On July 15, 2026, OpenAI announced its automated red-teaming model, "GPT-Red." It trains an attacker model alongside multiple defender models simultaneously, feeding attacks discovered in this process back into the training of GPT-5.6. This adds a process that iterates from attack discovery to defensive training, while still retaining human and third-party red-teaming. How far does the reach of what OpenAI calls "self-improving safety" actually extend, and where does the boundary lie beyond which humans and system design still hold the reins?
Training Attacker and Defender Together
At the core of GPT-Red is self-play reinforcement learning, where attacker and defender learn from each other as training partners. GPT-Red earns rewards by successfully executing attacks such as prompt injection. The defender models earn rewards by resisting these attacks while still completing the original task requested by the user. As the defense grows stronger, the attacker must find new avenues to win.
The training environment is not an unbounded attack space. Each scenario has a defined threat model, with humans specifying where the attacker can operate and what counts as success. Should the malicious instruction be placed in a local file? Embedded in a webpage banner? Mixed into email body text or tool output? By partitioning permissions and goals per environment, attack success or failure can be converted into reinforcement learning rewards.
What emerges is a training curriculum whose difficulty rises in step with the strengthening of the target. With a fixed problem set, the learning signal vanishes once a model approaches a perfect score. With self-play, however, the moment a defender model repels an old attack, a new attack that defeats that defense becomes the next training material. OpenAI has structured this so that GPT-Red is kept separate from the deployed model—attack capabilities are not exposed externally, while resilience is transferred to the defender side.
From a Fixed GPT-4 Turbo to a "Moving Target"
OpenAI has been researching automated red-teaming for some time. In a method published in 2024, the company trained a GPT-3.5-class attacker model via reinforcement learning, targeting a fixed GPT-4 Turbo. For indirect prompt injection, it used 4,664 training examples and 1,102 test examples to measure how well attacks transferred to unseen attack objectives.
The challenge at the time was balancing success rate with diversity. Standard reinforcement learning tends to converge on a small set of reward-earning attacks. One-shot generation, meanwhile, produced diverse but nearly zero-success attacks. OpenAI's solution combined rule-based rewards tied to each attack objective with multi-step training that encouraged tactics distinct from past attempts. GPT-Red inherits this lineage while also updating the target simultaneously.
By shifting from a fixed target to co-evolution with a group of defender models, the attacker transformed from "a specialized tool for defeating yesterday's model" into "a training-material generator that keeps pace with an ever-strengthening group of models." According to OpenAI, GPT-Red received a computational investment on par with the company's largest post-training efforts. Over the past six months, predecessor models have been sequentially applied to each production model from GPT-5.3 onward, making this announcement less a research demo and more a change to the production pipeline. That said, figures such as GPU count, training tokens, and cost have not been disclosed.
Saturation of existing evaluations also drove this investment. In the GPT-5.6 System Card, the defense success rate against known connector attacks rose from 0.649 for GPT-5.1 thinking to 1.000 for GPT-5.6 Sol. On more demanding search-and-function-calling evaluations, the rate rose from 0.423 to 0.910. Once older tests stop revealing meaningful gaps, the attacker side must be strengthened to uncover the next weakness.
An 84% Attack Success Rate That Measured Transferability
Merely beating an opponent encountered during training does not rule out the possibility that the attacker overfit to the environment. OpenAI addressed this by using unseen environments and attack objectives, internally reproducing the indirect prompt injection competition designed by Dziemian et al. Targeting GPT-5.1, GPT-Red reportedly succeeded in attacking 84% of scenarios, compared to 13% for human red-teamers.
While this gap is substantial, it does not necessarily establish that GPT-Red generally outperforms humans. The announcement does not specify the number of human participants or the time limit given to them. The number of attempts, token budget, and confidence intervals also remain unknown.
The public competition by Dziemian et al. itself involved 464 people launching 272,000 attacks against 13 models, collecting 8,648 successful attacks across 41 scenarios. Per-model attack success rates ranged from 0.5% to 8.5%, and tactics that transferred across 21 actions were also identified—but the attack budget and units of aggregation differ from OpenAI's internal reproduction using GPT-Red. The figures cannot be directly compared.
