Papers
Topics
Authors
Recent
Search
2000 character limit reached

OTTER: A Red-Teaming System for Toxicity-Evading Jailbreak Prompt Optimization

Published 19 Jun 2026 in cs.CR and cs.CL | (2606.21077v1)

Abstract: Production LLMs increasingly rely on toxicity-based moderation filters as a primary defense, assuming that harmful intent correlates with toxic surface wording. We show this assumption is fundamentally brittle: surface toxicity and adversarial intent can be decoupled by replacing as few as five tokens. We present OTTER (Obfuscated Toxicity-Evading Token Evolution for Rewriting), a black-box red-teaming framework requiring only standard API access, directly targeting the practical constraints of industry security audits. Evaluated on 457 AdvBench prompts across four GPT models, OTTER raises average ASR from 7.0% to 84.0%. We further provide the first quantitative analysis of the toxicity--bypass relationship and a per-category breakdown, translating our findings into actionable recommendations for classifier hardening in production deployments.

Summary

  • The paper presents OTTER, a system that optimizes prompt rewrites via token obfuscation to reduce toxicity scores.
  • It employs mask-drop attribution, BERT-based candidate generation, and a greedy search to maintain semantic similarity with minimal edits.
  • Empirical results across various GPT models show bypass rates up to 84%, highlighting critical vulnerabilities in current toxicity moderation systems.

Authoritative Analysis of "OTTER: A Red-Teaming System for Toxicity-Evading Jailbreak Prompt Optimization" (2606.21077)

Motivation and Context

Production-grade LLMs heavily rely on surface-level toxicity moderation classifiers for input filtering, operating under the presumption that harmful intent cannot be separated from toxic linguistic cues. However, this paper systematically demonstrates that such classifiers exhibit a structural vulnerability: they can be effectively bypassed by minimally obfuscating adversarial prompts, decoupling toxicity from intent through low-cost token substitutions. This exposes a critical pathway for circumventing safety mechanisms using only the access privileges of standard API users—removing the necessity for model internals or auxiliary attacker LLMs.

System Design and Methodology

OTTER (Obfuscated Toxicity-Evading Token Evolution for Rewriting) formalizes jailbreak red-teaming as a black-box constrained optimization problem. The objective is to generate prompt rewrites that reduce the toxicity score below the moderation threshold while preserving semantic similarity and adversarial intent.

The methodology centers on three steps:

  1. Token Attribution via Mask-Drop: Uses mask-drop attribution with the moderation API to identify tokens most responsible for the toxicity signal—calculated as Ai=T(p)−T(pmask)A_i = T(p) - T(p_{\text{mask}}), prioritizing high-contribution tokens for rewriting.
  2. Candidate Generation Strategies: Two variants—
    • OTTER-MLM: Employs BERT in fill-mask mode to obtain plausible, context-preserving substitutions that maintain semantic coherence.
    • OTTER-RV: Selects from a larger filtered BERT vocabulary for aggressive toxicity reduction at higher API cost.
  3. Greedy Search: Iteratively substitutes selected tokens with candidates minimizing a loss function balancing toxicity reduction and semantic drift, enforced via a cosine similarity constraint.

The system operates entirely with RESTful access to moderation and chat APIs, supporting practical industry audit workflows and CI/CD integration.

Empirical Evaluation

OTTER is comprehensively evaluated on AdvBench prompts across four GPT models (gpt-4-turbo, gpt-4o, gpt-4o-mini, gpt-3.5-turbo), establishing the applicability to widely deployed closed-source LLMs. Attack success rate (ASR; non-refusal responses) serves as the principal metric.

Key Numerical Results:

  • ASR Baseline: Direct prompt submits yield a 7.0% ASR.
  • OTTER-MLM: Achieves 75.6% ASR with an average of five token edits.
  • OTTER-RV: Obtains 84.0% ASR at increased API call volume.
  • Logistic Regression: Demonstrates BTC=0.505BTC = 0.505 (p-value =6.68×10−31= 6.68\times 10^{-31}), AUC = 0.823, confirming that toxicity score is a robust proxy for bypass probability.
  • Category Analysis: Self-harm (96.0% ASR), hate speech (95.0%), and fraud (80.2%) are most vulnerable, whereas cybercrime/hacking exhibits lower bypass rates (73.7% ASR) due to less reliance on high-toxicity keywords.
  • Semantic Constraint: Rewrites maintain a cosine similarity threshold (δ=0.7\delta = 0.7), ensuring adversarial intent preservation.

Qualitative Evidence: OTTER rewrites successfully bypass moderation, prompting the model to generate detailed responses to reformulated harmful queries, with zero false positives for benign inputs.

Implications for Moderation and Safety

The study reveals several actionable vulnerabilities in current toxicity-based moderation pipelines:

  1. Lexical Vulnerability: Superficial modifications suffice for effective moderation evasion, necessitating intent-aware classifiers and training augmentation with OTTER-generated hard negatives.
  2. Model Independence: Safety does not correlate with model capability; stronger LLMs do not automatically yield safer refusal behaviors when confronted with obfuscated prompts.
  3. Risk Stratification: Harm categories that depend on few toxic keywords are disproportionately susceptible; moderation priorities should be guided by category-specific breakdowns.
  4. Automation and Auditability: OTTER supports scalable, closed-loop red-teaming, suitable for integration into CI/CD safety pipelines, providing extensive audit and classifier-hardening datasets.

Theoretical and Practical Impact, Limitations, and Future Directions

OTTER establishes a diagnostic framework for quantitatively characterizing the toxicity-bypass relationship in industrial LLM deployments, informing the limits of surface-level moderation. It foregrounds the necessity for classifier architectures that incorporate both surface and semantic signals, and for continuous adversarial data augmentation with intent-preserving, low-toxicity paraphrases.

The study is limited to English-language prompts and general-purpose domains. The efficacy across multilingual, domain-specific (medical, legal), and discourse-level adversarial prompts remains undetermined. The bypass metric uses keyword-based refusal detection, possibly underestimating true ASR; future work should employ LLM-based adjudication.

Conclusion

OTTER demonstrates that toxicity-based moderation in LLMs can be reliably circumvented through minimal, targeted token substitutions, with five edits raising bypass rates tenfold across all tested GPT variants using only standard API access. The work delivers a quantitative and category-resolved analysis of moderation system weaknesses and generates practical defense recommendations: classifier augmentation with hard negatives, risk-stratified moderation prioritization, and integration into automated safety pipelines. As moderation classifiers evolve, the architectural vulnerabilities revealed here persist unless addressed by fundamentally intent-aware defensive mechanisms.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.