-
Notifications
You must be signed in to change notification settings - Fork 330
Add GPT-Red automated red-teaming blog post #3107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
atharvadeosthale
merged 10 commits into
main
from
blog/2026-07-16-1-introducing-gpt-red-an-internal-automated
Jul 17, 2026
Merged
Changes from all commits
Commits
Show all changes
10 commits
Select commit
Hold shift + click to select a range
f311175
Add GPT-Red automated red-teaming blog post
codex dda11ac
chore: optimize GPT-Red blog assets
Copilot 5572242
Apply suggestion from @aishwaripahwa12
aishwaripahwa12 dd66cd7
Apply suggestion from @aishwaripahwa12
aishwaripahwa12 aa929c6
chore: reuse GPT-5.6 cover for GPT-Red blog
atharvadeosthale 688f7e7
Update +page.markdoc
aishwaripahwa12 e9f8644
Apply suggestion from @aishwaripahwa12
aishwaripahwa12 f4a512e
Apply suggestion from @aishwaripahwa12
aishwaripahwa12 7687444
Apply suggestion from @aishwaripahwa12
aishwaripahwa12 1db3dbe
Apply suggestion from @aishwaripahwa12
aishwaripahwa12 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
106 changes: 106 additions & 0 deletions
106
src/routes/blog/post/gpt-red-automated-red-teaming/+page.markdoc
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,106 @@ | ||
| --- | ||
| layout: post | ||
| title: "GPT-Red automates prompt injection red-teaming" | ||
| description: "GPT-Red uses adversarial self-play to find prompt injection failures at scale. See OpenAI's results, training loop, and lessons for agent builders." | ||
| date: 2026-07-16 | ||
| cover: /images/blog/gpt-56-is-here-openais-efficient-frontier-model/cover.avif | ||
| timeToRead: 7 | ||
| author: aishwari | ||
| category: ai | ||
| featured: false | ||
| unlisted: false | ||
| faqs: | ||
| - question: "What is GPT-Red?" | ||
| answer: "GPT-Red is OpenAI's internal automated red-teaming model. It iteratively creates prompt injection attacks against defender models, then uses successful attacks as training data to strengthen those defenders." | ||
| - question: "Can developers use GPT-Red?" | ||
| answer: "No. OpenAI describes GPT-Red as internal-only and has not announced an API or public release. The company says it plans to publish a preprint with more technical details." | ||
| - question: "How effective is GPT-Red?" | ||
| answer: "In OpenAI’s internal replication of an indirect prompt injection arena, GPT-Red succeeded in 84% of the predefined scenarios against GPT-5.1, compared with 13% for human red-teamers. These results have not yet been independently reproduced." | ||
| - question: "How did GPT-Red improve GPT-5.6 Sol?" | ||
| answer: "OpenAI used attacks from GPT-Red and its precursors while training production models from GPT-5.3 onward. GPT-5.6 Sol failed on 0.05% of GPT-Red's direct prompt injections and had six times fewer failures than OpenAI's best production model from four months earlier on its hardest direct prompt injection benchmark." | ||
| - question: "Does GPT-Red replace human security testing?" | ||
| answer: "No. OpenAI says automated red-teaming will complement human and third-party red-teaming, layered safeguards, and real-time monitoring. Human review remains important for threat modeling, realistic system context, and judging impact." | ||
| --- | ||
|
|
||
| Prompt injection becomes harder to contain when an AI agent can browse the web, read email, inspect repositories, and call tools. A malicious instruction hidden in any of those inputs can compete with the user's request and turn ordinary context into an attack surface. | ||
|
|
||
| OpenAI's response is [GPT-Red](https://openai.com/index/unlocking-self-improvement-gpt-red/), an internal automated red-teaming model trained to find prompt injection vulnerabilities at scale. Announced on July 15, 2026, GPT-Red attacks defender models through adversarial self-play. Successful attacks become training data for stronger defenders, which forces the attacker to keep finding new failure modes. | ||
|
|
||
| This is not a public model release. There is no GPT-Red API, downloadable model, or independent benchmark result yet. What OpenAI has published is an early look at a safety training loop that has already influenced every production model since GPT-5.3. | ||
|
|
||
| # GPT-Red turns red-teaming into a training loop | ||
