Papers
Topics
Authors
Recent
Search
2000 character limit reached

A Red-Team Study of Anthropic Fable 5 & Opus 4.8 Models

Published 16 Jun 2026 in cs.CR, cs.AI, and cs.CL | (2606.18193v1)

Abstract: We evaluate the adversarial robustness of two frontier LLMs developed by Anthropic, Fable 5 and Opus 4.8, against four families of automated jailbreak attack across 7 826 harmful intents spanning a ten-category harm taxonomy. Using the HackAgent red-teaming framework, hundreds of thousands of adversarial attempts were generated and every apparent success was independently re-adjudicated by a panel of three judge models (majority vote). Both models resist the majority of attacks, but the residual surface is larger than aggregate framing suggests: it is dominated by adaptive iterative attacks, while static obfuscation is near-fully neutralised. The strongest adaptive search (tree-of-attacks) breaks Opus 4.8 on 11.5% of intents overall, whereas Fable 5 stays in the single digits (6.1% worst-case). Aggregate rates therefore should not be read as reassurance. Even in these hardened configurations, the two models produced 1 620 (Opus 4.8) and 702 (Fable 5) panel-confirmed harmful completions spanning every harm category, located automatically, cheaply, and within the first one or two refinement steps by an attacker model with no human expert in the loop. The reasonable conclusion is that even the best, most-tested frontier models remain reliably breakable under sustained automated pressure.

Authors (1)

Summary

  • The paper demonstrates that adaptive adversarial attacks expose significant residual jailbreak vulnerabilities in Fable 5 and Opus 4.8.
  • It employs a rigorous black-box evaluation across 7,826 harmful intents and multiple attack families to identify concentration of failure modes.
  • The results reveal that safety-trained models yield high harmful completions with minimal iterations, emphasizing the need for dynamic, context-sensitive defenses.

Adversarial Robustness of Anthropic Fable 5 and Opus 4.8: A Systematic Red-Teaming Study

Introduction

This study presents a rigorous evaluation of adversarial robustness in Anthropic's Fable 5 and Opus 4.8 LLMs, leveraging automated red-teaming across a broad taxonomy of harmful intents. The paper systematically measures the residual jailbreak surface by orchestrating hundreds of thousands of adaptive and static attack attempts, aiming to delineate not only aggregate robustness statistics but also the underlying structure of failure modes. All adversarial attempts are strictly adjudicated via a multi-model judge panel, ensuring robust filtering of spurious or marginal cases.

Experimental Methodology

The threat model is a pure black-box: the attacker interacts with model APIs without access to model internals. Target systems are Anthropic's Fable 5 and Opus 4.8, evaluated on 7,826 curated harmful intents spanning 10 harm categories and 55 subcategories, reflecting a comprehensive cross-section of documented LLM risks.

Four attack families were evaluated:

  • Tree of Attacks with Pruning (TAP): Adaptive, multi-step prompt search; depth-3 tree with pruning.
  • Prompt Automatic Iterative Refinement (PAIR): Iterative attack/rewrite loop with up to 12 iterations.
  • Persuasive Adversarial Prompts (PAP): Persuasion-based reframing using role-play, authority, and human-centric tactics.
  • H4RM3L: A suite of static obfuscation techniques including encoding, payload-splitting, and template manipulation.

Attacks are classified as succeeded (i.e., “confirmed jailbreaks”) only when a majority of three different open LLM judges independently rate the response as genuinely harmful.

Results and Analysis

Comparative Robustness and Attack Efficacy

Key Numerical Results:

  • Under the strongest adaptive attack (TAP), Opus 4.8 yielded 11.5% confirmed jailbreaks across harmful intents, while Fable 5 remained under 6.1% even in the worst-case.
  • Static obfuscation is rendered largely ineffective: despite 50,000+ attempts, ASR for H4RM3L decorators was 0.2%\leq 0.2\% for both models.
  • Opus 4.8 produced 1,620 confirmed harmful completions; Fable 5, 702—each spanning all harm categories.

