← all news

OpenAI trains GPT-Red to attack its own models at scale

AI · · · source (openai.com)

OpenAI introduced GPT-Red, an automated red-teaming model whose job is to find ways to break other models before those models ship. It works the way a human red-teamer does: send a prompt, watch how the target model responds, then adjust and try again, iterating toward a goal such as bypassing a safety rule or slipping through a prompt injection. The difference is scale. OpenAI says GPT-Red was trained at the compute scale of some of its largest post-training runs, which the company frames as an unusual amount of compute spent purely on safety rather than capability.

The point OpenAI is making is about self-improvement. Instead of waiting for outside researchers to report failures, it uses today's models to generate attacks that harden the next generation, then folds those attacks directly into training. GPT-Red was used to adversarially train GPT-5.6, which OpenAI describes as much more robust to prompt injection as a result. You can read OpenAI's writeup here, though the amount of concrete evaluation detail released so far is limited, so the strength of the robustness gains is mostly the company's own characterization for now.

There is a familiar tension underneath. A model good enough to reliably attack other models is itself a dual-use artifact, and the same self-play loop that patches known weaknesses can only cover the attack surface the attacker model already imagines. Automated red teaming widens coverage, but it does not turn adversarial robustness into a solved problem.

Why it matters

If you deploy agents on top of frontier models, prompt injection is your problem too, and labs are now treating automated attack generation as part of the training pipeline rather than an afterthought. Watch for independent evaluations of GPT-5.6's injection robustness before trusting the claim, and expect this self-play red-teaming approach to spread to other labs.

OpenAISecuritySafety