
OpenAI trained an elite hacker, then locked him in a cage. All it does is hack OpenAI’s own AI. The company says it’s too dangerous to let anyone near it.
The model is called GPT-Red and OpenAI detailed this week. It’s an automated red team: software that looks for ways to hijack or sabotage other AI systems, so holes can be patched before release. People have long done this work by hand. This is OpenAI’s deepest push to automate itself AI securityand GPT-Red does it at machine speed.
OpenAI aims for this emergency injectioninstructions hidden in an email, web page, or file trick the model into doing something it shouldn’t. Then he released the hacker to real targets.
Training dojo
GPT-Red learns by fighting. OpenAI turned it into a game against a team of defensive models. GPT-Red is rewarded for attacking; to repel one of the defenders. As the defenders get wiser, GPT-Red has to come up with worse tricks. OpenAI says it has poured some of its largest computations ever into the model, an unprecedented amount for security work.
It was good. talking to MIT Technology Reviewthe team says GPT-Red has discovered an entirely new class of attack they’ve never seen before, which they call “fake thought chaining.” He places a fake note in the model’s personal working memory and tricks her into believing something that isn’t true.
“It’s like I told you 1+1=3 and you’ve already confirmed it,” OpenAI researcher Chris Choquette-Choo said. “The model says, ‘Oh, okay, sure,’ and just spits out 3.”
Hacking the vending machine
The tests became physical. In one, GPT-Red attacked Vendy, an AI agent operating a real-life vending machine in OpenAI’s office, built by Andon Labs. He changed prices, marked down an expensive item by as little as 50 cents, and canceled the customer’s order. OpenAI said it disclosed the flaws.
The accounts are remarkable. Against older GPT-5, more than 90% of GPT-Red’s strongest attacks worked. Against the new GPT-5.6It was less than 23%. In the 2025 replay of the test, GPT-Red beat the human red teams 84% to 13% of the time.
It is kept in a cage
OpenAI trained GPT-5.6 against GPT-Red and calls it the most robust model against rapid injection. But he won’t hand over the attacker himself, so his skills are far from reality agent hijackers. This is not the first lab to build something and decide not to release.
“It’s not a trivial thing that someone can easily do,” Choquette-Choo said, “just go and train a super-striker using this idea.”
GPT-Red still has blind spots. Weak in extended, back-and-forth attacks, and hiding instructions inside images. And human testers continue to catch things he missed. “I think human experience will still be very important,” said Jessica Ji, an AI security analyst at Georgetown’s CSET.
The bigger idea is the flywheel: use today’s models to harden tomorrow’s models. OpenAI is already doing this to make its AI smarter. Now he wants security to expand just as quickly. The full document will be released later this week.