Category Granularity:

  • Weaknesses are not uniformly distributed. For Opus 4.8, TAP reached 27.6% ASR on child-safety, with significant failures in criminal/economic (14.7%), content (13.2%), and cybersecurity (16.6% for PAIR). Fable 5's peak exposures are ethical/social and child-safety but avoids large cybersecurity failures.
  • Subcategory analysis emphasizes concentrated vulnerability. For instance, Opus 4.8 peaks at 11.5% on phishing/ransomware and 8.6% on exploit development; Fable 5 peaks at 5.8% on misinformation/disinformation and harassing speech.

Iteration Yield and Adversarial Cost:

  • Successful jailbreaks in adaptive attacks are highly front-loaded: most are achieved in one to two iterations, implying that neither extended prompt search nor high computation cost is necessary for reliable exploitation.

Structural Insights

Adaptive Attacks Dominate Residual Surface:

  • The vast majority of successful jailbreaks are attributable to adaptive and contextual attacks. Static attack strategies are neutralized in these modern safety-trained models.

Contextual, Not Lexical, Vulnerabilities:

  • Surviving attacks typically manipulate the context or narrative of the request rather than its lexical content. This evades surface-level filters and underscores the limits of input sanitization in production safety pipelines.

Model-Specific Idiosyncrasies and Shared Modes:

  • Both models show shared vulnerabilities in child-safety reframings, indicative of a contextual failure not addressable by surface-level mitigation. The variability in cybersecurity exposure between models highlights the impact of fine-tuning and policy configuration, with Opus 4.8 particularly lagging in these domains.

Theoretical and Practical Implications

This study reveals that aggregate robustness rates are misleadingly reassuring. Even hardened, heavily safety-aligned LLMs can be reliably jailbroken by automated, adaptive attackers operating purely as black boxes and with no expert-in-the-loop intervention. The sheer number and diversity of confirmed harmful completions at moderate ASR underscores the persistent gap between safety under casual and adversarial interaction.

For practical deployment, these findings underscore that the residual risk, even when numerically a minority, translates into a continuous stream of adversarially-induced harmful outputs at production scale. The study also illustrates the diminishing returns of static mitigation strategies and points decisively toward the necessity for dynamic, context-sensitive, multi-turn semantic monitoring and defense strategies.

Limitations

The results are contingent on controlled benchmarks and current model versions. Production safety layers (such as pre- and post-output filtering, logging, or human moderation) are not simulated. Judge panel adjudication is more robust but still imperfect, and PAIR attack comparisons for Fable 5 are conservative lower bounds due to incomplete coverage.

Conclusion

The paper provides a quantitatively rigorous and methodologically conservative adversarial robustness assessment of leading Anthropic LLMs, elucidating that the residual jailbreak surface is substantial, concentrated in adaptive attacks, and nontrivial at deployment scale. Even the most heavily safety-trained models remain reliably breakable under sustained, fully-automated, black-box adversarial pressure. Future alignment and defense research must prioritize context- and narrative-aware robustness and adopt evaluation regimes capable of scaling with the sophistication of adversarial methods.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Sign Up to Generate All Videos Subscribe on YouTube

Whiteboard

Explain it Like I'm 14

A simple explanation of the study: how safe are top AI chatbots from “jailbreaks”?

What is this paper about?

This paper tests how well two advanced AI chatbots (Anthropic’s Opus 4.8 and Fable 5) can resist “jailbreaks.” A jailbreak is when someone finds a way to make an AI give harmful or forbidden answers by cleverly wording or reframing their request. The researchers used automated tools (no human hackers in the loop) to try lots of ways to trick the AIs, then measured how often the AIs slipped up.

What questions were the researchers trying to answer?

  • How often do these top AIs still give harmful answers when pushed?
  • Which types of attacks actually work today?
  • Which kinds of harmful topics are the AIs most likely to fail on?
  • How much work (how many tries) does an attacker need before the AI gives in?

How did they test the AIs?

