OpenAI Unveils GPT-Red to Automate Security Testing and Fortify GPT-5.6
The automated system uses adversarial self-play to find vulnerabilities at a scale that human red teamers cannot match.


As artificial intelligence models grow increasingly complex and deeply integrated into automated systems, securing them against malicious exploitation has become a paramount challenge. Addressing this critical bottleneck, OpenAI has introduced GPT-Red, an automated AI system designed to find security vulnerabilities in its language models before they are deployed to the public.
The tool takes its name from cybersecurity red teaming, a practice where security professionals deliberately attempt to break a system to identify weaknesses before real-world attackers can exploit them. In a public post on Wednesday, OpenAI revealed that the tool has already been put to work, helping make its upcoming GPT-5.6 model significantly more resistant to prompt injection attacks before deployment.
“As model capabilities grow, safety and alignment must scale with them,” OpenAI wrote on X. “Red-teaming is essential, but today’s approaches are difficult to scale, creating a critical bottleneck. GPT‑Red is one way we’re addressing it.”
How GPT-Red Works: Adversarial Self-Play
Traditionally, red teaming has been a highly manual, labor-intensive process reliant on human security researchers. To overcome the scalability limits of human testing, OpenAI trained GPT-Red through self-play reinforcement learning. In this setup, the system generates progressively stronger prompt injection attacks while defender models learn to resist them in a continuous feedback loop.
“GPT‑Red learns through adversarial self-play, where its goal is to prompt inject a variety of challenging defender models,” OpenAI explained. “Every successful attack that GPT-Red finds is used to improve these defenders, pushing GPT‑Red to continuously find broader and more complex failures.”
These automated attacks were directly incorporated into the training process for GPT-5.6. According to OpenAI, GPT-Red succeeded in 84% of internal evaluation scenarios, whereas human red teamers only managed a 13% success rate in the same tests. This stark difference highlights the efficiency of automated adversarial testing in uncovering edge cases that human eyes might miss.
To demonstrate the real-world risks of unpatched vulnerabilities, OpenAI shared a case study involving an autonomous vending machine agent. In this simulation, GPT-Red successfully manipulated the autonomous vending machine agent into lowering prices, ordering discounted inventory, and canceling another customer’s order. By identifying these flaws in a sandboxed environment, developers were able to address the vulnerabilities before the agent could be manipulated in a live deployment.
The Evolution of AI Red Teaming
The launch of GPT-Red represents a major evolution in OpenAI’s security methodology. In 2023, the company established the OpenAI Red Teaming Network, recruiting outside cybersecurity researchers and domain experts to probe ChatGPT and other models for security flaws before release. While that human-centric network remains active, GPT-Red expands on those efforts by automating the process, generating adversarial tests at a scale that would be impossible for human researchers to match.
This shift reflects a broader, cross-industry trend of using AI to secure AI. The intersection of artificial intelligence and cybersecurity is rapidly expanding, not just in centralized AI development but also within the decentralized web.
Earlier this month, the Ethereum Foundation revealed that it had deployed AI agents to red-team critical network infrastructure. The automated agents successfully uncovered a vulnerability in software used by Ethereum consensus clients. While researchers noted that AI agents can search vastly larger codebases than humans, they also pointed out that the primary challenge has shifted from finding potential bugs to proving which ones are actually exploitable.
Keeping the Offensive Tools Under Lock and Key
Because GPT-Red possesses highly optimized, intentionally developed offensive capabilities, OpenAI stated that the system will remain an internal-only tool. Releasing such an effective automated attacking agent to the public could pose significant security risks to other AI systems currently in production.
Instead, OpenAI plans to keep the system behind closed doors to continuously harden its own models, viewing the automated loop as a self-improving safety mechanism.
“We believe with GPT-Red that we have started to unlock a similar flywheel for safety, where today’s models can be used to make tomorrow’s models more robust, aligned, and trustworthy,” the company stated.









