OpenAI says GPT-5.6 Sol is substantially harder to manipulate with prompt injection attacks after the company trained an internal adversarial model, GPT-Red, to find and generate them at scale.
In a July 15 research post, OpenAI said GPT-Red was used directly in GPT-5.6’s robustness training. The company claims its flagship Sol model now has six times fewer failures on its hardest direct prompt-injection benchmark than its best production model from four months earlier. Against GPT-Red’s own direct attacks, OpenAI reports a 0.05% failure rate.
Prompt injection is a practical security issue for AI agents that read untrusted material—web pages, emails, documents, tool output, source repositories, and local files. An attacker can hide instructions in that material in an attempt to override the agent’s intended task, induce data disclosure, or trigger actions the user did not authorize.
According to OpenAI, GPT-Red was trained with self-play reinforcement learning. It tries to induce a failure while a collection of defender models is rewarded for completing the original task without following malicious embedded instructions. As the defenders improve, the attacker must find new and more varied techniques.
OpenAI says GPT-Red can control content in realistic attack surfaces such as local files, web-page banners, email bodies, and tool responses. It remains an internal-only system, a deliberate choice meant to avoid distributing a model optimized to produce malicious prompts.
The company also says an earlier GPT-Red variant uncovered a “fake chain-of-thought” injection class that succeeded more than 95% of the time against GPT-5.1. That attack family is now reported to succeed less than 10% of the time against GPT-5.6 Sol.
OpenAI’s GPT-5.6 system card also says the company used more than 700,000 A100e GPU hours for automated discovery of universal jailbreaks. That work is related to safeguard testing, but it should not be read as a GPU-hour total for GPT-Red alone. OpenAI says it will continue automated red teaming during deployment alongside human and third-party testing.
For Windows administrators and developers, the practical point is unchanged: treat AI access to local files, shared drives, browser sessions, email, and business connectors as a security boundary. Better model resistance can reduce risk, but it does not replace least-privilege access, approval gates for consequential actions, logging, and isolation of sensitive credentials.
GPT-5.6 Sol, Terra, and Luna are already rolling out across ChatGPT, Codex, and the API, with OpenAI continuing deployment-time testing.
In a July 15 research post, OpenAI said GPT-Red was used directly in GPT-5.6’s robustness training. The company claims its flagship Sol model now has six times fewer failures on its hardest direct prompt-injection benchmark than its best production model from four months earlier. Against GPT-Red’s own direct attacks, OpenAI reports a 0.05% failure rate.
Prompt injection is a practical security issue for AI agents that read untrusted material—web pages, emails, documents, tool output, source repositories, and local files. An attacker can hide instructions in that material in an attempt to override the agent’s intended task, induce data disclosure, or trigger actions the user did not authorize.
An AI attacker trained through self-play
According to OpenAI, GPT-Red was trained with self-play reinforcement learning. It tries to induce a failure while a collection of defender models is rewarded for completing the original task without following malicious embedded instructions. As the defenders improve, the attacker must find new and more varied techniques.OpenAI says GPT-Red can control content in realistic attack surfaces such as local files, web-page banners, email bodies, and tool responses. It remains an internal-only system, a deliberate choice meant to avoid distributing a model optimized to produce malicious prompts.
The company also says an earlier GPT-Red variant uncovered a “fake chain-of-thought” injection class that succeeded more than 95% of the time against GPT-5.1. That attack family is now reported to succeed less than 10% of the time against GPT-5.6 Sol.
What the numbers do—and do not—mean
The 0.05% figure is not a general measure of prompt-injection safety in the wild. It measures failures against OpenAI’s own automated attacker and its selected direct-injection environments. That is useful evidence that training against a stronger adversary improves resistance, but it is not proof that an agent connected to enterprise data is immune to novel attacks.OpenAI’s GPT-5.6 system card also says the company used more than 700,000 A100e GPU hours for automated discovery of universal jailbreaks. That work is related to safeguard testing, but it should not be read as a GPU-hour total for GPT-Red alone. OpenAI says it will continue automated red teaming during deployment alongside human and third-party testing.
For Windows administrators and developers, the practical point is unchanged: treat AI access to local files, shared drives, browser sessions, email, and business connectors as a security boundary. Better model resistance can reduce risk, but it does not replace least-privilege access, approval gates for consequential actions, logging, and isolation of sensitive credentials.
GPT-5.6 Sol, Terra, and Luna are already rolling out across ChatGPT, Codex, and the API, with OpenAI continuing deployment-time testing.
References
- Primary source: Crypto Briefing
Published: 2026-07-15T22:09:01+00:00
OpenAI strengthens GPT-5.6 against prompt injection attacks with internal AI red team
OpenAI's GPT-5.6 uses an internal AI red team called GPT-Red to achieve a 6x reduction in prompt injection failures, with a 0.05% failure rate against itscryptobriefing.com - Official source: openai.com
How we monitor internal coding agents for misalignment | OpenAI
How OpenAI uses chain-of-thought monitoring to study misalignment in internal coding agents—analyzing real-world deployments to detect risks and strengthen AI safety safeguards.openai.com