3 min Security

OpenAI uses AI to attack its own models

OpenAI uses AI to attack its own models

OpenAI has developed an internal AI model specifically trained to detect vulnerabilities in other AI models. The model, GPT-Red, is used to automatically carry out attacks such as prompt injections, so that these vulnerabilities can be addressed during the development of new models. According to OpenAI, this approach has significantly increased the resilience of GPT-5.6 Sol.

Prompt injections are considered one of the most significant security risks for AI systems that process external data. This involves hidden instructions embedded in, for example, emails, web pages, documents, or source code. When an AI agent follows such instructions, it can lead to undesirable actions, such as sending sensitive information or executing unauthorized commands.

OpenAI argues that traditional red-teaming by human security researchers is not scalable enough to keep pace with the development of increasingly powerful models. GPT-Red is designed to automate that process. The model deliberately attempts to deceive AI systems and, in doing so, continuously learns to develop new attack techniques. At the same time, the targeted models are trained to better recognize and resist such attacks. This form of training takes place through what is known as “self-play,” in which the attacker and defender continuously improve each other.

According to OpenAI, GPT-Red outperformed human red-teamers in an internal evaluation of indirect prompt injections. The model successfully carried out an attack in 84 percent of the tested scenarios, compared to 13 percent for human testers. In addition, GPT-Red was pitted against an autonomous AI agent managing an office vending machine and against a programming agent. In both cases, the model exposed vulnerabilities that, according to OpenAI, have since been addressed.

GPT-Red is designed to make AI models more robust

OpenAI has been using precursors to GPT-Red since GPT-5.3 during the training of its production models. According to the company, GPT-5.6 Sol is therefore six times more resistant to direct prompt-injection attacks than the best production model from four months earlier. A previously effective attack technique, in which a model is tricked with so-called fake chain-of-thought instructions, is now said to succeed in fewer than 10 percent of cases. OpenAI also states that it has not observed any deterioration in overall model performance or an increase in unjustified rejections of legitimate requests.

GPT-Red remains an internal tool and will not be released. OpenAI wants to prevent the attack techniques used to train the model from becoming publicly available. The knowledge GPT-Red gains during its attacks is used exclusively to better secure future models. According to SiliconANGLE , OpenAI does acknowledge that GPT-Red still has limitations. For example, the model is less effective against attacks that span multiple conversations. It also currently offers limited support for prompt injections via images. For this reason, human red-teaming remains part of the security process.