AutoDAN: Automated LLM Jailbreaking

Updated 27 February 2026

The paper introduces AutoDAN, a framework that automates token-level adversarial attacks by maximizing conditional likelihood while minimizing prompt perplexity.
It employs reinforcement learning and hierarchical evolutionary algorithms to achieve high attack success rates, reaching up to 98.9% on state-of-the-art models.
The system features lifelong adaptive loops and ensemble methods, enabling robust red-teaming and transferability across various LLM platforms.

Automatic Jailbreaking of LLMs via AutoDAN comprises a family of frameworks and algorithms for the fully automated generation of adversarial prompts capable of bypassing sophisticated alignment guardrails, often at or near state-of-the-art attack success rates (ASR), even against recent frontier systems. These methods replace manual prompt engineering with reinforcement learning–like strategy exploration, adversarial optimization, and black-box/white-box evolutionary or gradient-based search. AutoDAN and its derivatives have become seminal tools for red-teaming, automated adversarial evaluation, and the study of LLM vulnerability surfaces.

1. Foundations and Dual-Objective Formulation

The original AutoDAN frameworks introduce an interpretable, token-level adversarial attack combining two critical objectives: maximizing the model’s conditional likelihood of generating a “jailbroken” or non-refusal response, and minimizing the perplexity of the adversarial prompt to ensure readability and stealthiness. For a prompt input sequence $t_1,\dots,t_m$ and target “affirmative” response $r_{m+1},\dots,r_{m+k}$ , the method maximizes

$P(r_{m+1},\dots,r_{m+k}\mid t_1,\dots,t_m) = \prod_{j=1}^{k} P(r_{m+j}\mid t_1,\dots,t_m,r_{m+1},\dots,r_{m+j-1}),$

while maintaining $\mathrm{PPL}(J)<\tau$ . In the gradient-based variant (Zhu et al., 2023), this objective is operationalized as

$L_{\text{total}}(x) = w_2 \cdot L_{\text{adv}}(x) + L_{\text{ppl}}(x),$

and tokens are selected in a left-to-right, greedy or beam-search fashion. The adversarial process converges efficiently due to the finite vocabulary and monotonic improvements per step.

Hierarchical genetic algorithms (AutoDAN-HGA) (Liu et al., 2023) expand on this by evolving a population of prompts, representing each individual as a hierarchy of sentences and words, using paragraph/sentence-level crossover and LLM-based mutation, and leveraging semantic fitness metrics rather than naive token overlap. These attacks are highly effective, surpassing both token-based attacks and manually authored prompts in ASR, stealth, and transferability.

2. Lifelong, Self-Exploratory and Strategy-Adaptive Loops

Recent frameworks exemplified by AutoDAN-Turbo (Liu et al., 2024) and AutoDAN-Reasoning (Liu et al., 6 Oct 2025) employ a closed-loop, lifelong strategy discovery architecture. The system consists of an Attacker LLM that proposes candidate prompts, a Target LLM that evaluates compliance, a Scorer LLM to provide normalized reward signals, and a Summarizer LLM to extract and encode successful “jailbreak strategies” into a continually expanding strategy library.

A critical advancement is the adaptive selection and recombination of these strategies via in-context retrieval (by response-embedding similarity), with each generation conditioned on the target model’s most recent refusal state. The library supports plug-and-play integration of human-designed strategies. Evaluation demonstrates that AutoDAN-Turbo achieves 88.5–93.4% ASR on strong GPT-4-1106-turbo models—an improvement of 74.3% on public benchmarks over the best prior automated systems. Once established, the strategy library provides high transfer and query-efficient red-teaming, needing only 2–6 queries per successful jailbreak.

Test-time scaling via Best-of-N sampling and compositional Beam Search, as in AutoDAN-Reasoning, further boosts ASR by leveraging cross-strategy synergy and stochasticity; beam methods yield up to +15.6 percentage points absolute gain and +60% relative improvement on robust targets such as GPT-o4-mini (Liu et al., 6 Oct 2025).

3. Adaptive and Ensemble Approaches

AutoDAN-style frameworks incorporate semantic model introspection to tailor adaptive attack strategies based on the target LLM’s comprehension capacity. In (Yu et al., 29 May 2025), an automated classifier scores the model’s semantic understanding via decryption and re-encryption proxy tasks. LLMs are classified as Type I or II according to $S(\mathrm{LLM})=\frac{1}{T} \sum_i 1\{\text{model succeeds on example } i\}$ , with threshold $\tau=0.5$ . Type I models are attacked with prompt mutation and single-layer encryption; Type II models are additionally forced to re-encrypt their answers, exploiting their deeper semantic capabilities. The resulting framework demonstrates ASR up to 98.9% on GPT-4o and outperforming CodeChameleon, FlipAttack, IRIS, and others across multiple benchmarks.

Ensemble techniques, as in AutoJailbreak (Lu et al., 2024), organize all subcomponents (mutation, selection, semantic scoring, CoT advice, etc.) into a directed acyclic graph, constructing optimal paths through the attack surface (e.g., combining AutoDAN-GA, GPTFuzzer, Semantic Mirror Jailbreak, PAIR, TAP). This design achieves up to 91.7% JR (Jailbreak Rate) on GPT-3.5 and +50 pp gains on GPT-4 over best single-lineage attacks.

