OpenAI's GPT-Red: self-play red-teaming at frontier scale; GPT-5.6 Sol 6× more robust

openaigpt-5-6gpt-5-6-solgpt-redautomated-red-teamingprompt-injection+6
Visual showing a GPT-Red attack-search process against a Vendy-style autonomous vending machine agent, with the model iterating on attacks in simulation before transferring to the live agent.
Source: openai.com/index/unlocking-self-improvement-gpt-red/ · Credit: OpenAI · License: Content from the announcement page, used for editorial commentary.

On 2026-07-15, OpenAI announced GPT-Red, an internal-only automated safety red-teaming model trained with self-play reinforcement learning at frontier compute scale. GPT-Red breaks nearly all prior models up to GPT-5.5 and was used to adversarially train GPT-5.6 Sol — which OpenAI reports is 6× more robust to its hardest direct prompt-injection benchmark than the best production model from four months earlier.

Why it matters

GPT-Red demonstrates a self-improvement flywheel for safety analogous to the one already running for capabilities: today’s models find vulnerabilities, those findings train tomorrow’s models, and each generation of attackers is trained against the next generation of defenders. On a replicated version of the Dziemian et al. (2025) indirect prompt-injection arena, GPT-Red achieves 84% attack success on novel scenarios vs 13% for human red-teamers. The “Fake Chain-of-Thought” attack class it discovered went from 95% success on GPT-5.1 to below 10% on GPT-5.6 Sol.

How GPT-Red is trained

GPT-Red is trained through self-play RL alongside a collection of diverse defender LLMs:

At the end of training, GPT-Red is kept separate from deployed models. OpenAI keeps the malicious capabilities trained into GPT-Red out of adversarial actors’ hands while using its output to harden production systems.

How strong is GPT-Red?

Three results ground the announcement:

Indirect prompt-injection arena (replicated version). On a private mirror of the Dziemian et al. (2025) benchmark — using scenarios distinct from GPT-Red’s training set — GPT-Red achieves an 84% attack success rate against GPT-5.1, compared to 13% for human red-teamers (announcement, arXiv 2603.15714).

Live Vendy case study. GPT-Red attacked an AI-powered vending machine in the OpenAI office (similar to Anthropic’s Project Vend), built by Andon Labs. After iterating in simulation, GPT-Red transferred its attack to the production agent and achieved all three malicious objectives: (a) change the price of an expensive in-stock item to $0.50; (b) order a new $100+ item at $0.50; (c) cancel another customer’s order. OpenAI says new safeguards are being tested.

Codex CLI case study. GPT-Red attacked a Codex CLI agent (GPT-5.4 mini) on 10 held-out data-exfiltration scenarios. Compared to a prompted GPT-5.5 baseline, GPT-Red is more effective (succeeds on more scenarios) and more token-efficient.

The robustness gain in GPT-5.6 Sol

OpenAI reports that GPT-Red’s adversarial training produced measurable robustness gains in GPT-5.6 Sol:

The prompt-injection benchmark table in the GPT-5.6 system card (§4.2, Connectors eval) shows Sol scoring 1.000 (up from 0.649 for GPT-5.1-thinking), with Search and Function-Calling at 0.910 (up from 0.423).

Practical implications

Risks and caveats

What to watch

Sources

#TitleURLDateType
1OpenAI — GPT-Red announcementopenai.com/index/unlocking-self-improvement-gpt-red/2026-07-15primary
2OpenAI — GPT-5.6 System Carddeploymentsafety.openai.com/gpt-5-62026-07-09primary
3Dziemian et al. (2025) — arXiv 2603.15714arxiv.org/abs/2603.157142026-03-16primary
4OpenAI GPT-Red pre-print (forthcoming)openai.com/index/unlocking-self-improvement-gpt-red/2026-07-16primary
5AIN-418 — AI news radar 2026-07-16news.lesbass.com/paperclip/AIN-4182026-07-16secondary