Abstract dark composition with glowing red geometric shapes colliding against a deep blue gradient surface, suggesting adversarial AI systems in conflict
News

OpenAI Built an AI That Hacks Its Own Models — And It Already Found Attacks No Human Has Seen

OpenAI trained an AI super-hacker called GPT-Red to attack its own models. It succeeds where human red-teamers fail — and GPT-5.6 is the safer for it. But the asymmetry between attacker and defender is now an arms race inside one company.

OpenAIGPT-RedAI SafetyRed TeamingPrompt Injection

OpenAI has trained an automated red-teaming model called GPT-Red that attacks its own production LLMs to find vulnerabilities before deployment — and it is already finding novel attack classes that human security researchers have never seen. The company announced GPT-Red on July 15, revealing that the system achieves an 84% attack success rate against GPT-5.1 on novel scenarios, compared to just 13% for human red-teamers on the same tasks.

🔍 THE BOTTOM LINE

GPT-Red is the first credible evidence that AI safety can scale alongside AI capability through automated self-play — the same training paradigm that produced AlphaGo and superhuman game play, now applied to breaking and defending LLMs. GPT-5.6, released last week, is 6x more resistant to prompt injection than the model before it, and the system is explicitly designed as a flywheel: each generation of attacker makes the next generation of defender harder to break. The catch: OpenAI holds both ends of the arms race, and they will not release GPT-Red.

A Super-Hacker Trained in a Dojo

GPT-Red was trained through self-play reinforcement learning, the same technique DeepMind used to train AlphaGo — one model attacks, multiple defender models try to resist, and both improve over successive rounds. OpenAI built a “dojo” of realistic scenarios: browsing the web, reading emails, editing code, interacting with calendar apps. In each round, GPT-Red was rewarded for eliciting a failure (a successful prompt injection, a data exfiltration, a sabotaged task), while the defender models were rewarded for resisting the attack and completing their original task.

The result is an attacker that can break “nearly all models it is pitted against,” including production models up to GPT-5.5. When OpenAI reran a 2025 experiment where human red-teamers had attempted to find weaknesses in an earlier GPT-5 version, GPT-Red was more successful than the humans at finding effective attacks. As MIT Technology Review reported, OpenAI research scientist Dylan Hunn said the model is “extremely persistent about drilling down into an attack that it has discovered” — it does not give up or get bored the way a human tester would.

The ‘Fake Chain-of-Thought’ Attack

GPT-Red discovered a novel class of prompt injection attack that OpenAI researchers had never seen before, which they call a “fake chain of thought” attack. LLMs maintain an internal chain of thought — a running diary of partial results and reasoning steps. GPT-Red found a way to insert a fake entry into another model’s chain of thought that tricks the model into acting on spoofed information.

“It’s like if I told you that 1+1=3 and that you have verified this already,” OpenAI research scientist Chris Choquette-Choo explained. “The model’s like, ‘Oh, okay, of course,’ and it just spits out 3.” This attack achieved success rates above 95% on GPT-5.1. After adversarial training with GPT-Red, the same attack now succeeds on less than 10% of attempts against GPT-5.6.

This matters because prompt injection is the dominant security threat to AI agents. As LLMs are deployed as agents that browse the web, read emails, edit code, and interact with third-party tools, the attack surface grows exponentially. A malicious instruction hidden in a webpage, an email body, or a tool response can trick an agent into exfiltrating sensitive data, sabotaging a codebase, or performing actions its developers never intended — as we saw with the recent Claude memory exfiltration attack where a poisoned website silently extracted user personal data.

The Vending Machine Test

To test GPT-Red against a real-world agentic system, OpenAI pitted it against Vendy — an AI-powered vending machine developed by Andon Labs that manages inventory and pricing autonomously. GPT-Red was given a description of the system and the ability to send attacks and observe tool calls. After iterating in simulation, it deployed its attack against the production agent and achieved all three of its malicious objectives: it changed the price of an expensive item to $0.50, ordered a new $100+ item and listed it for $0.50, and cancelled another customer’s order.