ForgeDAN (Cheng et al., 17 Nov 2025) and Semantic Mirror Jailbreak (SMJ) (Li et al., 2024) advance AutoDAN methodologies through multi-level mutation and semantic-aware fitness. ForgeDAN introduces 11 mutation operators spanning character, word, and sentence transformations. Fitness is computed via embedding-based similarity (e.g., RoBERTa cosine distance) between the generated response and a harmful reference, rather than shallow token overlap, and success is adjudicated with dual LLM classifiers: one for behavioral compliance, one for explicit harmfulness.

SMJ further constrains evolution to maximize semantic similarity to the original harmful query, using sentence-BERT for S(Q,P) and outlier-token detection (ONION). This results in ASR improvements up to +35.4% (no ONION), +85.2% (with ONION) over earlier approaches, and resistance to similarity- and outlier-based defenses. ForgeDAN consistently outperforms AutoDAN-HGA, PAIR, GCG, and manual prompts in both benchmark and real-world settings, achieving 98–100% ASR on some targets.

5. Universal Multi-Prompts and Defensive Counterpart

The universal multi-prompt paradigm (JUMP) (Hsu et al., 3 Feb 2025) generalizes beyond per-query prompts: a small pool of suffixes Q is optimized via multitask beam search to maximize ASR across a large set of malicious tasks, formalized as minimizing averaged loss

$\min_Q \frac{1}{N} \sum_{i=1}^N \min_{q\in Q} \mathcal{L}_\pi(x_i \Vert q, y_i).$

Empirically, JUMP++ surpasses AutoDAN and GPTFuzzer in ASR and stealth when attacking black-box GPT-3.5/4/4o APIs, achieving 91.3%/48.1%/75.0% ASR@10, with robust PPL filtering.

JUMP incorporates a defense variant, DUMP, finding a defensive set of prefixes D such that, when prepended to adversarial suffixes, induce refusals with minimal loss; this reduces ASR by 12–20% over unprotected systems.

6. Multi-Turn, Adaptive, and Calibration-based Attacks

AutoAdv (Reddy et al., 4 Nov 2025) extends the single-turn paradigm to multi-turn, interactive settings. Its pipeline integrates a dynamic Pattern Manager (tracking successful jailbreak techniques), a Temperature Manager for adaptive sampling, and a two-phase rewriting stratagem (initial camouflage plus iterative refinement). This multi-turn approach increases ASR by 24 pp on Llama-3.1-8B (from 71% to 95%) and generalizes across GPT-4o-mini, Qwen3-235B, and Mistral-7B.

Recent calibration-based attacks (Lu et al., 31 Jan 2026) supplement prompt manipulation with inference-time logit arithmetic—leveraging the discrepancy between aligned and pre-alignment distributions. Using helper, predictor, and target models, an optimal aggregation recovers the pre-alignment distribution via a minimax "gradient shift" rule in the dual space of a proper loss (e.g., cross-entropy). This framework generalizes Weak-to-Strong, logit-mult, and proposes a hybrid estimator that achieves maximal ASR and near-zero Jailbreak Tax on benchmarks and utility tasks under strict alignment settings.

7. Limitations, Defenses, and Future Directions

Limitations of AutoDAN-style attacks include dependence on the LLM’s ability to process code-like decryption (for adaptive attacks), computational overhead of exploration and evaluation, and diminishing transferability to heavily fortified, defense-layered APIs. Common defenses—perplexity filters, keyword-matching, or static prompt-based containment—are largely ineffective due to the semantic fluency of evolved prompts. Stronger countermeasures include semantic filtering, dynamic anomaly detection, continual adversarial alignment (incorporating attacks into SFT/RLHF), and mixture-of-defenders frameworks combining pre- and post-generation screening.

Ongoing and future research directions include co-evolutionary attack–defense loops, plug-in optimization with reinforcement or bandit adaptation, extension to multimodal models, adversarial chain-of-thought scripting, and fast randomized beam or search hybrids that maximize both ASR and stealth under limited compute.

Table: Key Algorithms and Their Characteristics

Algorithm/Framework	Core Mechanism	Notable Performance
AutoDAN (Gradient-based)	Dual-objective, token-level	100% ASR, PPL ∼12 (Vicuna-7B, (Zhu et al., 2023))
AutoDAN-HGA	Hierarchical GA, semantic	0.98 ASR vs baseline, robust to PPL filtering
AutoDAN-Turbo	Lifelong RL, strategy lib	93.4% ASR (GPT-4-1106-turbo, (Liu et al., 2024))
AutoDAN (Adaptive)	Model-classification, encryption	98.9% ASR (GPT-4o, (Yu et al., 29 May 2025))
ForgeDAN	Multi-level mutators, LLM judging	98.3% ASR (Gemma-2-9B, (Cheng et al., 17 Nov 2025))
Semantic Mirror JB (SMJ)	GA+Semantic similarity	100% ASR (Guanaco-7B) under ONION defense
JUMP (Multi-prompt)	Batched multi-task opt	91.3% (GPT-3.5-turbo, ASR@10, (Hsu et al., 3 Feb 2025))
AutoAdv	Multi-turn, adaptive mgrs	95% ASR, multi-turn, strong transfer
Calibration (logit-arith)	Gradient-shift/inference	Hybrid rule: 100% util, max ASR (Lu et al., 31 Jan 2026)

AutoDAN and its descendents are now central tools for adversarial LLM evaluation, driving both red-team automation and the design of future LLM alignment defenses.