OpenAI has started training its production models against an AI built specifically to attack them. The system is called GPT-Red. It is an automated red-teamer, trained through self-play reinforcement learning against a roster of defender models. OpenAI reports that GPT-Red finds successful prompt-injection attacks in 84 percent of held-out test scenarios, compared with 13 percent for its human red-teaming staff.

That gap matters. Prompt injection, hiding malicious instructions inside an email, webpage, or tool output to hijack an AI agent, has become the primary attack surface as models gain browsing, file access, and API-calling abilities. Human red-teamers still catch real vulnerabilities. They just cannot generate the volume or variety of attacks needed to train robustness into a model at scale.

GPT-Red trains alongside a diverse set of defender models in scenarios where it controls a slice of the environment: a webpage banner, part of a local file, or a tool’s output. It earns reward for eliciting a genuine failure, such as getting a defender to exfiltrate data or bypass a safeguard, while the defenders are rewarded for resisting. The setup forces GPT-Red to keep inventing new attack classes as its opponents adapt.

Two case studies show what that produces. OpenAI set GPT-Red against a vending-machine agent built by Andon Labs and running inside its own office, similar to the earlier Project Vend experiment, and gave it three objectives. GPT-Red hit all three:

Against a Codex CLI coding agent built on GPT-5.4 mini, GPT-Red also outperformed a prompted GPT-5.5 baseline across ten held-out data-exfiltration scenarios, succeeding more often and using fewer tokens to do it.

OpenAI then folded GPT-Red’s attacks directly into the post-training of GPT-5.6. The resulting model, GPT-5.6 Sol, fails six times less often on the company’s toughest direct-injection benchmark than the production model it shipped four months prior. It also resisted all but 0.05 percent of the direct injection attempts GPT-Red threw at it. An earlier GPT-Red precursor surfaced a previously unknown attack class, which OpenAI calls “Fake Chain-of-Thought,” that broke GPT-5.1 on more than 95 percent of attempts. That rate is now under 10 percent against Sol.

Every one of those figures comes from OpenAI’s own evaluation suite, tested against OpenAI’s own prior models. GPT-Red itself never ships. OpenAI is keeping it internal-only because the exploit-finding capability trained into it would be dangerous in an adversary’s hands. That also means outside researchers cannot independently reproduce the 84 percent figure or the vending-machine and Codex CLI exploits described in the post. OpenAI frames GPT-Red as one input alongside human red-teaming, layered safeguards, and monitoring, not a replacement for any of them, and says a fuller pre-print is coming later this week.

Teams building agents on GPT-5.6 Sol should treat the 0.05 percent failure rate as a floor, not a guarantee. It measures resistance to one lab’s internal attacker, not a live adversary with unlimited time to iterate. Any product that lets an agent read untrusted webpages, emails, or tool output should still test against the categories OpenAI disclosed: credential exfiltration, payment tampering, and unauthorized order cancellation.

OpenAI published these findings in a July 15, 2026 blog post titled “GPT-Red: Unlocking Self-Improvement for Robustness.”