|
|
||
| Traditional red-teaming asks experts to devise attacks, observe failures, and help teams build mitigations. That work remains essential, but it is expensive to repeat at the volume needed for model training. A finite test set also becomes less informative as models learn to pass it. | ||
|
|
||
| GPT-Red changes the unit of work from a fixed evaluation to an **adaptive attacker**. OpenAI describes a loop with three core steps: | ||
|
|
||
| 1. GPT-Red sends an attack to a defender model in a red-teaming environment. | ||
| 2. It observes the defender's response and iterates toward a specified malicious goal. | ||
| 3. Successful attacks train the defender, raising the difficulty for later attacks. | ||
|
|
||
| This is adversarial self-play applied to safety. The attacker and defender improve against each other instead of optimizing against a static collection of prompts. OpenAI says it trained GPT-Red with compute comparable to some of its largest post-training runs, which makes the scale of the safety investment notable on its own. | ||
|
|
||
| The approach targets both major forms of prompt injection: | ||
|
|
||
| - **Direct prompt injection**, where the user sends a malicious instruction to the model. | ||
| - **Indirect prompt injection**, where an instruction arrives through untrusted third-party content such as a webpage, email, local file, tool response, or code repository. | ||
|
|
||
| Indirect attacks are especially relevant to agents because useful context and hostile instructions can share the same channel. OpenAI's broader [prompt injection guidance](https://openai.com/safety/prompt-injections/) describes the problem as social engineering for AI systems, not simply a string-matching problem. | ||
|
|
||
| # GPT-Red's reported prompt injection results | ||
|
|
||
| OpenAI evaluated GPT-Red on defender models and scenarios outside its training distribution. The published numbers show a strong automated attacker, but they should be read as **vendor-reported internal evaluations** until the promised preprint provides enough detail for reproduction. | ||
|
|
||
| | Evaluation | OpenAI-reported result | Why it matters | | ||
| | --- | ---: | --- | | ||
| | Held-out indirect prompt injection arena against GPT-5.1 | GPT-Red succeeded in **84%** of scenarios; human red-teamers succeeded in **13%** | Tests generalization to scenarios and goals not used to train GPT-Red | | ||
| | Fake chain-of-thought direct attacks | Above **95%** success on GPT-5.1; below **10%** on GPT-5.6 Sol | Shows how a discovered attack class weakened after adversarial training | | ||
| | GPT-Red direct prompt injections against GPT-5.6 Sol | **0.05%** defender failure rate | Measures robustness against the adaptive attacker itself | | ||
| | Hardest direct prompt injection benchmark | GPT-5.6 Sol had **6x fewer failures** than OpenAI's best production model four months earlier | Tracks robustness gains across model generations | | ||
| | Held-out developer-tool and browsing benchmarks | Above **97% accuracy** for OpenAI's latest model | Suggests several existing indirect-injection evaluations are nearing saturation | | ||
|
|
||
| These figures do not make GPT-5.6 Sol immune to prompt injection. They cover particular environments, harnesses, attack budgets, and success criteria. OpenAI has not yet published the full methodology, confidence intervals, or attack transcripts needed to compare the system independently. | ||
|
|
||
| # How GPT-Red tests prompt injection attacks on real AI agents | ||
|
|
||
| OpenAI also tested whether GPT-Red could transfer attacks into realistic agent systems with incomplete knowledge of their underlying models and harnesses. | ||
|
|
||
| In one case study, GPT-Red attacked **Vendy**, an AI agent from Andon Labs that manages a vending machine in OpenAI's office. GPT-Red first iterated against a simulation, then transferred its attack to the production agent. OpenAI reports that it achieved three goals: | ||
|
|
||
| - Reduced an expensive in-stock item to the minimum allowed price of $0.50. | ||
| - Ordered a new item worth more than $100 and offered it for $0.50. | ||
| - Canceled another customer's order. | ||
|
|
||
