OpenAI’s GPT-Red beats humans at red-teaming GPT-5, raises the cyber defense bar
The super-hacker GPT-Red finds attacks automated beyond human testers, and OpenAI says GPT-5.6 benefits.

OpenAI built an LLM “super-hacker” called GPT-Red as a sparring partner for safety evaluation, and says training GPT-5.6 against it produced its most robust release yet. For decision-makers, the shift is that red-teaming is getting more automated and potentially harder for attackers to outpace.
OpenAI has built an LLM super-hacker named GPT-Red, and it’s not a lab toy. The company uses GPT-Red as a sparring partner to automate a safety evaluation process called red-teaming, which is typically done by human testers trying to break or hijack software systems before they ship. Last week, OpenAI released the latest version of its flagship LLM, GPT-5.6, and says training GPT-5.6 against GPT-Red made it its most robust release yet. That detail matters because red-teaming is one of the last gates between “cool demo” and “real-world deployment,” especially as models increasingly act through software and tools.
In one of OpenAI’s strongest benchmarks, it tested GPT-Red by rerunning an experiment from 2025 where human red-teamers tried to find weaknesses in an earlier version of GPT-5. When GPT-Red was set the same task, OpenAI says it was more successful at finding effective attacks than the humans had been. That flips a familiar assumption. For years, the default safety posture has been human experts iterating quickly on known failure modes. Now the system is designed to keep generating new ones. OpenAI’s researchers argue this is how you future-proof safety testing as models grow more capable and get deployed in broader settings, including agent-like systems that can interact with computer files, websites, third-party code, and even other agents.
The core problem is that the “risk surface” expands as capabilities and integration expand. OpenAI research scientist Nikhil Kandpal, co-creator of GPT-Red, puts it plainly: “The risk surface grows and the blast radius also grows.” In plain English, when an LLM can do more and touch more systems, attackers get more angles to poke. It becomes unrealistic for teams of people to keep up with every variant of what might go wrong. That’s the incentive behind GPT-Red’s design: build a system that can discover new modes of attack rather than only catching known ones.
OpenAI’s GPT-Red is built around a self-play loop. The researchers took an LLM that had not been trained as a hacker and set it up in what’s known as a self-play loop with several other models. The attacker role is GPT-Red, and the defenders are the other models. Over many rounds, GPT-Red gets better at attacking while the defending models get better at fending off those attacks. The training happens in a “dojo” OpenAI designed to mimic a range of real deployment scenarios, including browsing the web, reading emails or calendar apps, and editing code. When GPT-Red discovered a new kind of attack, it explored multiple different versions to find the most efficient one for specific scenarios. OpenAI says it found new types of attack that had not been seen before, which is exactly what you want from a safety system built for novelty, not repetition.
Prompt injection is where OpenAI says it focused most of its effort. Prompt injection is a type of attack where a hacker slips an LLM instructions to make it do things developers or users do not want, like copying confidential information, sabotaging a code base, or generating embarrassing or harmful output. In theory, the malicious instructions can be hidden in any text the LLM might encounter, whether that’s code or a website. GPT-Red’s work targeted not just surface-level tricks but deeper manipulations. OpenAI claims GPT-Red found a type of prompt injection attack the researchers had not seen before, which they call a “fake chain of thought.” A chain of thought is a kind of diary where an LLM makes notes to itself and keeps track of partial results while working through problems. GPT-Red found a way to insert a fake entry into another model’s chain of thought to trick that model into acting on spoofed information. Chris Choquette-Choo, another research scientist, used an analogy to explain the effect: “It’s like if I told you that 1+1=3 and that you have verified this already.” The point is that the model can treat the inserted steps as credible, even when they are wrong.
OpenAI also tested GPT-Red in ways that map to real agent behavior. It claims GPT-Red was able to hack Vendy, a vending machine agent developed by Andon Labs, a company that assesses how well agents perform real-world tasks. In that test, GPT-Red made Vendy change the prices of items on sale and cancel a customer’s order. Then OpenAI turned to defensive behavior claims. The company says that when it tried some of the strongest attacks GPT-Red came up with on its models, more than 90% of them worked against GPT-5 (released in August last year), and fewer than 23% worked against the new GPT-5.6. That gap suggests GPT-5.6 absorbed improvements that, at least against these attack types, made successful exploitation much harder.
Still, GPT-Red has limits, and OpenAI admits them. It is not great at attacks that involve a back-and-forth conversation between hacker and target, something human attackers would have few problems with. It is also not yet that great at using images, which can be used to pass text to models in prompt injection attacks. OpenAI positions GPT-Red as a supplement to human red-teamers, not a replacement. That matters for governance, because most organizations are still accountable for security and safety through human oversight, and regulators generally care about process, not just model outcomes. One approach OpenAI is taking is giving GPT-Red an attack that humans came up with and asking it to find all the variations. CSET’s Jessica Ji emphasizes the same point: human expertise remains important, particularly to distinguish where human testing is most needed.
Finally, there is an operational detail with strategic implications: OpenAI will not be releasing GPT-Red. The researchers say they have been working on the model for more than a year, backed by the compute resources of one of the richest companies in the world, and they argue it is not “a trivial thing” for someone to copy. For executives and boards, this raises a quiet but real tension in the AI security landscape. If the defenders are quietly training on an automated attacker that outperforms human red-teamers on certain tasks, then the defensive advantage is not just “better models,” it’s better adversarial evaluation pipelines. The companies that win next will likely be the ones that treat safety testing like an always-on product, not a pre-launch checkbox.
This story's Key Insights and Take-aways are locked.
Create a free account to unlock Executive Actions for one credit.
Register to UnlockAlways free for Executives Club members. Join the Club
More in Technology

Skullcandy’s Crusher 1080 ANC adds Bose QuietControl for $279.99 starting today
A bass-first headphone gets QuietControl ANC and head-tracking spatial audio, aiming to fix the quality hit of heavy boosts.

AppleCare Plus for new Mac and iPad sign-ups rises $0.50 per month
AppleCare Plus pricing for Macs and iPads increases for new customers, while existing subscribers keep the old rates, per Mark Gurman.

Cadence’s AuraStack turns LLM prompts into high-precision PCB and packaging simulations
Michael Jackson says AI orchestrates test and simulation suites, aiming at a 15x productivity boost for engineers.