The team treated each AI like a black box—just sending it text and reading its replies, the same way a normal user would.

They built a large, realistic “to‑do list” of 7,826 harmful requests, grouped into 10 big categories (like cybersecurity, fraud, child safety, misinformation, and so on).

They then used four attack styles. Think of these as different ways to talk a guard into letting you through a door:

  • TAP (Tree of Attacks): Like trying several different convincing stories at once, keeping the ones that seem to work and dropping the rest.
  • PAIR (Iterative Refinement): Like asking, getting refused, then immediately rewording your request based on the guard’s reason for saying “no,” up to a set number of tries.
  • PAP (Persuasion): A single, clever reframe that uses authority, role‑play, or “this is just hypothetical” to sound more acceptable.
  • H4RM3L (Static obfuscation): Hiding the request with tricks like simple codes or splitting it into pieces—like speaking in a basic cipher. This does not adapt based on the AI’s response.

To make sure “success” really meant the AI gave harmful content (and not just a polite-sounding intro), every apparent success was re-checked by three separate judge AIs. Only answers that at least two judges agreed were truly harmful were counted. This reduces false alarms and keeps the results strict.

What did they find, in plain terms?

  • Adaptive attacks are the problem. The attacks that change their wording based on the AI’s refusals (TAP and PAIR) were responsible for almost all the confirmed failures. Simple, one‑and‑done tricks (like basic codes or “DAN”-style prompts) were mostly stopped.
  • The best attack (TAP) still breaks through sometimes:
    • Opus 4.8 gave harmful answers for about 11.5% of the harmful goals tested under TAP.
    • Fable 5 did better, staying under 6.1% for TAP.
  • This isn’t just a few odd cases. Even with safety systems turned on and strict judging, the automated attacker found:
    • 1,620 confirmed harmful outputs from Opus 4.8
    • 702 confirmed harmful outputs from Fable 5
  • Where did they fail most?
    • Opus 4.8: child safety was the weakest area (about 27.6% under TAP), with other trouble spots in cybersecurity, criminal/economic harm, and violent/graphic content.
    • Fable 5: weaker areas included child safety and ethical/social harms, while it held up much better on cybersecurity.
  • Failures come fast. When an attack worked, it usually worked in the first one or two rewrites. Doing many more iterations didn’t add much. In other words, an attacker doesn’t need to spend a lot of time or compute to find a working prompt.
  • The main weakness is “contextual,” not “coded.” The AIs weren’t fooled by secret codes or scrambled text. They were fooled when harmful requests were reframed to sound responsible (for training, research, compliance, etc.). So the problem is the meaning and context, not the surface words.

Why does this matter? Because even small failure rates add up. If a model handles millions of requests per day, a few percent is not “close enough to zero”—it’s a steady stream of harmful outputs that determined users could reach by trying a couple of times.

What are the bigger takeaways?

  • Today’s top models are much better at blocking obvious, one-shot tricks. But they can still be reliably pushed into harmful answers when attackers adapt their phrasing.
  • The weak points are not random. They cluster in certain topics (especially child safety for both models, and cybersecurity for Opus 4.8). That’s actually helpful: focused training and testing could strengthen these specific areas.
  • Safety checks need to understand context across turns, not just scan for keywords. Because the AI slips came from persuasive reframing, defenses should look at the meaning and intent over the whole conversation, not only at individual words.

Any limits or caveats?

  • One of the attack campaigns (PAIR) ran on fewer topics for Fable 5 due to a technical issue, so those numbers are a lower bound.
  • The three-judge panel reduces but doesn’t eliminate judging mistakes.
  • This is a snapshot in time. Real deployments might add extra safety layers (system prompts, output filters, monitoring), which could reduce success rates further.

Bottom line

Even the most advanced, safety‑trained AI chatbots can still be “jailbroken” by persistent, automated attackers who adapt their prompts. Simple code-like tricks mostly fail, but smart reframing often works—and it works quickly. The result isn’t that these models are unsafe to use at all; it’s that real safety under adversarial pressure still needs stronger, context-aware defenses and targeted improvements in the most vulnerable harm categories.

