Crypto

OpenAI says GPT-Red helped harden GPT-5.6 before release

OpenAI says its automated red-team system found prompt-injection weaknesses and fed the results into GPT-5.6 training.

Dev Ramirez

By Dev Ramirez · Crypto Correspondent

· 3 min read

OpenAI says GPT-Red helped harden GPT-5.6 before release
Photo: Decrypt

OpenAI says it used an AI system called GPT-Red to find security holes in GPT-5.6 before the model was released. For investors watching the AI race, the update shows how model makers are trying to reduce safety risks as their products become more capable and more widely used.

GPT-Red is built for red teaming, a cybersecurity practice where testers deliberately try to break a system so developers can fix weaknesses first. In this case, OpenAI said the system focused on prompt injection attacks, a type of attack where a user or hidden instruction tricks an AI model into ignoring its rules or taking an unintended action.

OpenAI introduced GPT-Red in a Wednesday post and said it helped make GPT-5.6 more resistant to those attacks before deployment. In a post on X, the company wrote that as model capabilities grow, safety and alignment need to scale too, adding that red teaming remains essential but can be hard to expand with current methods.

How GPT-Red works

OpenAI said GPT-Red was trained through self-play reinforcement learning. That means the system improves by competing against defender models: GPT-Red tries to create stronger attacks, while the defender models learn from successful failures and become harder to trick.

The company said every successful attack found by GPT-Red was used to improve the defender models, forcing GPT-Red to search for broader and more complex weaknesses over time. OpenAI described this as a safety feedback loop where current models help strengthen future ones.

OpenAI reported that GPT-Red succeeded in 84% of internal evaluation scenarios, compared with 13% for human red teamers in the same tests. The company said the attacks generated by GPT-Red were added to GPT-5.6’s training process and reduced failures on one of its hardest prompt injection benchmarks.

The company framed GPT-Red as a complement to human testers, outside review and other safety work. That distinction matters because automated testing can run at a scale human teams cannot match, while human experts can still judge context, real-world impact and edge cases.

A vending machine test case

In one case study, OpenAI said GPT-Red found a way to manipulate an autonomous vending machine agent. The company said the system induced the agent to lower prices, order discounted inventory and cancel another customer’s order. OpenAI said those vulnerabilities were later disclosed and addressed.

The example points to a practical concern for AI agents, which are systems designed to take actions on behalf of users. If an agent can place orders, change prices or cancel transactions, a prompt injection flaw can move from a chat problem into a business operations problem.

GPT-Red builds on OpenAI’s earlier security efforts. In 2023, the company launched the OpenAI Red Teaming Network, bringing in outside cybersecurity researchers and domain experts to test ChatGPT and other models before release.

OpenAI said GPT-Red will remain an internal tool because it includes offensive capabilities developed to attack AI systems. The company said it believes the approach can help make future models more robust, aligned and trustworthy.

The move also fits a wider push to use AI systems to test other AI and software systems. Earlier this month, the Ethereum Foundation said it had deployed AI agents to red-team critical network infrastructure and found a vulnerability in software used by Ethereum consensus clients.

This story draws on original reporting from Decrypt.

More from Crypto

All Crypto