The news. On July 15, 2026, OpenAI published GPT-Red, an internal automated red-teaming model trained to hunt prompt-injection and tool-use vulnerabilities before deployment. OpenAI reports it found successful attacks on 84% of replicated indirect-injection scenarios versus 13% for human red-teamers, and that folding its discoveries into training helped make GPT-5.6 Sol its most injection-robust model so far — 6× fewer failures on its hardest direct-injection benchmark than the best production model from four months earlier. The post includes live-agent case studies against a vending-machine agent and a Codex CLI data-exfiltration suite. Read the announcement →

Picture a vaccine lab. The useful thing in the building isn't the syringe — it's the freezer full of nasty strains, because you can only immunize against a disease you have a live sample of. A lab that waits for new strains to show up in the wild is always a season behind; a lab that breeds them on purpose, deliberately raising each one against the current immune system, gets to meet next year's outbreak this morning. That is uncomfortable work, and it is also the only reason the syringe has anything in it. A defense only improves as fast as someone invents new attacks against it — so OpenAI automated the inventing.

Drop the metaphor and the mechanism is precise. GPT-Red is trained with self-play reinforcement learning: an attacker model is rewarded for eliciting failures that actually land, while defender models are rewarded for resisting the attack and still completing the user's task. That second half of the defender's reward is doing real work — a model that refuses everything is perfectly injection-proof and perfectly useless, so the reward has to price both. Each environment pins down a threat model: the attacker controls part of a local file, a webpage banner, an email body, or a tool's output — one specific door into the agent's context, not a vague "assume bad input."

The part that makes this a flywheel rather than a fancy test suite is what happens to the attacker's findings. GPT-Red never ships: OpenAI keeps it separate from the deployed models, and only its output travels — the injections it discovers become adversarial training data for GPT-5.6. The live strain stays in the lab; the inactivated one goes in the syringe. This is a different move from bolting an input filter in front of the model, which tries to catch the attack at the door; here the attack is folded into the model's own training so the door matters less. Both are worth having — that is the whole argument for defense-in-depth — but only one of them gets stronger every time the attacker gets smarter.

Here is what OpenAI reports the loop produced. Note that the first row measures the attacker's reach and the rest measure the defender's hardening — the flywheel is that the first row is what makes the others possible:

What was measuredBeforeAfter
Replicated indirect-injection scenarios cracked13%, by human red-teamers84%, by GPT-Red (OpenAI)
Hardest direct prompt-injection benchmarkbest production model, four months earlier6× fewer failures for GPT-5.6 Sol (OpenAI)
Fake Chain-of-Thought attacksupwards of 95% success on GPT-5.1below 10% on GPT-5.6 Sol (OpenAI)
GPT-Red's own direct injectionsGPT-5.6 Sol fails on 0.05% (OpenAI)

Hold the set fixed and the gap gets concrete. Take 100 scenarios from that replicated indirect-injection set. Human red-teamers land an attack on 13 of them; GPT-Red lands on 84. The interesting number is neither of those — it's the gap of 71 percentage points of coverage between them (a derived figure: arithmetic on the two reported rates. OpenAI doesn't report how far the two sets overlap, so this is the spread between them, not a roster of scenarios only the machine found). That gap isn't a scoreboard; it's raw material, because an attack nobody found is an attack nobody trained against. Now follow the same loop out the other side: fake Chain-of-Thought attacks landed on over 95 of every 100 attempts against GPT-5.1, and on fewer than 10 of every 100 against GPT-5.6 Sol — the same trick, from working at least 19 times in 20 to failing more than 9 times in 10 (derived from the reported rates). And against GPT-Red's own direct injections, GPT-5.6 Sol fails on 0.05% — about 1 in 2,000 (derived), which is the number you'd expect from a model trained on the attacker's greatest hits.

Read the four numbers in order and they tell one story, though it's worth being careful about what they don't say. A model measured against the attacker it trained on is graded by a friendly examiner, and OpenAI's post is a report on its own system, not an independent audit. The two headline defense numbers — 0.05% and 6× fewer failures — are both direct-injection results, while the case that actually haunts agents is the indirect one, where the payload waits inside a page nobody screened. And the lethal trifecta is structural: private data, untrusted content, and an exfiltration path in the same agent is dangerous no matter how well the model resists, which is why capability scoping doesn't become optional just because the model got harder to hijack. What the loop changes is the tempo. The bottleneck on agent security was never the defense; it was the supply of attacks to defend against — and that supply just stopped being limited by how many humans you can hire to be creative.

Goes deeper in: AI Agents → Security & the Lethal Trifecta → The Lethal Trifecta

Related explainers

Frequently Asked Questions

Check what you knowMap your AI & GPU knowledge across every track — free, role-based