AI Security

Prompt Injection Just Went Industrial. Caver Already Watches for It.

OpenAI's GPT-Red shows what is coming: prompt injection generated by machine, at scale, landing 84% of the time. Caver records every AI call and flags that attack class in real time. Live today.

Matt Lucas  |  July 16, 2026  |  6 min
An all-seeing eye watching an AI agent held by red puppet strings, editorial hero illustration
84%
GPT-Red injection success (vs 13% human)
$0.50
Price it forced a live vending agent to set
OCSF 6005
Open schema Caver records every AI call in
Live
Caver injection detection, today
TL;DR
  • What OpenAI showed: GPT-Red, an internal-only automated red-teamer that uses self-play to mass-produce prompt-injection attacks. On an independent arena it broke GPT-5.1 on 84% of scenarios where human red-teamers managed 13%, and it hijacked a live vending-machine agent through injected text alone.
  • Why it is hard to catch: the payload rides inside content the agent legitimately reads, a web page, a document, a tool result. Your firewall sees encrypted traffic, your endpoint sees a normal process, and the malicious instruction lives in the model's context window, which nothing in a classic SIEM ingests.
  • What Caver does today: it sits in the agent's LLM path, records every prompt, tool call, and response as OCSF 6005, and flags prompt injection, credential and key leaks, system-prompt exfiltration, and cost anomalies in real time. Surfaced in the AI Observatory and piped to your SIEM. This is running now, on a live agent flow.
  • What is next: inline blocking and action-level policy, catching the unauthorized tool action by its effect. Near-term roadmap, built on the pipeline that already ships.

Prompt injection is the attack where you do not hack the AI, you talk it into hacking for you. You bury an instruction inside something the agent reads, a web page, a document, an email, a tool result, and the agent carries it out as if it came from its owner. This has been the defining weakness of AI agents since agents existed. What changed this week is the scale. On July 15, OpenAI revealed GPT-Red, an internal system that generates prompt-injection attacks through self-play and improves itself, landing them at a rate no human team can match. On an independent arena it broke GPT-5.1 on 84% of scenarios where human red-teamers managed 13%. The attack is not new. The industrialization of it is.

OpenAI keeps GPT-Red locked inside its own lab and uses it to harden its models, and its newest model resists these attacks well. You will never be attacked by GPT-Red itself. That is not the point. The point is what it proves: automated, self-improving prompt injection now works, and the technique is public. The offense just stopped being rate-limited by how many humans you can put on it.

The demonstration that should stop a room: GPT-Red was turned loose on a live vending-machine agent running in OpenAI's own office, an Andon Labs system in the spirit of Project Vend. Through injected instructions alone it hit all three of its goals, forcing the agent to drop an expensive in-stock item to the $0.50 floor, order a new $100-plus item and offer it for fifty cents, and cancel another customer's order. No exploit, no CVE, no memory corruption. It talked the agent into betraying its own operator, using nothing but text the agent was built to read.

Why this attack is invisible to the stack you already own

Prompt injection does not look like an attack to anything watching the wire or the box. The malicious instruction is not a packet signature or a suspicious binary. It is a sentence, sitting inside a product review, a support ticket, a scraped web page, a PDF, or the output of a tool the agent just called. The agent reads it because reading it is the job. The instruction then rewrites what the agent does next.

Walk it through your existing controls. The network firewall sees a TLS session to a model endpoint, same as every other agent call. The endpoint agent sees a normal process making a normal HTTPS request. The SIEM ingests logs from hosts, identities, and network flows, and none of those carry the one thing that matters here: the actual conversation between the agent and the model, and the tool calls that conversation triggers. The attack happens entirely inside the agent's context window. If you are not recording that window, you did not see it happen.

The blind spot is the agent's own input stream

Every classic detection layer sits outside the model's context. Prompt injection lives inside it. You cannot alert on what you never collect, and until very recently nobody was collecting the agent conversation as first-class security telemetry. That is the gap GPT-Red drives a truck through.

Caver already watches that stream, and it is live today

This is the part we are proud of. The defensive answer to a GPT-Red-class attack is not something we are going to build. It is running now, wired into a live agent flow, as part of Caver's AI observability. Here are the pieces, in the order the data moves.

1. Caver sits in the path

Caver captures agent traffic inline. Point an agent's model calls through Caver as a proxy, or feed it from a first-party emitter, and Caver sees every prompt, every tool call, and every response as it happens. Not sampled after the fact. In the path, in real time.

2. Every AI call becomes OCSF 6005

Each interaction lands in Caver's open lakehouse normalized to OCSF 6005, the GenAI event class the Open Cybersecurity Schema Framework recently defined for exactly this. That matters more than it sounds. Your AI activity is now queryable in the same schema, in the same lake, next to your endpoint, network, and identity telemetry. An analyst can correlate an injected prompt with the login that preceded it and the tool action that followed, without stitching three vendors together.

3. Detectors flag the attack in real time

As the traffic flows, Caver's detectors run against it: prompt injection, credential and API-key leaks, system-prompt exfiltration, and cost or volume anomalies. OpenAI's own GPT-Red samples read like a checklist of the same behaviors, AWS credential exfiltration, API-key forwarding, internal-directory upload, disabling two-step verification, which is exactly the ground these detectors cover. When that kind of injection shows up in the stream, it is scored and raised, not buried in a log nobody reads.

4. Content stays out of the lake, verdicts go in

Custody is deliberate. Caver attaches the verdict, the rule that fired and its severity, and does not persist the scanned prompt or response content. You get the security signal without turning your SIEM into a second copy of every sensitive thing your agents ever said.

5. It surfaces where analysts already work

Detections land in Caver's AI Observatory dashboard and flow into your SIEM, so a prompt-injection attempt gets triaged the same way a failed login does. The AI agent stops being a black box your security team cannot see into and becomes one more monitored surface.

The whole flow, in one line

Agent traffic goes inline through Caver, every call is normalized to OCSF 6005 in the open lakehouse, real-time detectors flag injection and leaks and exfil, verdicts surface in the AI Observatory and your SIEM, and the sensitive content never gets stored. That pipeline is shipped and running today.

What is next: from seeing it to stopping it

We are going to be straight about the line between shipped and coming, because the security crowd reading this will hold us to it. What is live today is detection: Caver sees the injection and raises it. The next two milestones build directly on that same pipeline.

The RedEye take

GPT-Red is the clearest signal yet that you cannot ask the model alone to defend itself. Against GPT-5.1 the automated attacker landed on 84% of scenarios where humans got 13%. OpenAI hardened its next model against it, which is the right move and also the catch: most agents running in production today are not the latest, adversarially trained frontier model, and nothing stops a motivated adversary from building their own self-improving attacker. When the offense scales like this, hardening the model is necessary and permanently insufficient. You need a control that watches the agent at runtime, from outside the model, that does not care how clever the next injection is because it is looking at behavior and content on the wire, not trusting the model's judgment.

That control is AI observability, and Caver has it running now. Not a slide, not a waitlist, not a partner integration you have to go buy. It is the same Caver that gives you cheaper storage and faster queries than the legacy SIEM stack, extended to the one telemetry source everyone else forgot to collect: the conversation inside the agent. OpenAI just told the whole industry how good the offense has gotten. The defensive half is already in the lake.

Source

OpenAI, "Unlocking self-improvement in AI red-teaming with GPT-Red," July 15, 2026. openai.com/index/unlocking-self-improvement-gpt-red

See the AI Observatory

Caver records your AI agents as security telemetry, flags prompt injection and data leaks in real time, and keeps the sensitive content out of the lake. Live today.

See the AI Observatory at getcaver.com