OpenAI’s GPT-Red Uses Self-Play to Find Prompt Injections Before Deployment

OpenAI has disclosed GPT-Red, an internal model trained to attack other language models so that their failures can become training data before release. The system concentrates on prompt injection: instructions hidden in material an agent reads, such as webpages, email, calendars, files, or source code. Rather than rely only on a fixed collection of human-written attacks, OpenAI placed an attacker and defenders in a self-play loop where each side adapted to the other.

The company says attacks selected from GPT-Red’s strongest discoveries succeeded against GPT-5 in more than 90% of tests but against GPT-5.6 in fewer than 23%. That is meaningful evidence that automated adversarial training can improve model-level resistance. It is not evidence that prompt injection is solved: the evaluation is vendor-run, the attack system is not being released, and OpenAI acknowledges weaker coverage of multi-turn and image-based attacks.

Self-play turns red-teaming into an adaptive search problem

GPT-Red began as a general model without specialist attacker training. OpenAI then put it into repeated contests with target models in a simulated environment covering web browsing, email and calendar use, and code editing. The attacker was rewarded for finding injections that changed the target’s behavior; the defenders learned from successful attacks. Once GPT-Red identified a promising technique, it generated variants and optimized them for particular scenarios.

This changes the economics of model testing. A conventional benchmark asks whether a model resists a known corpus. An adaptive attacker asks what still works after the target has learned that corpus. That distinction matters because static test sets can become release checklists rather than realistic adversaries. A self-play loop can keep searching around a patch, exposing whether the defense removed the underlying behavior or merely suppressed familiar wording.

In a rerun of a 2025 exercise against an earlier GPT-5 version, OpenAI reports that GPT-Red found effective attacks more successfully than the participating human red-teamers. It also attacked Vendy, Andon Labs’ vending-machine agent, and induced it to alter item prices and cancel an order. Those demonstrations connect model manipulation to application state: the security impact comes from the authority surrounding the model, not from adversarial text alone.

A fake chain of thought became a new injection primitive

OpenAI says GPT-Red independently discovered a technique its researchers call fake chain of thought. The injection presents spoofed reasoning or a fabricated prior conclusion as though the target model had already derived and verified it. Instead of issuing only a direct hostile command, the attacker corrupts the apparent state from which the model continues reasoning.

The technique is a practical instance of the role-confusion problem examined in recent prompt-injection research: models process trusted instructions, retrieved data, tool output, and their own intermediate state within one linguistic channel. The site’s analysis of chain-of-thought forgery and role confusion reached the same defensive conclusion from a different direction. If provenance is represented only as text inside the context, adversarial content can imitate it.

For agent builders, this broadens what must be treated as untrusted. Sanitizing imperative phrases is insufficient when an attack can masquerade as a completed check, a tool result, a memory, or a prior reasoning step. Trust labels need to survive retrieval and orchestration as enforced metadata, and consequential actions need validation against policy and current system state outside the generated narrative.

The reported gain does not transfer automatically to deployed agents

The headline comparison measures selected attacks against models, not every deployment assembled around those models. Agent risk also depends on which tools are exposed, what permissions they hold, whether external content enters the context, how tool results are delimited, and whether a second component verifies actions. A more injection-resistant model connected to unrestricted shell, browser, payment, or cloud credentials can still have a larger blast radius than a weaker model operating behind narrow capabilities.

Coverage gaps remain important. OpenAI told MIT Technology Review that GPT-Red is less effective at attacks requiring back-and-forth conversation and is not yet strong at image-mediated injection. Human specialists still find attacks the automated system misses, and OpenAI uses human discoveries as seeds for GPT-Red to expand. The company is keeping the attacker model private, which limits independent reproduction and means outsiders cannot test whether its search overfits OpenAI’s own products, harnesses, or reward design.

The reported reduction should therefore be read as a defense-in-depth improvement and a useful development workflow, not a replacement for application red-teaming. It also creates a familiar evaluation hazard: once defender training consumes the strongest generated attacks, success on those families can rise faster than robustness to genuinely different attack paths.

Defensive engineering guidance

  • Use an adaptive attacker, not only a frozen suite. Keep regression cases for reproducibility, but add a model or human team that can mutate attacks after each mitigation and search for alternate channels.
  • Model the complete agent. Test realistic webpages, messages, documents, images, memories, tool responses, and multi-turn sessions with the same permissions and orchestration used in production.
  • Measure security outcomes. Record whether the agent disclosed data, changed state, invoked a privileged tool, or crossed an authorization boundary—not merely whether it repeated an injected phrase.
  • Keep authority outside the model. Apply allowlists, destination binding, transaction limits, least-privilege credentials, sandboxing, and independent approval to consequential operations. Model robustness should reduce attempts that reach those controls, not replace them.
  • Preserve provenance structurally. Mark system policy, user intent, retrieved content, memory, tool output, and generated scratch state separately through the orchestration layer. Do not trust text that claims it was previously verified.
  • Retest after every change. Model versions, system prompts, connectors, context filters, and tool schemas all alter the attack surface. Track both attack success and false refusals so hardening does not silently disable legitimate workflows.
  • Retain human red-team coverage. Assign people to multimodal, conversational, business-logic, and cross-component attacks where the automated attacker remains weak, then feed their discoveries back into scalable variant generation.

GPT-Red is significant because it treats prompt-injection defense as a continuing contest rather than a one-time benchmark. Self-play can expose novel attack families and supply adversarial training at a scale human teams cannot match. The durable engineering lesson, however, is unchanged: assume some hostile instruction will eventually survive the model, then make sure the surrounding system can refuse the authority that instruction requests.

Sources: