For years, human experts have been the ones trying to break AI systems and expose their weak spots. OpenAI has now handed that job to another AI. The company has unveiled GPT-Red, an automated system built to find security vulnerabilities inside its own language models. In plain terms, it is an AI whose entire purpose is to attack other AI.
The name comes from a long-standing cybersecurity practice called red teaming, where you deliberately try to break a system in order to find its weaknesses before real attackers can exploit them.
Hardening GPT-5.6 before launch
In a post on Wednesday, OpenAI said the tool helped make GPT-5.6 more resistant to prompt injection attacks before it was deployed. Writing on X, the company argued that as model capabilities grow, safety and alignment have to scale alongside them. Red-teaming is essential, it said, but today's approaches are hard to scale, and that creates a critical bottleneck. GPT-Red, it added, is one way it is addressing that problem.
A system that learns by fighting itself
According to OpenAI, GPT-Red was trained through self-play reinforcement learning. In this setup, the system generates progressively stronger prompt injection attacks, while defender models learn to resist them. Those attacks were then folded into GPT-5.6's own training process. The results were striking: in internal evaluations, GPT-Red succeeded in 84% of scenarios, compared with just 13% for human red teamers running the same tests.
The company explained that GPT-Red learns through adversarial self-play, with the goal of prompt injecting a range of challenging defender models. Every successful attack it uncovers is used to strengthen those defenders, which in turn pushes GPT-Red to keep finding broader and more complex failures.
The vending machine that got tricked
To illustrate the point, OpenAI shared a case study. In it, the system manipulated an autonomous vending machine agent into lowering prices, ordering discounted inventory, and even canceling another customer's order. The vulnerabilities were later disclosed and fixed.
Years of work after ChatGPT
GPT-Red is the product of years of cybersecurity effort that followed the public launch of ChatGPT. In 2023, OpenAI set up its OpenAI Red Teaming Network, bringing in outside cybersecurity researchers and domain experts to probe ChatGPT and other models for flaws before release. GPT-Red takes that idea further by automating much of the process, generating prompt injection attacks and other adversarial tests at a scale that would be difficult for human researchers working alone.
The announcement reflects a broader shift toward using AI to secure AI. Earlier this month, the Ethereum Foundation said it had deployed AI agents to red-team critical network infrastructure, uncovering a vulnerability in software used by Ethereum consensus clients. Researchers noted that AI agents can search far larger codebases than humans, but the real challenge has moved from finding potential bugs to proving which ones are actually exploitable.
Why it will stay behind closed doors
OpenAI says GPT-Red will remain an internal tool, because it contains intentionally developed offensive capabilities. The company believes that with GPT-Red it has begun to unlock a similar flywheel for safety, where today's models can be used to make tomorrow's models more robust, aligned, and trustworthy.











