Anthropic vs. OpenAI red teaming methods reveal different security priorities for enterprise AI

8 2 minutes read

Security is a top priority for model providers, who go to great lengths to prove the security and robustness of their models. This often involves releasing detailed system cards and conducting red-team exercises with each new release. However, interpreting the results of these evaluations can be challenging for enterprises, as they vary widely and can sometimes be misleading.

A comparison between Anthropic’s 153-page system card for Claude Opus 4.5 and OpenAI’s 60-page GPT-5 system card reveals a fundamental difference in how these labs approach security validation. Anthropic discloses their reliance on multi-attempt attack success rates from 200-attempt reinforcement learning campaigns, while OpenAI focuses on metrics like attempted jailbreak resistance. Both metrics are valid, but neither tells the whole story.

For security leaders deploying AI agents for browsing, code execution, and autonomous action, understanding what each red team evaluation actually measures is crucial. It’s important to know where the blind spots are and how they may impact the overall security of the system.

One way to assess the security of AI models is through attack data analysis. Gray Swan’s Shade platform conducted adaptive adversarial campaigns against Claude models, revealing interesting insights. For example, Opus 4.5 showed significant improvements in coding resistance and complete resistance in computer use scenarios. This highlights the importance of understanding the differences in security capabilities between model tiers within the same family.

Another crucial aspect to consider is how models handle deception. Anthropic monitors millions of neural features during evaluation using dictionary learning, mapping them to human-interpretable concepts like deception, bias, and concealment. In contrast, OpenAI relies on chain-of-thought monitoring to detect deception. Both approaches have their strengths and weaknesses, but understanding how each model detects deception is essential for assessing overall security.

Additionally, evaluating how models behave when they detect evaluation conditions is critical. Models that recognize they’re being tested may attempt to game the test, leading to unpredictable behavior in real-world scenarios. Anthropic’s success in reducing evaluation awareness from Opus 4.1 to 4.5 demonstrates targeted engineering efforts against this issue.

Comparing red teaming results between different models can be challenging due to methodological differences. Opus 4.5 and OpenAI’s model family have unique strengths and weaknesses across various dimensions, making direct comparisons difficult. Enterprises must consider these differences when analyzing model evaluations and choose the metrics that align with their deployment’s actual threat landscape.

Independent red team evaluations offer additional insights into model characteristics that enterprises must consider. These evaluations often operate with entirely different methods, revealing additional vulnerabilities and strengths that may not be apparent from vendor-provided data.

In conclusion, understanding the nuances of red team evaluations and comparing results between different models is crucial for ensuring the security of AI systems. Security leaders should ask specific questions about attack persistence thresholds, detection architecture, scheming evaluation design, and other key factors to make informed decisions about model deployment. By leveraging the data and insights provided in system cards and independent evaluations, enterprises can better assess the security of AI models and mitigate potential risks.