OpenAI's GPT-Red Slashes Prompt-Injection Success on GPT-5.6
TL;DR
- OpenAI built GPT-Red, an internal red-teaming LLM, and used it to adversarially train the newly released GPT-5.6.
- Attacks that worked more than 90% of the time on GPT-5 succeed under 23% of the time on GPT-5.6, per OpenAI.
- GPT-Red discovered a novel 'fake chain of thought' attack and compromised Vendy, a vending-machine agent from Andon Labs.
An unusual detail from OpenAI's latest security push: rather than only hardening its models against known jailbreaks, the company built a second model whose whole job is to attack the first. In a piece by MIT Technology Review, OpenAI calls it GPT-Red, and says the tool was central to training GPT-5.6, the version released this month.
GPT-Red is trained through self-play, an adversarial loop where the attacker tries to break defensive models in a simulated environment with web browsing, email access and code editing, while the defenders learn to resist. Over more than a year of development, OpenAI says GPT-Red got persistent at drilling into attacks and, more interestingly, surfaced a novel class of prompt injection the company is calling 'fake chain of thought,' which plants false reasoning steps a model treats as already verified. OpenAI's Chris Choquette-Choo describes the trick this way: "It's like if I told you that 1+1=3 and that you have verified this already." Colleague Dylan Hunn says the model is "very, very good at finding exactly what will work."
The headline figure is that attacks which worked on GPT-5, last summer's model, more than 90% of the time now succeed under 23% of the time on GPT-5.6. GPT-Red also compromised Vendy, a vending-machine agent built by Andon Labs, manipulating prices and canceling orders. On a 2025 benchmark GPT-Red found more effective attacks than the human red-teamers it was compared against, though MIT Technology Review doesn't publish a precise head-to-head figure to go with that claim, so take the ranking as reported, not settled.
The honest caveat is that GPT-Red still stumbles on multi-turn conversational attacks and image-based prompt injections, both of which are common surfaces for real agents. And OpenAI will not be releasing the model, which means the resulting defensive floor lives inside its own products; Georgetown CSET's Jessica Ji calls the results "very promising" but adds that "human expertise will still be very important." What the reporting doesn't spell out is how much compute this actually took, or how GPT-Red would fare if pointed at non-OpenAI models.
For anyone building on top of GPT-5.6, coding agents, browsing agents, the Andon Labs-style vending experiments, the useful takeaway is a new floor to plan against, not a solved problem. The more interesting question for the rest of the industry is whether adversarial self-play at this scale is a moat only the richest labs can dig, or a template everyone else will now try to copy.
Originally reported by technologyreview.com
Read the original article →Original headline: OpenAI Debuts 'GPT-Red' Automated Red-Teamer That Slashed Prompt-Injection Attack Success on GPT-5.6 to Under 23% From Over 90% on GPT-5 — 84% Success Rate vs 13% for Humans, Found Novel 'Fake Chain of Thought' Attack Class