OpenAI has created GPT-Red, an LLM designed to play sparring partner: it simulates cyberattacks to make models like GPT-5.6 more robust. The announcement came from MIT Technology Review, July 2026. GPT-5.6, they say from San Francisco, is their most secure model ever thanks to this automated adversary.
Here’s the catch: who trains the trainer? Who audits GPT-Red to ensure it is not repurposed for offensive use? No one knows. While OpenAI self-certifies, Europe is still debating bureaucracy around the AI Act, with zero funding allocated for a public AI security counterpart.
We at Meteora Web take a clear stance: security bought from a single vendor is not security at all.
A proprietary super-hacker from one company is like a safe lock built by the same manufacturer — it may work, but no independent inspector checks the code. We see it every day with Italian SMEs: servers without backups, vulnerable forms, expired SSL certificates. Now add an LLM trained to break systems — without transparency on how it's controlled. For an Italian business, this means total dependence on an American black box for digital defense. That is precisely the opposite of the technological sovereignty Europe claims to pursue.
Sponsored Protocol
We come from accounting, balance sheets, real servers. When an automatic SSL renewal broke on a server, we fixed it and automated it without downtime. Because security is not a model you buy once: it's a daily practice. GPT-Red can be a useful tool, but locked inside OpenAI it helps no one defending a fashion e‑commerce in Palermo or a booking portal in Sciacca.
Sponsored Protocol
What to do now. For developers: integrate open-source security tools (OWASP Dependency-Check, Semgrep, free Burp) into your workflow — never outsource all trust to an external API. For business owners: when a consultant pitches “GPT-Red‑powered security,” ask for independent references and certifications. For Europe: it’s time to fund a public AI red‑teaming project, like Google’s Sandbox but with real transparency. We cannot leave defense to those who unilaterally decide what “secure enough” means.
The digital divide is also a security divide. We work to bridge it. But if Europe keeps watching, the gap between those with a private super‑hacker and those with an unpatched WordPress site will become an abyss.