Meet GPT-Red: an LLM super-hacker OpenAI built to make its models safer

Disclosure: Some links in this article are affiliate links. AI Maestro may earn a commission if you make a purchase, at no…

By Vane July 15, 2026 3 min read
Meet GPT-Red: an LLM super-hacker OpenAI built to make its models safer

OpenAI has released GPT-5.6, a version of its flagship large language model that the company claims is its most secure yet. This improvement comes from training the model against GPT-Red, a new artificial intelligence tool designed to act as a digital sparring partner. OpenAI built GPT-Red to automate safety testing, a process known as red-teaming, which usually involves human testers trying to break software systems.

The goal is to identify ways to hijack or bypass a system before it goes live. As models become more complex and are used to interact with files, websites, and other agents, the number of potential attack vectors increases. Nikhil Kandpal, a research scientist at OpenAI who co-created GPT-Red, notes that the risk surface and the blast radius are expanding. Dylan Hunn, another co-creator, states that the system is designed to find new attack modes as more capable models emerge. The researchers report that GPT-Red has already discovered attack types previously unseen.

Prompt injection focus

The primary target for GPT-Red is prompt injection. This occurs when a hacker slips instructions into the text a model encounters, forcing it to perform unwanted actions like leaking confidential data or generating harmful output. These instructions can be hidden in code or on websites.

Training dojo

To build the tool, OpenAI researchers took a standard large language model and placed it in a self-play loop with several other models. One side attempted to attack, while the other tried to defend. Over many rounds, the attacker model improved its ability to breach systems, while the defenders learned to block them.

The training environment mimics real-world deployment scenarios, including web browsing, reading emails, and editing code. When GPT-Red identifies a new attack, it explores multiple variations to find the most efficient version for specific situations. Hunn describes the model as extremely persistent in drilling down into discovered attacks.

In particular, GPT-Red found a new type of prompt injection called a fake chain of thought. A chain of thought is an internal diary where a model tracks its partial results. GPT-Red learned to insert a fake entry that tricks the model into acting on false information.

“It’s like if I told you that 1+1=3 and that you have verified this already,” says Chris Choquette-Choo, a research scientist on the team. “The model’s like, ‘Oh, okay, of course,’ and it just spits out 3.”

Jessica Ji, a senior research analyst at Georgetown University’s Center for Security and Emerging Technology, considers the self-play loop a promising approach. OpenAI tested GPT-Red’s effectiveness by rerunning a 2025 experiment where human testers tried to find weaknesses in an earlier version of GPT-5. The AI was more successful than the human team.

The tool also faced Vendy, a vending machine agent developed by Andon Labs. GPT-Red successfully hacked Vendy to alter sale prices and cancel customer orders.

Defensive behavior

When OpenAI tested its models against the strongest attacks generated by GPT-Red, more than 90% worked against GPT-5. Fewer than 23% succeeded against the new GPT-5.6.

The tool is not without limits. It struggles with attacks requiring a back-and-forth conversation between a hacker and a target, an area where human attackers excel. It also has difficulty using images to pass text in prompt injection attacks.

OpenAI states that GPT-Red supplements human red-teamers. Humans can still find attacks the model misses, and the model can find variations of attacks humans identified. Ji notes that human expertise remains vital for distinguishing where human testing is most needed.

OpenAI will not release GPT-Red publicly. The company believes the tool is too strong for copycats to replicate easily. The researchers spent over a year developing the model, supported by the computing resources of one of the world’s wealthiest companies. Choquette-Choo argues that training a super-attacker using this idea is not a trivial task.

What it means

For developers and security teams, this shift means automated testing can now outperform human testers in finding technical flaws. However, human oversight remains necessary for complex social engineering and conversational attacks. The integration of AI into safety testing accelerates the patching cycle, but it does not eliminate the need for human judgment.

Scroll to Top