Tech

OpenAI built GPT-Red to hack its AI, and hide it

OpenAI trained an elite hacker, then locked him in a cage. Its entire mission is to break OpenAI’s AI. The company says it’s too dangerous to let another person near it.

The model is called GPT-Red, and OpenAI detailed it this week. It’s the default red team: software that hunts for ways to hijack or destroy other AI systems, so that holes can be patched before release. People have been doing this work by hand for a long time. It’s OpenAI’s deepest push yet in automating its AI security, and GPT-Red is doing it at machine speed.

OpenAI aims for instant injection, where hidden instructions, buried in an email, web page, or file, trick the model into doing something inappropriate. It then unleashed the hacker on the real target.

A training dojo

GPT-Red learns to fight. OpenAI puts you in a self-play loop against a group of defensive models. GPT-Red is awarded for attacking; they do not protect themselves by protecting another. Since the defenders are smart, GPT-Red has to come up with bad tactics. OpenAI claims to have poured some of the largest supercomputers ever into the model, an unprecedented amount for security work.

TNW City Coworking Space – Where your best work happens

A workplace designed for growth, collaboration, and endless networking opportunities at the heart of technology.

It was good. Speaking to MIT Technology Review, the team said that GPT-Red discovered a new class of attacks they had never seen before, which they called “false logic chain.” It plants a false note in the model’s private working memory, tricking it into trusting something that isn’t true.

“It’s like I’m telling you 1+1=3 and you’ve already proven this,” said OpenAI researcher Chris Choquette-Choo. “The model is like, ‘Oh, okay, of course,’ and it just spits out a 3.”

Hacking a vending machine

The tests got physical. In one, GPT-Red attacked Vendy, an AI agent that uses a real vending machine in the office of OpenAI, developed by Andon Labs. It changed prices, marked the lowest price item down to 50 cents, and canceled the customer’s order. OpenAI claims to have disclosed the flaws.

The score is amazing. Against the old GPT-5, more than 90% of GPT-Red’s strongest attacks worked. Against the new GPT-5.6, less than 23%. In a repeat of the 2025 test, GPT-Red beat the red group of people, breaking 84% of the cases to 13%.

Kept in a cage

OpenAI trained GPT-5.6 against GPT-Red, and calls it its most powerful model to date against rapid injection. But it won’t give it to an attacker by itself, so its capabilities remain unclear to real-agent hackers. It’s not the first lab to build something and then decide not to release it.

“It’s not a trivial thing that one can easily do,” said Choquette-Choo, “just go and train a big hitter using this idea.”

GPT-Red still has blinders. Weak to attacks drawn from the outside, back and forth, and hiding instructions within images. And human inspectors continue to catch misses. “I think human intelligence is still going to be very important,” said Jessica Ji, an AI security analyst at Georgetown’s CSET.

The big idea is the flywheel: use today’s models to power tomorrow’s. OpenAI is already doing this to make its AI smarter. Now it wants security to grow faster. The full paper will be released later this week.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button