OpenAI GPT-Red Achieves 84% Attack Success Rate in Red Teaming Against GPT-5.6, Human Red Teams Only 13%

OpenAI GPT-Red Achieves 84% Attack Success Rate in Red Teaming Against GPT-5.6, Human Red Teams Only 13%
OpenAI disclosed that its internally trained GPT-Red model achieved an 84% attack success rate in indirect prompt injection scenarios, while human red teams only reached 13%. This result was directly used in the training of GPT-5.6, reducing failures by 6 times compared to the best model from four months earlier.

On July 16, 2026, OpenAI disclosed that its internally trained GPT-Red model achieved an 84% attack success rate in indirect prompt injection scenarios, while human red teams only reached 13% in the same tests. This result was directly used in the training of GPT-5.6, reducing failures on the direct prompt injection benchmark by 6 times compared to the best model from four months earlier, with a failure rate of only 0.05% against direct injection from GPT-Red.

Training Mechanism and Attack Discovery

GPT-Red operates through adversarial self-play reinforcement learning: the attack model continuously generates prompt injection attempts, while the defense model simultaneously learns to defend while maintaining normal task performance. OpenAI invested over 700,000 GPU hours for this. The training environment simulates real-world scenarios such as web browsing, email processing, calendar management, and code editing. GPT-Red discovered a previously unknown "fake chain-of-thought" attack that can insert false information into the target model's internal reasoning records, causing the model to misjudge verified results and execute malicious actions.

Tests show that GPT-Red achieves an attack success rate of over 90% against GPT-5 released in 2025, but drops to less than 23% against GPT-5.6. It can also successfully induce Andon Labs' Vendy agent to modify product prices and cancel user orders. However, GPT-Red performs poorly on complex attacks requiring multi-turn interactions and image injection scenarios.

Impacts on Industry Stakeholders

For developers, GPT-Red's automated variant generation can expand test coverage, but it cannot replace human-designed new attack ideas. Enterprise users can get stronger prompt injection protection through GPT-5.6, but OpenAI has clearly stated that GPT-Red is for internal use only and will not release weights or code, making it difficult for other organizations to replicate.

In terms of competitive landscape, this move shifts security testing from static rules to dynamic adversarial testing. Other model providers need to assess whether to invest in automated red team systems of comparable scale. In the supply chain, GPU resource allocation will further tilt toward security training.

Strategic Outlook

Based on the current training scale and results, the most likely development is that OpenAI will continue to expand the self-play loop to cover more attack types, with the verification signal being whether failure rates under GPT-Red tests continue to decline in subsequent model versions.