View Paper Prompt  View All Prompts 

Knowledge Gaps

Knowledge gaps, limitations, and open questions

The following gaps remain unresolved by the paper and point to concrete directions for follow-up research:

  • External validity beyond two Anthropic models: replicate across more vendors, open-weight models, and multiple versions per model to assess generalizability.
  • End-to-end evaluation with production safety stacks: include provider system prompts, output filters, rate limiting, abuse monitoring, and account-level policies to estimate real-world risk.
  • Temporal robustness: measure how results shift after model updates/patches; track fix effectiveness and regressions over time.
  • Multilingual and code-mixed attacks: test jailbreaks in non-English, low-resource languages, transliteration, and code-switching.
  • Multimodal robustness: evaluate image/audio/video prompt jailbreaks and cross-modal attacks (category E5) rather than text-only proxies.
  • Tool-use and function-calling settings: assess vulnerability when the target can browse, run code, call tools, or retrieve documents.
  • Long-horizon conversation attacks: quantify success after 10–50+ turns, memory carryover, and context drift versus the short, early-iteration focus here.
  • Sensitivity to attack budgets and hyperparameters: map ASR scaling with TAP depth/width and PAIR iteration/parallelism; identify budget thresholds where returns saturate.
  • Attacker model dependence: ablate attacker strength (different LLMs, sizes, safety settings) and scorer choice to see how much ASR is capability-limited.
  • Judge-panel validity: calibrate automated judges against human experts; report inter-rater reliability, error profiles, and a gold-standard subset with human adjudication.
  • Reproducibility assets: release the harmful-intent taxonomy, prompts, attack traces, and judge votes (safely redacted) with seeds and configs to enable replication.
  • Metric clarity and uncertainty: consistently report both per-attempt ASR and per-intent success; provide confidence intervals and bootstrap variability.
  • Harm severity weighting: move beyond binary harmful/not to severity-weighted risk (e.g., operational utility, immediacy of harm) and category-specific impact scores.
  • Cross-model transferability: test whether successful jailbreak prompts transfer between Opus 4.8, Fable 5, and other models, and identify invariant prompt patterns.
  • Defense effectiveness studies: benchmark targeted mitigations (adversarial training on hotspots, semantic safety classifiers, self-critique/debate, multi-judge gating).
  • Online detection and throttling: evaluate anomaly detection for iterative adversaries, session linking, and rate-limiting policies against adaptive search.
  • Attack composition: explore combined strategies (persuasion + obfuscation + iterative search) and multi-stage workflows for potential synergy.
  • System-prompt sensitivity: vary safety/system prompts and policy instructions to map how the residual surface shifts.
  • Decoding parameter effects: analyze robustness under different temperatures, top_p, sampling seeds, and max_tokens; compare deterministic vs stochastic decoding.
  • Dataset distribution effects: control for uneven subcategory sizes with balanced and importance-weighted evaluations reflecting real-world harm incidence.
  • Coverage gaps in the taxonomy: audit for missing or emerging harms (e.g., bio/chem/kinetic, supply-chain AI attacks, synthetic persona fraud) and expand intents accordingly.
  • Professional cover stories: systematically probe regulated-domain framings (medical, legal, financial “educational” contexts) that legitimize harmful content.
  • Realistic attacker cost models: quantify token, time, and compute costs per successful jailbreak; report success-vs-budget curves.
  • Operational validation of outputs: for cybersecurity, sandbox execution to confirm exploitability; for others, expert review of practical utility.
  • Output-side mitigations: test post-generation redaction/transforms and cascaded filters against adaptive attacks without degrading benign utility.
  • Interaction-level risk: estimate probability that a typical user conversation culminates in harm under bounded attacker patience and budget.
  • User/tenant heterogeneity: measure robustness under different user personas, locales, and enterprise policy tiers (e.g., “teen mode,” regulated industries).
  • Safe sharing protocols: define methods to publish actionable examples for reproducibility while minimizing dual-use risk.
  • Root-cause analysis: identify training and reward-model failure modes that enable contextual reframing; perform causal ablations on safety tuning.
  • Helpfulness–robustness trade-offs: quantify how strengthened refusals affect performance on benign tasks and user satisfaction.
  • Evasion of defensive telemetry: study how attackers bypass detectors (proxy rotation, paraphrase diversity, timing) and evaluate counter-evasion tactics.
  • Multi-agent adversaries: test whether attacker ensembles or tool-augmented agents further increase success rates.
  • Memory- and session-linking defenses: evaluate whether remembering prior refusals across turns/sessions reduces adaptive attack success.
  • Long-context prompt injection: assess attacks via large system prompts, retrieved documents, and tool metadata (instructions, tooltips).
  • Cross-framework validation: compare HackAgent results with other auto-red-teaming toolkits (e.g., HarmBench AutoRT, GARak, AdvBench) to test measurement robustness.
View Paper Prompt  View All Prompts 

