OpenAI has unveiled GPT-Red: a language model trained to act as a super-hacker, capable of finding vulnerabilities in other generative AI systems. The stated goal is to use it as a “sparring partner” to make their own models more robust. The news arrives as the European Union is trying to finalize safety rules for artificial intelligence through the AI Act.
Why it matters
For European businesses, the message is twofold. On one hand, GPT-Red proves that security risks in AI systems are real and growing — no longer just lab theories. On the other, it highlights a structural problem: safety is left in the hands of a few US tech giants. Italian SMEs that adopt LLM-based tools (chatbots, virtual assistants, document automation) have no way to independently verify whether those models are exposed to attacks like prompt injection, jailbreak, or data poisoning. They become dependent on what Big Tech decides to disclose.
Sponsored Protocol
Moreover, OpenAI’s strategy — training a model to attack — raises ethical and regulatory questions. Who watches the watchmen? An LLM super-hacker could be used offensively if it falls into the wrong hands. Europe, with the AI Act, is trying to impose transparency and risk assessment obligations, but we are still far from a framework that forces companies to publicly disclose their red-teaming systems.
Our position
We, at Meteora Web, see GPT-Red as yet another confirmation that cybersecurity in Italian SMEs is systematically underestimated. We see it every day: outdated plugins, unprotected forms, no backup configured. Now the threat comes from AI as well. But we cannot wait for OpenAI or Google to tell us whether their models are safe. The only way is to take responsibility for your own infrastructure. Anyone adopting generative AI should demand independent security audits, train their developers, and not blindly trust closed APIs. Our position is clear: owning your stack beats renting it, even when the landlord is called OpenAI. For Italian SMEs, this means investing in internal skills or partnering with agencies like ours that can assess real risks, not just declared ones.
Sponsored Protocol
What to do
If you use AI tools in your business, ask the vendor: “Do you have a red-teaming program? What security tests have you run?” If you don’t get concrete answers, replace the tool. For developers: integrate prompt injection cases into your tests and verify model boundaries. And if you’re an entrepreneur, don’t wait for a breach to act — today is the best day to run a security audit on your digital presence.