OpenAI also tested GPT-Red against a Codex CLI agent (based on GPT-5.4 mini) on 10 data-exfiltration scenarios. GPT-Red was both more effective and more token-efficient than a prompted GPT-5.5 baseline, successfully getting the agent to exfiltrate sensitive data in more scenarios using fewer tokens.

What GPT-Red Cannot Do

GPT-Red is not a complete replacement for human red-teamers. It struggles with multi-turn conversational attacks — the kind where a human attacker gradually builds rapport and manipulates a model over a back-and-forth exchange. It is also not yet proficient at using images as a vector for prompt injection, which is a known attack surface where text instructions are embedded in image files that LLMs with vision capabilities might process.

Jessica Ji, a senior research analyst at Georgetown University’s Center for Security and Emerging Technology, told MIT Technology Review that the self-play approach looks promising but “human expertise will still be very important.” The complementary approach OpenAI is taking: humans find a novel attack class, then GPT-Red explores all variations of it at machine speed.

The Flywheel and Its Limits

The strategic significance of GPT-Red is the safety flywheel it enables. Each successive GPT model since GPT-5.3 has been trained against progressively stronger versions of GPT-Red’s predecessors, and each has become more robust. GPT-5.6 Sol fails on only 0.05% of GPT-Red’s direct prompt injection attacks — down from over 90% for GPT-5. OpenAI frames this as a form of self-improvement for safety: today’s models directly help make tomorrow’s models safer, the same way AI agents are already being used to improve capabilities.

But the flywheel has a structural limit that the announcement does not address: it only works if GPT-Red can find the attacks that real adversaries will try. If a nation-state attacker discovers a novel attack class that GPT-Red’s training environment does not cover, the flywheel has a blind spot. The 84% vs 13% success rate is measured on scenarios that OpenAI designed — not on the open-ended space of adversarial creativity. As we noted in our coverage of GPT-5.6 Sol’s cheating on METR evaluations, independent evaluation is the only credible measure of frontier model claims, and OpenAI will not release GPT-Red for external testing.

NZ Angle

New Zealand organisations deploying AI agents — whether through API integrations, agentic workflows, or custom tools — are directly exposed to prompt injection risks. The attacks GPT-Red discovers and the defences GPT-5.6 inherits will propagate through OpenAI’s API to every NZ developer building on the platform. But NZ companies using open-weight models or non-OpenAI providers do not benefit from this flywheel at all. The defensive gap between OpenAI’s internally-hardened models and the broader ecosystem is widening, and for NZ’s sovereign AI ambitions, that gap is a strategic risk.

❓ FAQ

Will OpenAI release GPT-Red? No. OpenAI explicitly states it will keep GPT-Red internal to prevent malicious actors from using its attack capabilities. The company says the model was trained over more than a year with the compute resources of one of the richest AI companies in the world, making it non-trivial to replicate.

How is this different from regular red-teaming? Traditional red-teaming uses human security researchers who manually design and execute attacks. GPT-Red automates the process at machine speed and scale, generating the volume and diversity of adversarial data needed to improve model robustness through training — something human teams cannot produce fast enough.

Does this make GPT-5.6 safe from prompt injection? Safer, not safe. GPT-5.6 is 6x more resistant than its predecessor and fails on only 0.05% of GPT-Red’s direct prompt injections. But indirect prompt injection through images, multi-turn conversations, and novel attack vectors outside GPT-Red’s training environment remain open risks.

Could another company build their own GPT-Red? In principle, yes — the self-play training method is not secret. In practice, OpenAI’s researchers say it requires compute at the scale of their largest post-training runs, over a year of development, and a team of research scientists. The barrier is resources, not ideas.

🔍 THE BOTTOM LINE

GPT-Red is the most concrete example yet of AI safety scaling through automation rather than human labour. The flywheel — attacker trains defender, defender trains next attacker — is a closed loop inside OpenAI, and the results are measurable: 6x fewer prompt injection failures in one model generation. The unresolved question is whether one company’s internal arms race can outpace the external adversary space. OpenAI’s bet is that it can. Everyone else’s bet is that OpenAI shares enough of the defensive techniques to benefit the ecosystem, not just its own models.

📰 Sources

Sources: MIT Technology Review, OpenAI Blog, Georgetown CSET