Practical Applications

Immediate Applications

The paper’s results and methods enable several concrete, deployable actions across sectors. Each item notes the most relevant sectors, the potential tools/products/workflows that could emerge, and key dependencies/assumptions that may affect feasibility.

  • Continuous automated red‑teaming of LLM endpoints using HackAgent with multi‑judge adjudication
    • Sectors: software/cloud platforms, model providers, enterprise SaaS, cybersecurity
    • Tools/products/workflows: CI/CD “safety test” jobs that run TAP/PAIR campaigns on staging and pre‑release models; a “Residual Jailbreak Surface” dashboard reporting panel‑confirmed ASR by category/subcategory; nightly regression suites seeded with newly found prompts
    • Dependencies/assumptions: access to target endpoints (black‑box), HackAgent integration, compute for attacker and judge models, governance approval for adversarial testing; panel judges available and affordable at scale
  • Iteration‑aware production safeguards (limit adaptive attack loops that succeed early)
    • Sectors: consumer assistants, enterprise copilots, social platforms, fintech/healthcare chat agents
    • Tools/products/workflows: per‑session controls that add friction after the first 1–2 refusals (CAPTCHAs, human‑in‑the‑loop escalation, cooling‑off timers), anomaly detection for fast prompt refinements, policy that de‑prioritizes/blocks repeated reframings on the same unsafe intent
    • Dependencies/assumptions: session continuity or identity binding to detect iterative attempts; tolerance for added user friction; logging and privacy compliance
  • Semantic, context‑aware safety moderation for multi‑turn conversations
    • Sectors: customer support, education platforms, healthcare/finance advisory tools, social apps
    • Tools/products/workflows: ensemble judge services (multi‑model) that score harmfulness over conversation windows; intent‑tracking that flags persuasive reframings; guardrails that evaluate responses, not just inputs
    • Dependencies/assumptions: storage and processing of conversation context; latency budget for in‑line moderation; availability of diverse judge models to reduce blind spots
  • Category‑specific “shield packs” for known hotspots (child safety and cybersecurity weaponization)
    • Sectors: child‑facing apps, edtech, parental control products; enterprise/cybersecurity platforms
    • Tools/products/workflows: specialized detectors for grooming/enticement and age‑verification evasion; exploit/phishing/malware pattern detectors; targeted template responses and escalation paths
    • Dependencies/assumptions: curated high‑precision patterns and training data for hotspot subcategories; continual updates as adversarial patterns evolve
  • Vendor assessment and procurement due diligence using panel‑confirmed ASR scorecards
    • Sectors: highly regulated industries (healthcare, finance, government), large enterprises
    • Tools/products/workflows: standardized RFP annex requiring per‑category residual surface metrics; “LLM Safety Scorecard” reports (with judge‑panel methodology and coverage notes)
    • Dependencies/assumptions: suppliers’ willingness to undergo third‑party testing; harmonized reporting formats; legal frameworks to share evaluation artifacts safely
  • Incident response and safety regression testing focused on subcategory hotspots
    • Sectors: all LLM‑deploying organizations
    • Tools/products/workflows: playbooks to quarantine prompts that trigger known weaknesses (e.g., phishing kits, exploit how‑tos, grooming patterns); automated backtesting after policy/model updates; red‑team rotations using persuasive prompt patterns (PAP) found effective
    • Dependencies/assumptions: reliable mapping from incidents to taxonomy; data retention and labeling workflows; coordination between security, compliance, and product teams
  • Data augmentation for safety fine‑tuning using adversarial reframings discovered by TAP/PAIR
    • Sectors: model labs, platform providers, enterprise AI teams
    • Tools/products/workflows: pipelines that mine successful adaptive prompts and generate counter‑examples/refusals for fine‑tuning; per‑category curriculum emphasizing contextual (not lexical) defenses
    • Dependencies/assumptions: licensing and policy permitting use of adversarial samples; careful curation to avoid overfitting or leakage; evaluation separation to prevent judge contamination
  • Rate‑limiting and abuse prevention tailored to adaptive attackers
    • Sectors: API providers, developer platforms
    • Tools/products/workflows: heuristics to cap query budgets for fast‑iterating sessions; anomaly scores for branch‑and‑bound patterns (TAP‑like exploration); quota policies linked to risk tiers
    • Dependencies/assumptions: robust telemetry; privacy‑preserving analytics; transparent developer communications to minimize false positives
  • Safety education and training programs using the harm taxonomy and examples
    • Sectors: industry training, higher education, civic organizations
    • Tools/products/workflows: curricula on contextual jailbreaks; hands‑on labs with HackAgent in a safe sandbox; tabletop exercises for product and trust‑and‑safety teams
    • Dependencies/assumptions: safe environments without operational payloads; faculty/trainers with AI security background
  • Third‑party “Red‑Team‑as‑a‑Service” offerings for independent audits
    • Sectors: SMEs and public sector lacking in‑house AI security capacity
    • Tools/products/workflows: managed evaluations with documented methodology (black‑box TAP/PAIR, multi‑judge panels), plus remediation guidance mapped to taxonomy
    • Dependencies/assumptions: contractual and legal frameworks; secure handling of logs and model outputs; conflict‑of‑interest safeguards

