Logo
FrontierNews.ai

OpenAI's Secret AI Hacker Is Making Its Models 4 Times Harder to Break

OpenAI has developed an internal artificial intelligence model called GPT-Red that acts as a dedicated attacker against its own systems, and the company credits it with dramatically improving security by cutting successful attack rates from more than 90% on GPT-5 to fewer than 23% on GPT-5.6, released last week. The system automates red-teaming, the practice of trying to break a model before shipping it to users, and has been in development for more than a year.

How Does OpenAI's AI Attacker Work?

GPT-Red was trained through a self-play loop, a technique where the model learns by competing against itself. Researchers took a base large language model (LLM), which is a type of artificial intelligence trained on vast amounts of text to understand and generate language, and pitted it against several defender models inside a simulated environment. These simulations mimicked real deployment scenarios where AI models interact with the internet, email, calendars, and code editing tools.

Over successive rounds of this competition, the attacker model got better at finding exploits and the defenders got better at resisting them. This iterative process created a system far more effective than traditional human testing. When researchers ran GPT-Red against the same tasks that human red-teamers had completed on an earlier version of GPT-5 in 2025, the AI attacker found more effective attacks than the humans did.

What Specific Threats Does GPT-Red Target?

The core threat GPT-Red focuses on is prompt injection, a technique in which hidden instructions embedded in text, code, or a webpage trick an AI model into leaking data, sabotaging a codebase, or producing harmful output. As AI models increasingly operate as autonomous agents that interact with third-party code, files, and other AI systems, the attack surface expands far beyond what human testers can manually cover.

GPT-Red has already discovered attack classes that OpenAI's researchers had not previously catalogued. One technique, which researchers call a fake chain of thought, inserts fabricated entries into a target model's internal reasoning trace, causing it to act on spoofed information as if it had already verified the result itself. Research scientist Chris Choquette-Choo compared this to convincing someone that 1+1=3 by telling them they had already checked the math.

The system was tested against OpenAI's own prior benchmarks and outside systems. It successfully hacked Vendy, a vending-machine agent built by Andon Labs, getting it to change item prices and cancel a customer's order.

What Are the Key Improvements in GPT-5.6?

The headline defensive result is the dramatic gap between GPT-5, released in August 2025, and GPT-5.6. Attacks that succeeded against the older model more than 90% of the time now succeed less than 23% of the time, roughly a fourfold reduction in exploit efficacy. This improvement came from training GPT-5.6 with GPT-Red as an adversary in the loop, meaning the new model learned to defend itself by being repeatedly attacked during development.

  • Attack Success Rate Reduction: Successful exploits dropped from over 90% on GPT-5 to under 23% on GPT-5.6, representing a significant security improvement.
  • Novel Attack Discovery: GPT-Red identified previously unknown attack techniques, including the fake chain of thought method that spoofs a model's reasoning process.
  • Outperformance of Human Testers: When given the same red-teaming task as human security researchers, GPT-Red found more effective attacks than the human team.

What Are GPT-Red's Limitations?

GPT-Red is not without limitations. It struggles with multi-turn attacks that require back-and-forth conversation between attacker and target, a scenario human hackers navigate easily. It is also weak at image-based prompt injection, where malicious text is embedded in an image passed to a multimodal model, meaning a system that processes both text and images.

OpenAI positions GPT-Red as a supplement to human red-teamers rather than a replacement. One workflow the company is exploring is feeding GPT-Red human-discovered attacks and asking it to generate every possible variant, combining the strengths of both human creativity and machine-scale testing.

"The risk surface grows and the blast radius also grows," said Nikhil Kandpal, a research scientist at OpenAI.

Nikhil Kandpal, Research Scientist at OpenAI

Why Is OpenAI Keeping GPT-Red Secret?

OpenAI will not release GPT-Red to the public. The company argues that replicating it is not straightforward. The training required more than a year of development and the computing power budget of a frontier AI lab, making it difficult for outside groups to recreate. By keeping the attacker proprietary, OpenAI limits its usefulness to potential adversaries who might otherwise use it to find vulnerabilities in other systems.

Jessica Ji, a senior research analyst at Georgetown University's Center for Security and Emerging Technology, called the self-play approach promising but flagged that human expertise remains critical, particularly in identifying where automated testing falls short.

The strategic logic is straightforward. Frontier AI labs are being asked to ship agentic products, meaning models that can read email, execute code, and negotiate with other AI systems, while the security research community is still catching up to what these systems can be manipulated into doing. Automating the adversary is one of the few ways to close that gap at the pace models are being deployed. OpenAI's numbers on GPT-5.6 give the approach real evidence to point to. The remaining question is whether other labs, particularly those without OpenAI's computing resources, can build comparable internal attackers. For models that do not train against something like GPT-Red, the 90% attack success rate is closer to the current baseline than the 23% figure.