Adaptive Probe-based Steering for Robust LLM Jailbreaking

Abstract: Recent work has demonstrated the potential of contrastive steering for jailbreaking LLMs. However, existing methods rely on limited and inherently biased contrastive prompts and require laborious manual tuning of steering strength, limiting their robustness and effectiveness. In this paper, we leverage the idea of model extraction to guide the learned steering vectors to approximate the ideal one and propose tuning the steering strength adaptively based on contrastive activations' statistics. Experiments demonstrate that our method notably improves the effectiveness and robustness of probe-based steering, without any extra contrastive prompts or laborious manual tuning. Being an attack paper, this paper focuses on revealing the breakdown of fortified LLMs, raising the average harmfulness score from 6\% to 70\%. Our code is available at https://github.com/fhdnskfbeuv/adaptiveSteering.

• The paper presents an adaptive probe-based steering method that leverages iterative model extraction and activation statistics to bypass LLM safety defenses.
• The method adaptively tunes steering strengths across layers using activation logits and ℓ2 norm scaling, removing the need for manual adjustments and ensuring coherent attacks.
• Experimental results demonstrate an increase in harmfulness scores from 6% to over 70% across various LLMs, challenging prevailing alignment protocols.

Authoritative Summary of "Adaptive Probe-based Steering for Robust LLM Jailbreaking" (2605.20286)

Problem Overview and Motivation

The proliferation of alignment techniques for LLMs, such as RLHF and safety fine-tuning, is intended to ensure output harmlessness. Yet, mounting evidence indicates such defenses can be circumvented by jailbreaking attacks, exposing the vulnerability of “fortified” LLMs to adversarial manipulation. This paper addresses a critical gap: the lack of strong, automated adversarial attacks that can reliably evaluate worst-case robustness of aligned LLMs, especially when traditional gradient-based strategies are infeasible due to the discrete nature of LLM input spaces and the lack of well-correlated response-level proxies.

Contrastive steering, specifically probe-based variants, has emerged as a promising but limited approach for behavioral control and jailbreaking. Existing methods suffer from two key shortcomings: (1) reliance on biased contrastive prompts leading to suboptimal steering directions, and (2) laborious layer-wise parameter tuning of steering strength, undermining practicality and robustness.

This work systematically resolves these deficiencies, enhancing probe-based steering for jailbreaking and pushing harmfulness scores for state-of-the-art fortified LLMs from as low as 6% to consistently over 70%.

Technical Contributions

Direction Refinement via Model Extraction

The authors recast the problem of finding effective steering vectors in probe-based contrastive steering as a model extraction task. A novel iterative algorithm is proposed, which augments the probe training dataset with contrastive activations from steered LLMs, annotated using a reliable judge (e.g., LLM-based classifiers such as SRF). This adaptive retraining procedure approximates an ideal linear probe direction without requiring additional contrastive prompts, mitigating the impact of coupled, confounded directions (e.g., ethical-unethical or topic-specific features) inherent in naive prompt augmentation.

The iterative refinement strategy is grounded in the formal Linear Control Assumption (LCA), ensuring monotonicity in behavioral control: for a learned steering vector sequence $V$, the indicator output $IB(me(\theta))$ is a monotonically increasing function of the steer strength.

Adaptive Strength Tuning Based on Activation Statistics

Empirically, probe accuracy across layers is highly unstable, and magnitude disparities in hidden activations result in frequent oversteering if uniform, fixed steering strengths are applied. The paper deprecates accuracy-based layer selection and proposes to set layer-wise steering strengths adaptively based on contrastive activation statistics—specifically, using activation logits of target behaviors, scaled by activation $\ell_2$ norms to account for order-of-magnitude differences across layers. This method obviates the need for manual continuous parameter tuning and ensures that probe-based steering operates at the correct scale, improving attack coherence.

Other critical implementation details include discarding last-layer activations (to avoid degenerate logit bias and repetition) and steering all token positions, interpreting steering vectors as parameter-efficient adapters.

Experimental Results

The adaptive probe-based steering method is evaluated against a suite of 12 LLMs equipped with diverse jailbreaking defenses, including circuit-breaker (CB), deep alignment (DA), representation bending (RB), safe unlearning (SU), latent adversarial training (LAT), tamper-resistant alignment (TAR), and decoupled refusal training (DeRTA). Judging harmfulness via SRF, HB, and SR metrics, the proposed attack increases average harmfulness scores from 6% to 70% or higher on nearly all models. Notably:

• Attacks like RepE and SCAV, as well as angular steering and refusal direction (RD), generally fail or require manual tuning, occasionally failing to find any available direction (especially RD, due to filtering).
• The adaptive retraining approach robustly bypasses defenses in CB and RB series, where prior works claimed perturbation-based attacks were ineffective.
• Adversarial robustness induced by degraded capability (e.g., R2D2) is clearly identified, demonstrating a positive correlation between overall helpfulness and jailbreak susceptibility.

Ablation studies reveal indispensability of adaptive strength tuning, steering all token positions, discarding the last layer, and adaptive retraining. The approach is consistently superior to naive augmentation and uncertainty sampling in probe training.

Extensibility is demonstrated: the method remains effective on general-purpose LLMs, reasoning-based models (e.g., Qwen3-4B-Thinking, GLM-4.6V-Flash), and multimodal defenses (e.g., Llava-CB), showing transferability of the attack framework.

Theoretical and Practical Implications

The results invalidate claims of adversarial robustness for many current LLM alignment strategies, especially those premised on shallow alignment or activation manipulation. The model extraction-inspired iterative refinement provides both theoretical guarantees (monotonic behavioral control via LCA) and practical robustness.

Adaptive probe-based steering is thus positioned as a critical red-teaming tool, systematically probing the worst-case vulnerabilities in LLMs in a parameter-free, automated, and scalable fashion. The approach, by leveraging activation statistics and adaptive annotator-based retraining, sets a new benchmark for the evaluation of LLM safety protocols.

Further, the framework is extensible: steering vectors for jailbreaking are special cases of controlling arbitrary LLM personas, unlocking potential for beneficial applications (persona control, safety monitoring).

Future Directions

Key avenues of improvement remain in developing more efficient, higher-fidelity annotators and adaptive sampling strategies, as well as identifying token positions most correlated with behavioral control. The framework opens up research in optimizer-driven text-space attacks (once optimization strategies catch up), multimodal adversarial evaluation, and general persona control in LLMs. With increasing compute and annotation capabilities, practical efficiency limitations will be mitigated.

Evaluating and strengthening LLM defenses must move beyond heuristics and manual testing to systematic, high-throughput red-teaming—models must demonstrate robustness under strong, adaptive attacks akin to those in this paper.

Conclusion

The adaptive probe-based steering method sets a new standard for evaluating and revealing LLM vulnerabilities to jailbreaking, bypassing alignment defenses through model extraction-inspired probe refinement and activation-statistics-driven strength tuning. The approach outperforms prior contrastive steering strategies in both robustness and harmfulness induction, establishing a rigorous, automated framework for red-teaming—essential for future proofing LLM safety and alignment protocols.