As AI agents gain the ability to browse the web, read emails, execute code, and call external APIs, one attack class has quietly become the defining security threat of the agentic era: prompt injection. An attacker embeds a malicious instruction inside content the agent reads , a webpage, a document, a tool response , and the agent follows it as if it came from the user. Documented injection attempts against enterprise AI rose about 340% year over year in late 2025, and indirect attacks , instructions hidden in an email, document, or web page , are now the dominant vector. OpenAI's answer to this is GPT-Red, a new internal automated red-teaming model that finds these vulnerabilities at scale and feeds them directly into production model training.

The bottleneck GPT-Red is built to break

Red-teaming , having skilled humans try to break a model before it ships , is how the industry discovers vulnerabilities. But it doesn't scale. Human red-teaming is time-intensive, limiting how quickly new failure modes can be identified and incorporated into stronger safeguards. And while these exercises produce valuable examples of successful attacks, they cannot generate the volume and diversity of adversarial data needed to improve model robustness through training.

The problem is compounding. Keeping pace with increasingly capable models requires red-teaming to scale as well. At the same time, prompt injection is still the number one entry on the OWASP LLM Top 10 in 2026, and security researchers now treat it as an unsolved problem rather than a bug awaiting a patch. The gap between how fast models are improving and how fast safety testing can keep up is exactly what GPT-Red is designed to close.

Self-play: the same trick that made AlphaGo, applied to safety

Self-play reinforcement learning , where a model trains by competing against itself or copies of itself , is the same technique that produced superhuman game-playing agents. In self-play RL, agents optimize policies by interacting and competing with instances of themselves within adversarial environments. In contrast to fixed-opponent training, self-play generates inherently adaptive curricula, allowing agents to reach strategic depth and robustness unattainable by conventional supervised or single-agent RL. GPT-Red applies this directly to safety.

Alpha Signal

Don't miss what's next in AI

Join 300,000+ engineers and researchers who get the signal, not the noise.

  • Full access to in-depth AI research breakdowns
  • Be the first to know what's trending before it hits mainstream
  • Daily curated papers, repos, and industry moves