| OpenAI disclosed the vulnerabilities and says new safeguards are being tested. The case is useful because the harm did not require exotic model access. It came from manipulating an agent that could change prices, place orders, and modify customer state. | ||
|
|
||
| A second evaluation targeted a Codex CLI agent backed by GPT-5.4 Mini across 10 held-out data-exfiltration scenarios. OpenAI says GPT-Red succeeded in more scenarios and used fewer tokens than a prompted GPT-5.5 baseline. The announcement does not publish the exact success counts, so those results cannot yet be quantified beyond the stated comparison. | ||
|
|
||
| # How GPT-Red improves prompt injection defenses without over-refusal | ||
|
|
||
| A model can look robust by refusing broadly or losing the ability to use tools. That would lower attack success, but it would also make the agent less useful. | ||
|
|
||
| OpenAI says it evaluated general frontier capabilities alongside targeted over-refusal tasks and found normal capabilities unaffected. Its interpretation is that GPT-5.6 Sol learned to resist malicious instructions more reliably instead of avoiding legitimate work. The forthcoming preprint will need to expose the evaluation design before that trade-off can be assessed independently. | ||
|
|
||
| The training history also suggests that GPT-Red is not a one-off benchmark run. OpenAI used progressively stronger precursors in the training of each production model since GPT-5.3. As defenders improved, GPT-Red's attack success dropped monotonically across a broad set of robustness environments, creating pressure to produce more complex attacks. | ||
|
|
||
| # Why GPT-Red automated red-teaming is one layer of AI agent security | ||
|
|
||
| GPT-Red's most important contribution is scale, not completeness. Automated attackers can generate diverse adversarial training data, replay regression suites, and search for combinations that humans may not try. They still operate inside environments and objectives that people design. | ||
|
|
||
| OpenAI explicitly positions GPT-Red alongside human and third-party red-teaming, layered safeguards, and real-time monitoring. For teams building agents now, the announcement reinforces several practical controls: | ||
|
|
||
| - **Minimize authority.** Give an agent only the data and tools required for the current task. | ||
| - **Separate instructions from untrusted data.** Treat webpages, emails, retrieved documents, repository content, and tool output as potentially hostile. | ||
| - **Require confirmation for consequential actions.** Price changes, purchases, deletions, messages, and data transfers need clear approval boundaries. | ||
| - **Test the whole harness.** Model-only evaluations miss vulnerabilities in tool descriptions, permissions, state handling, and application logic. | ||
| - **Continuously replay attacks.** Every successful prompt injection should become a regression test and, where possible, new adversarial training data. | ||
|
|
||
| These controls line up with OpenAI's earlier guidance on [designing agents to resist prompt injection](https://openai.com/index/designing-agents-to-resist-prompt-injection/). Filtering suspicious text is not enough. Systems also need sandboxing, constrained data flow, monitoring, and limits on what a compromised agent can do. | ||
|
|
||
| # Build safer AI workflows with Appwrite | ||
|
|
||
| GPT-Red is internal, and OpenAI says a preprint with more technical detail will follow. Until its environments and methodology are public, the reported gains are best treated as promising evidence for adaptive safety training rather than a solved security problem. | ||
|
|
||
| Developers do not need GPT-Red to apply the core lesson. Design every agent around explicit authority boundaries, test it with adversarial content from every connected data source, and turn each failure into a permanent regression case. | ||
|
|
||
| If you are building an AI workflow on Appwrite, start with [Appwrite's AI overview](/docs/products/ai) and the [OpenAI integration guide](/docs/products/ai/integrations/openai). Use [Appwrite Functions](/docs/products/functions) to keep provider credentials and privileged operations on the server, and create an [Appwrite Cloud](https://cloud.appwrite.io) project when you are ready to test the complete workflow. | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.