GPT-5.6 Sol Cuts Prompt-Injection Failures to 0.05%

OpenAI says GPT-5.6 Sol is substantially harder to manipulate with prompt injection attacks after the company trained an internal adversarial model, GPT-Red, to find and generate them at scale.
In a July 15 research post, OpenAI said GPT-Red was used directly in GPT-5.6’s robustness training. The company claims its flagship Sol model now has six times fewer failures on its hardest direct prompt-injection benchmark than its best production model from four months earlier. Against GPT-Red’s own direct attacks, OpenAI reports a 0.05% failure rate.
Prompt injection is a practical security issue for AI agents that read untrusted material—web pages, emails, documents, tool output, source repositories, and local files. An attacker can hide instructions in that material in an attempt to override the agent’s intended task, induce data disclosure, or trigger actions the user did not authorize.

Cybersecurity infographic showing GPT-5.6 shield blocking adversarial attacks with layered defenses.An AI attacker trained through self-play​

According to OpenAI, GPT-Red was trained with self-play reinforcement learning. It tries to induce a failure while a collection of defender models is rewarded for completing the original task without following malicious embedded instructions. As the defenders improve, the attacker must find new and more varied techniques.
OpenAI says GPT-Red can control content in realistic attack surfaces such as local files, web-page banners, email bodies, and tool responses. It remains an internal-only system, a deliberate choice meant to avoid distributing a model optimized to produce malicious prompts.
The company also says an earlier GPT-Red variant uncovered a “fake chain-of-thought” injection class that succeeded more than 95% of the time against GPT-5.1. That attack family is now reported to succeed less than 10% of the time against GPT-5.6 Sol.

What the numbers do—and do not—mean​

The 0.05% figure is not a general measure of prompt-injection safety in the wild. It measures failures against OpenAI’s own automated attacker and its selected direct-injection environments. That is useful evidence that training against a stronger adversary improves resistance, but it is not proof that an agent connected to enterprise data is immune to novel attacks.
OpenAI’s GPT-5.6 system card also says the company used more than 700,000 A100e GPU hours for automated discovery of universal jailbreaks. That work is related to safeguard testing, but it should not be read as a GPU-hour total for GPT-Red alone. OpenAI says it will continue automated red teaming during deployment alongside human and third-party testing.
For Windows administrators and developers, the practical point is unchanged: treat AI access to local files, shared drives, browser sessions, email, and business connectors as a security boundary. Better model resistance can reduce risk, but it does not replace least-privilege access, approval gates for consequential actions, logging, and isolation of sensitive credentials.
GPT-5.6 Sol, Terra, and Luna are already rolling out across ChatGPT, Codex, and the API, with OpenAI continuing deployment-time testing.

References​

  1. Primary source: Crypto Briefing
    Published: 2026-07-15T22:09:01+00:00
  2. Official source: openai.com
 

Back
Top