OpenAI Builds GPT-Red (An Internal AI Hacker) to Attack Its Own Systems
OpenAI built an internal software tool called GPT-Red to systematically launch cyberattacks against its own artificial intelligence models. The software discovers security flaws and structural weaknesses like a Team Red before the company deploys those models to public users.

The automated hacker focuses on prompt injections, an exploit in which malicious instructions hide within standard web pages, emails, or data files. When a target AI agent reads these infected documents, the hidden commands override the original programming and force the system to follow the attacker's goals.
OpenAI engineers trained the security tool using self-play reinforcement learning. GPT-Red acts as the adversary against a group of defender models inside a simulated digital workspace.
The red-teaming model, or I would say the offensive model, receives programmatic rewards when it successfully breaches a defense, and the defending models receive points for blocking the attack and completing their assigned tasks.
During a standard evaluation, the system outperformed human security professionals by a wide margin. OpenAI replicated a 2025 cybersecurity experiment to measure performance against a previous version of its GPT-5 model. GPT-Red broke through the system defenses in 84% of scenarios, while human security team members achieved only a 13% success rate on the same tests.
The automated testing loop exposed an entirely new style of attack that engineers had not previously documented. The system inserts spoofed reasoning steps directly into the private working memory of a target AI, tricking the target into believing it already verified the false data.
OpenAI researcher Chris Choquette-Choo detailed the fake reasoning method to MIT Technology Review.
"It's like if I told you that 1+1=3 and that you have verified this already."
"The model's like, 'Oh, okay, of course,' and it just spits out 3."
OpenAI also tested the tool on physical systems inside its corporate headquarters. Engineers pointed GPT-Red at a connected vending machine agent named Vendy, which was built by the evaluation firm Andon Labs. The AI hacker manipulated the machine's software, slashed purchase prices to a 50-cent minimum, added a premium item at that low price point, and canceled an active order from another customer.
OpenAI research scientist and co-creator Dylan Hunn discussed the system's focus during testing.
"Compared to a human red-teamer, the model is very, very good at finding exactly what will work."
Co-creator Nikhil Kandpal described the expanding security issues that come with highly autonomous AI systems.
"The risk surface grows and the blast radius also grows,"
OpenAI used the vulnerabilities discovered by GPT-Red to train its newest public model, GPT-5.6 Sol. The company reported that the continuous adversarial training cut prompt injection failures sixfold compared to its previous best model from four months ago. Attacks that successfully broke through older GPT-5 models 90 percent of the time now succeed less than 23 percent of the time against GPT-5.6 Sol.
The developer intends to keep GPT-Red strictly internal and will not release the model to customers or the open-source community. Executives stated that keeping the offensive tool locked away prevents real-world malicious actors from studying or deploying its automated hacking strategies.
The system still exhibits specific operational limitations. It struggles to execute complex attacks that require a long, back-and-forth conversation, and it fails to identify malicious prompts hidden inside graphic images.
Jessica Ji, a senior research analyst at Georgetown University’s Center for Security and Emerging Technology, commented on the development.
"The results look very promising,"
Ji added that human security expertise remains critical because human testers continue to catch vulnerabilities that the automated system misses.