OpenAI’s Secret ‘Super Hacker’ Model Achieves 84% Attack Success Rate
OpenAI built GPT‑Red, an internal large‑model ‘super hacker’ that autonomously performs red‑team testing, achieving an 84% success rate against GPT‑5 compared to 13% for human teams, and significantly improves the robustness of the newer GPT‑5.6 model.
OpenAI disclosed that it has internally trained a large‑model “super hacker” called GPT‑Red , which serves as an automated red‑team partner to help other models improve their resistance to cyber attacks.
The company released GPT‑5.6 as its latest flagship model, stating that training against GPT‑Red made it the most robust model to date.
GPT‑Red performs automated red‑team testing, aiming to discover as many ways as possible to compromise or hijack a system before release. As large models become more complex and act as agents that can interact with files, websites, and third‑party code, manual testing struggles to cover the expanding attack surface. OpenAI scientists Nikhil Kandpal and Dylan Hunn emphasized that the risk landscape is widening and that GPT‑Red is designed to give the testing process future‑proof capabilities.
The model focuses primarily on prompt injection attacks, where malicious instructions are embedded in text that the model may process, causing it to perform unintended actions such as leaking confidential information or damaging code bases.
To build GPT‑Red, researchers started with an untrained large model and placed it in a self‑adversarial loop with multiple other models. In this “dojo” environment, GPT‑Red attempts to attack the other models while they try to defend themselves. Through repeated rounds of competition, GPT‑Red’s attack abilities improve, and the defending models become more resilient.
When GPT‑Red discovers a new attack, it explores many variants to find the most effective method for a given scenario. Dylan Hunn noted that, compared with human red‑teamers, the model is extremely good at identifying which methods work and persisting in refining them.
One notable discovery is a previously unseen prompt‑injection technique dubbed “fake chain.” Large‑model “thought chains” act like logs where the model records notes during problem solving. GPT‑Red can insert fabricated entries into another model’s chain, tricking it into acting on false information. Chris Choquette‑Choo illustrated this with the analogy “telling you 1+1=3 and claiming it’s verified; the model then outputs 3.”
External analyst Jessica Ji from Georgetown University’s Center for Security and Emerging Technology praised the self‑adversarial loop as a promising approach.
In a re‑run of a 2025 experiment, GPT‑Red achieved an 84% success rate in attacking test scenarios, far surpassing the 13% success rate of human red‑team testers. When its strongest attacks were applied to the previous‑generation GPT‑5, over 90% succeeded, whereas only under 23% succeeded against the newer GPT‑5.6.
GPT‑Red also successfully compromised Vendy, an autonomous vending‑machine agent from Andon Labs, modifying product prices and canceling customer orders.
Despite its strengths, GPT‑Red has limitations: it struggles with attacks that require multi‑turn interaction between attacker and target, and its image‑based attack capabilities are still low. OpenAI positions GPT‑Red as a complement to human red‑teamers, using a workflow where humans design attacks that GPT‑Red then expands into variants.
OpenAI will not release GPT‑Red publicly, citing the high barrier for others to replicate its capabilities. The model was developed over more than a year with substantial computational resources provided by a major tech company.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