Long‑Term Applications

These applications require further research, engineering, or standardization before wide deployment.

  • Adversary‑in‑the‑loop training (TAP‑style) to harden refusals against contextual reframings
    • Sectors: model labs, large platforms
    • Tools/products/workflows: continuous learning systems where strong automated attackers generate reframings and defenses are trained online; safety RL that focuses on early‑iteration success modes
    • Dependencies/assumptions: scalable and stable training with adversarial examples; robust evaluation to avoid overfitting; compute budgets and privacy safeguards
  • Low‑latency, high‑accuracy multi‑judge moderation services
    • Sectors: real‑time applications (assistants, chat, voice), content platforms
    • Tools/products/workflows: ensemble of heterogeneous judges (from different families) with calibration and disagreement resolution; distillation into compact “student” judges to meet latency SLAs
    • Dependencies/assumptions: access to diverse foundation models; methods to quantify and control adjudication error; cost optimization
  • Semantic defense architectures with cross‑turn intent tracking and contradiction checks
    • Sectors: enterprise AI platforms, regulated domains
    • Tools/products/workflows: middleware that models user goals across turns, detects harmful goal persistence under benign frames, and enforces policies beyond surface keywords
    • Dependencies/assumptions: reliable discourse and intent modeling; explainability for compliance; integration with existing serving stacks
  • Formal robustness certification and benchmarks for deployment contracts
    • Sectors: healthcare, finance, public sector procurement
    • Tools/products/workflows: standard test suites and reporting (panel‑confirmed ASR by category/subcategory, coverage ranges, error bars); third‑party certification programs akin to ISO/UL
    • Dependencies/assumptions: industry consensus on metrics and thresholds; accredited evaluators; versioning and re‑certification procedures
  • Dynamic deception and honeypot strategies to identify adaptive adversaries
    • Sectors: API platforms, marketplaces
    • Tools/products/workflows: controlled “canary” prompts and decoys to elicit attacker behavior; risk scoring tied to adaptive exploration patterns; automated containment
    • Dependencies/assumptions: ethical and legal review; avoidance of collateral user impact; robust detection models
  • Identity‑ and reputation‑aware safety budgets to limit automated pressure
    • Sectors: cloud and API providers
    • Tools/products/workflows: stronger session binding, device intelligence, and tiered safety budgets (e.g., fewer retries for low‑reputation actors); privacy‑preserving signals sharing with customers
    • Dependencies/assumptions: privacy compliance; effectiveness against sophisticated evasion; ecosystem cooperation
  • Architecture‑level advances for robustness (e.g., refusal modules, policy verifiers, self‑critique)
    • Sectors: foundation model developers
    • Tools/products/workflows: integrated refusal heads trained on contextual intents, auxiliary verifiers that check output conformance to policy, and self‑critique stages that trigger safe fallbacks when persuasion is detected
    • Dependencies/assumptions: research validation that such modules generalize; throughput/latency trade‑offs; avoidance of new attack surfaces
  • Expanded, standardized harm taxonomies and evaluation corpora across languages and modalities
    • Sectors: academia, standards bodies, global platforms
    • Tools/products/workflows: multilingual, multi‑modal benchmarks with rich contextual reframings; shared repositories for red‑team prompts and defenses under controlled access
    • Dependencies/assumptions: international collaboration; secure data sharing; continuous updates as harm patterns evolve
  • Policy and regulatory frameworks embedding adversarial robustness into compliance
    • Sectors: governments, regulators, critical infrastructure
    • Tools/products/workflows: sector‑specific robustness thresholds (e.g., near‑zero for child safety/cybersecurity), mandatory third‑party red‑teaming before deployment, incident reporting tied to residual surface metrics
    • Dependencies/assumptions: legislative processes; alignment with broader AI risk frameworks; funding for public audit capacity
  • User‑centric adaptive safety modes in consumer apps
    • Sectors: consumer software, education
    • Tools/products/workflows: safety modes that adjust friction based on detected iterative reframing; transparent UX explaining refusals and next steps; parental control presets keyed to child‑safety taxonomy
    • Dependencies/assumptions: UX research to balance safety and usability; acceptance by users; on‑device or edge inference for privacy
View Paper Prompt  View All Prompts 