The practical weight of this transferability showed up in attacks against tool-using agents. GPT-Red first attacked a Vendy-style store-management agent within a simulation, then transferred the same procedures to a real environment. The results included changing the price of an inventory item down to the floor price of $0.50, offering a new item worth over $100 for $0.50, and canceling another customer's order—achieving all three objectives. OpenAI states it has disclosed the vulnerability to relevant parties and is testing new defensive measures.
Against GPT-5.4 mini using Codex CLI, the team tested 10 unseen data-exfiltration scenarios. GPT-Red succeeded in more scenarios than a prompted GPT-5.5, while requiring fewer tokens. However, the absolute number of successes and token counts were not disclosed. What can be read from this is a broadening of red-teaming's target—from chat-based attacks that coax a model into saying dangerous things, to attacks that induce an agent holding real permissions to carry out undesirable actions.
The Distance Between "Self-Improvement" and Recursive Self-Modification
The self-improvement achieved by GPT-Red differs from recursive self-modification, in which a model rewrites its own code or weights and even sets its own goals for capability advancement. Here, humans define the threat model and the scope of permissible operations. They design the success criteria and rewards, prepare the computational infrastructure, and control which attack data gets fed into the production model. The autonomy resides within the loop of exploring attacks—it does not encompass the entirety of research and development.
OpenAI itself distinguishes the terminology. In the GPT-5.6 System Card, "AI Self-Improvement" is defined as a risk category measuring the capability to automate AI research and development. Its evaluations include debugging research experiments and kernel optimization. They also cover improving small-scale LLM training using a single H100, as well as designing and executing post-training methods. GPT-5.6's Sol, Terra, and Luna were all rated below High in this category. What the GPT-Red announcement refers to is self-improvement in the process of producing safety data.
Even so, this bounded loop carries significant weight. Human red-teamers excel at discovering novel failure modes, but they have limits in both the volume and iteration speed needed to satisfy model training. GPT-Red converts vulnerability discovery directly into training signal for the next model. Whether the pace of safety improvement can keep up with the growth of model capability hinges on how far this process can be automated.
At the same time, the materials currently available for external verification are limited. GPT-Red's weights and code are not public, and its training data and detailed evaluation environments remain undisclosed. External researchers cannot reproduce the results. There is reasonable justification for suppressing the proliferation of attack capabilities, but as long as the same organization designs the attack, defense, and evaluation, it is difficult for outsiders to inspect for overfitting to rewards or threat models. Transfer tests against unseen environments mitigate this concern somewhat, but they are no substitute for independent evaluation.
What Remains Beyond 0.05%
The improvement on the defender side is clear. The "Fake Chain-of-Thought" attack discovered by GPT-Red's predecessor had a success rate exceeding 95% against GPT-5.1, but this fell below 10% against GPT-5.6 Sol. The failure rate of GPT-5.6 Sol against GPT-Red's direct prompt injection stood at 0.05%—even on the hardest direct-attack evaluation, failures dropped to one-sixth of the best production model from four months earlier. Some indirect-attack evaluations targeting development tools and browsing also reached over 97% accuracy.
However, a low failure rate is not synonymous with a guarantee of safety. For an agent running an enormous number of times, even 0.05% cannot be ignored, and unknown attacks or product-specific tool chains can fall outside the evaluated distribution. Because a defender model that simply refuses everything would drive the numbers up, one must also measure whether it can still complete legitimate work. OpenAI states there was no degradation in general capability or over-refusal, but the GPT-Red announcement lacks detailed breakdowns per evaluation item.
What cannot be closed off through model training must be contained on the system side by limiting damage. This means narrowing tool permissions and restricting external communication. Critical operations should require user confirmation, and execution environments should be isolated. Monitoring can be deployed faster than a model update once a new attack is discovered. GPT-Red supplies this layered defense with high-quality attack examples, but it does not render the other layers unnecessary.
As of the day after the announcement, a detailed preprint had not yet been published; OpenAI has indicated it will release one later this week. Points worth confirming first include the scale of compute involved, the composition of the group of defender models, and the reward design. Also essential are how the unseen environments were partitioned, the budget given to human comparisons, and whether evaluations exist that external teams can independently reproduce. If the defender continues to outpace the attacker's growing strength, and if these results can also be reproduced through independent testing, then confidence in the claim that this system generalizes to unknown environments would rise substantially.