OpenAI’s GPT-Red Automates Prompt Injection Testing to Harden GPT-5.6 Sol

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- OpenAI disclosed GPT-Red, an internal automated red-teaming model that iteratively probes GPT models to uncover prompt injection vulnerabilities before deployment
- GPT-5.6 Sol achieves 6x fewer failures against direct prompt injection benchmarks versus GPT-5.5, failing on only 0.05% of GPT-Red's direct injections
- GPT-Red uses self-play reinforcement learning where the attacker model is rewarded for successful injections while defender models are rewarded for resisting while still completing their original tasks
- Andon Labs' AI vending machine was targeted by GPT-Red in a real-world test, where the red-teamer lowered an item's price to the $0.50 minimum, ordered a $100 item for that same amount, and canceled another customer's order
- Codex CLI agent (based on GPT-5.4 mini) was attacked across 10 held-out data-exfiltration tasks, with GPT-Red causing more sensitive data leakage than a prompted GPT-5.5 baseline
- Fake Chain-of-Thought attacks, a novel attack class discovered by an early GPT-Red version, achieved >95% success against GPT-5.1 but now sit below 10% on GPT-5.6 Sol
- OpenAI said an audit of SWE-Bench Pro found roughly 30% of tasks are broken (27.4% flagged by its data pipeline, 34.1% by human annotation), retracting its prior recommendation to adopt the coding benchmark
Why it matters: As agentic AI systems gain more access to browsers, files, and third-party tools, the prompt injection attack surface keeps widening. OpenAI claims GPT-5.6 Sol achieves 6x fewer failures than GPT-5.5 through self-play training, and isolating GPT-Red from production models signals a new offense-defense split competitors will likely need to replicate.