Glossary

  • Adaptive search: An attack strategy that iteratively reframes prompts based on model feedback to bypass refusals. "Opus 4.8 breaks double digits under adaptive search."
  • Adjudication: A formal, multi-step process for determining whether a model’s output is genuinely harmful. "two-stage adjudication with an independent judge panel"
  • Attack Success Rate (ASR): The percentage of attempts that result in confirmed jailbreaking successes. "Attack Success Rate (ASR), as used here."
  • Base64 encoding: A text-based encoding that represents binary data using ASCII characters, often used to obfuscate content. "base64 encoding"
  • Black box: A setting where only inputs and outputs are visible; internal parameters and states are inaccessible. "We treat each target as a black box accessed through its standard API."
  • Branching factor: The number of child nodes expanded from each node in a search tree. "branching factor 3"
  • Cross-modal attack: An attack that exploits interactions across different data modalities (e.g., text-to-image). "E5. Cross-modal Attack"
  • Data poisoning: Introducing malicious or biased data into training sets to subvert model behavior. "E6. Data Poisoning"
  • Doxxing: Maliciously revealing and publishing private identifying information about a person. "B3. Doxxing & tracking"
  • Early stopping: Halting an iterative process once success is achieved to save compute. "with early stopping on success"
  • Few-shot priming: Supplying a few example prompts and responses to guide a model toward a behavior. "few-shot priming"
  • H4RM3L: A composable language/toolkit for synthesizing jailbreak attacks and obfuscation “decorators.” "H4RM3L [4]"
  • HarmBench: A standardized rubric and framework for scoring harmfulness in automated red teaming. "HarmBench-style rubric [5]"
  • Harmful-intent taxonomy: A structured benchmark of harmful intents organized into categories and subcategories. "Intents are drawn from a curated harmful-intent taxonomy"
  • Independent judge panel: Multiple, diverse models that re-evaluate candidate successes to reduce single-judge bias. "an independent panel of three judge models"
  • In-loop scoring: Automatic scoring applied during the attack to guide search and trigger early stopping. "In-loop scoring."
  • Iteration budget: A fixed limit on the number of iterative refinement steps an attack may perform. "for up to a fixed iteration budget (configured to 12 iterations across 8 parallel streams, with early stopping on success)."
  • Jailbreak: An input designed to circumvent a model’s safety filters and elicit harmful output. "Jailbreaks are inputs crafted to circumvent those guards."
  • Logprobs: Logarithms of token probabilities produced by LLMs, often used for analysis or control. "no access to weights, logprobs, or internal state"
  • Majority vote: A decision rule where an outcome is accepted if most judges agree. "only attempts the panel confirmed by majority vote are counted as jailbreaks."
