter decisions, or trigger actions no one intended.

Industry watchers took notice quickly. On X, users described the system as an “AI attacking AI” and a “self-hunting predator.” One post highlighted how GPT-Red uncovered a new attack class involving deceptive reasoning traces that existing output-only evaluations would miss. The conversation underscores growing recognition that traditional safety tests fall short for agentic systems.

OpenAI’s move fits a broader pattern. Frontier labs race to secure their models before deployment. They also race to stay ahead of each other. GPT-Red represents one answer to that pressure. Scale the red team. Let models teach models. Fix flaws before they reach customers.

But questions linger. How well will this approach transfer beyond OpenAI’s own stack? Can smaller organizations adopt similar techniques without comparable resources? And what happens when attackers train their own GPT-Red equivalents?

For now, the company reports clear gains. GPT-5.6 emerged tougher because of it. Future releases will likely follow the same path. The super-hacker stays behind the curtain. Its lessons shape what users actually see. Safer models. Fewer surprises. At least that’s the plan.

The announcement arrives amid heightened scrutiny of AI security. Recent weeks saw fresh warnings about prompt injection risks in production agents. GPT-Red shows one lab’s serious response. It treats the problem as solvable through iteration and compute. Whether that confidence holds as capabilities advance remains to be tested. But the flywheel is spinning. And OpenAI intends to keep it turning.

Subscribe for Updates

AISecurityPro Newsletter

A focused newsletter covering the security, risk, and governance challenges emerging from the rapid adoption of artificial intelligence.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us