OpenAI did not announce another user-facing model. It described GPT-Red, an internal red-team model built to attack OpenAI's own systems before production models reach users.
The shift matters because agentic systems now read webpages, tools, files and code. Prompt injection is no longer only a chatbox jailbreak problem; it can enter through the content an agent is asked to process.
"Training strong automated safety red-teamers to improve robustness."
A red team inside the training loop
GPT-Red is trained with self-play reinforcement learning. The attacker tries to trigger a valid failure, while defender models try to finish the original task without obeying malicious instructions hidden in emails, webpages, local files or tool outputs.
OpenAI reports that GPT-Red found successful attacks in 84% of scenarios on a replicated indirect prompt-injection arena against GPT-5.1, compared with 13% for human red-teamers. Attacks generated by GPT-Red were then used to train GPT-5.6 Sol, which OpenAI says produced six times fewer failures on its hardest direct prompt-injection benchmark than its strongest production model from four months earlier.
The realistic cases are the warning
OpenAI also tested GPT-Red against a vending-machine agent. After exploring attacks in simulation, GPT-Red caused the production agent to set an expensive item to $0.50, add a $100-plus item and sell it for $0.50, and cancel another customer's order.
A second case targeted a Codex CLI agent backed by GPT-5.4 mini across 10 held-out data-exfiltration tasks. OpenAI says GPT-Red was more effective and more token efficient than a prompted GPT-5.5 baseline.
Strong numbers, visible limits
OpenAI says a Fake Chain-of-Thought attack class once succeeded more than 95% of the time against GPT-5.1, but is now below 10% against GPT-5.6 Sol. It also reports a 0.05% failure rate against GPT-Red's direct prompt injections across a broad robustness set.
Those numbers are useful, but GPT-Red remains internal. Outside researchers cannot yet reproduce the test distribution, inspect failures, or measure the trade-off between robustness and refusal behavior. For builders, the practical lesson is architectural: use permission boundaries, allowlists, confirmation for sensitive actions, audit logs and minimal data exposure. A stronger model lowers risk; it does not replace system controls.
Sources: OpenAI GPT-Red technical note, Help Net Security, SiliconANGLE, CocoLoop; checked the 84%/13% comparison, sixfold failure reduction, above-95% to below-10% attack-rate change, 0.05% failure rate and the Vendy/Codex CLI case descriptions.