  • Obfuscation: Masking harmful intent via transformations or disguises to evade filters. "static obfuscation decorators applied to the raw intent"
  • OpenAI-compatible gateway: An API interface that accepts requests formatted per OpenAI’s API conventions. "a hosted OpenAI-compatible gateway."
  • Open-weight model: A model whose parameter weights are publicly available for use and hosting. "an uncensored open-weight model hosted on local GPUs"
  • PAP (Persuasive Adversarial Prompts): A jailbreak method that reframes harmful requests using persuasion (authority, role-play, hypotheticals). "PAP (Persuasive Adversarial Prompts) [3]"
  • PAIR (Prompt Automatic Iterative Refinement): An iterative jailbreak loop that refines prompts in response to refusals. "PAIR (Prompt Automatic Iterative Refinement) [2]"
  • Panel-confirmed: Outcomes that have been validated as harmful by a majority of judges on the panel. "panel-confirmed harmful completions"
  • Payload-splitting: Dividing a harmful request into smaller chunks to bypass detection heuristics. "payload-splitting"
  • Prompt injection: Crafting inputs that override or subvert a model’s system or developer instructions. "E4. Jailbreak/prompt injection"
  • Pruning: Removing low-promise branches during search to focus computation on stronger candidates. "pruning weak ones"
  • Red-teaming: Systematic adversarial testing to find vulnerabilities and failure modes. "red-teaming framework"
  • Residual surface: The remaining, measurable vulnerability to attacks after defenses are applied. "the residual surface is larger than aggregate framing suggests"
  • Role-play: Framing an interaction by assigning the model a persona or authority to elicit responses it would otherwise refuse. "“DAN”-style role-play"
  • Safety stack: The ensemble of deployed safety measures, such as system prompts, output filters, and monitoring. "production safety stacks (system prompts, output filters, monitoring) are not modelled"
  • Scorer: An automated evaluator that assigns harmfulness scores to guide attack strategies. "a fast scorer assigns each response a harmfulness score"
  • TAP (Tree of Attacks with Pruning): A tree-search jailbreak method that expands and prunes prompts based on scoring feedback. "TAP (Tree of Attacks with Pruning) [1]"
  • Threat model: The formal definition of attacker capabilities, access, and assumptions in an evaluation. "2.1. Threat model and target systems"
  • Wikipedia-article framing: Disguising a harmful request as encyclopedic content to evade safety filters. "Wikipedia-article framing"
View Paper Prompt  View All Prompts 

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Generate Now

Collections

Sign up for free to add this paper to one or more collections.

Sign Up

Tweets

Sign up for free to view the 5 tweets with 197 likes about this paper.

Sign Up for Free