Giskard: Multi-Domain Technical Systems
- Giskard is a term denoting distinct systems across LLM vulnerability scanning, robot-agnostic kinematic control, blockchain consensus, and decentralized aggregation.
- Each system modularly decomposes complex tasks—using attacker–evaluator pairs, Motion Statecharts, quorum-based messaging, or committee-based MPC—to meet specific technical and security guarantees.
- Despite sharing a name, these systems operate under different assumptions and metrics, necessitating careful disambiguation when applying them in academic research.
Searching arXiv for the cited Giskard works to ground the article in the current literature. In the arXiv literature, Giskard denotes several technically distinct systems rather than a single unified research artifact: an open-source scanner for conversational LLM vulnerabilities (Brokman et al., 2024), a framework for robot-agnostic kinematic control that addresses the Motion Execution Gap (Stelter et al., 12 May 2026), a Byzantine fault tolerant consensus protocol used in the PlatON network (Li et al., 2020), and a protocol for confidential and Byzantine-robust decentralized aggregation in large-scale learning (Touat et al., 17 Jun 2026). The shared name masks substantial differences in objective, abstraction level, adversarial model, and formal guarantees.
1. Disambiguation across research domains
The term appears in four separate technical contexts represented in the current literature.
| Domain | Giskard denotes | Source |
|---|---|---|
| LLM security | An open-source LLM vulnerability scanner | (Brokman et al., 2024) |
| Robotics | A framework for robot-agnostic kinematic control | (Stelter et al., 12 May 2026) |
| Blockchain consensus | The BFT consensus protocol used in the PlatON network | (Li et al., 2020) |
| Decentralized learning | A confidential and Byzantine-robust aggregation protocol | (Touat et al., 17 Jun 2026) |
The four usages are not interchangeable. One concerns red-teaming of conversational models, one concerns motion execution from semantic constraints, one concerns agreement on blockchain state, and one concerns privacy-preserving robust aggregation. This suggests that “Giskard” functions in the literature as a recurring project name rather than a single research lineage.
2. Giskard as an LLM vulnerability scanner
In the comparative study of open-source scanners for conversational LLMs, Giskard is one of four “leading, actively maintained” tools evaluated alongside Garak, PyRIT, and CyberSecEval. It is positioned at the LLM-based, highly configurable end of the scanner design spectrum, with a design philosophy that uses LLMs not just as targets, but also as tools to generate tailored adversarial prompts and to judge model responses, guided by explicit safety requirements (Brokman et al., 2024).
Architecturally, Giskard follows an attacker–evaluator pattern in which a test suite is composed of multiple attack–evaluation pairs. Its most distinctive mechanism is a dual-context mechanism. Users provide a free-text model description context, and Giskard then uses a dedicated requirements LLM either to generate a list of safety requirements tailored to that description or to integrate user-provided requirements. These requirements are reused both in prompt generation and in evaluation. As described in the study, this leads to three possible LLM usages per attack type: 0 LLMs for fully static tests, 2 LLMs for standard LLM-based attacks, and 3 LLMs for requirements-based attacks.
The evaluated attack coverage spans Jailbreak and Context & Continuation (C&C) categories. Reported detector classes include LLMPromptInjectionDetector, LLMCharsInjectionDetector, LLMBasicSycophancyDetector, LLMImplausibleOutputDetector, LLMHarmfulContentDetector, LLMStereotypesDetector, LLMInformationDisclosureDetector, and LLMOutputFormattingDetector. The study characterizes Giskard as a general-purpose scanner whose suite covers harmful content, stereotypes, information disclosure, hallucination-like implausible outputs, prompt injection, formatting issues, and basic sycophancy, while noting that gradient-based attacks and code-generation security are not covered in that evaluation. Additional features highlighted in the paper include non-English support, evaluator explanations in natural language, guardrails integration, and HTML reports summarizing attack success rates, grouped failures, prompts, responses, and evaluator explanations.
The quantitative evaluation used LLaMA 3 (8B), Cohere Command-R, Mistral Small, and OpenAI GPT-4o. For the Jailbreak category, based on 90 prompts, Giskard reported ASR values of 56.66% on Command-R, 10.0% on LLaMA 3 8B, 17.78% on Mistral Small, and 7.78% on GPT-4o, with MOE values of 11.1%, 12.62%, 7.2%, and 3.1% respectively. For C&C, based on 100 prompts, it reported ASR values of 40.0% on Command-R, 20.0% on LLaMA 3 8B, 16.0% on Mistral Small, and 26.0% on GPT-4o, with MOE values of 9.1%, 15.6%, 0.2%, and 11.2%. The study explicitly states that “the LLM-based evaluators of Giskard and PyRIT offer the highest reliability.”
The same paper also identifies failure modes. In one example, a DAN-style jailbreak was misclassified because evaluator logic treated the presence of the word “unethical” as a refusal. In another, the requirements-generation LLM introduced an extra requirement concerning a reporting mechanism, causing a safe refusal to be labeled invalid. The paper therefore presents Giskard as strong in evaluator reliability and customization, but still subject to brittle heuristic behavior, over-constrained requirements generation, smaller out-of-the-box coverage than Garak or CyberSecEval, and the complexities of multi-LLM evaluation pipelines.
3. Giskard as a robot-agnostic kinematic control framework
In robotics, Giskard is a framework intended to close what the authors call the Motion Execution Gap, defined as the disconnect between high-level symbolic motion descriptions expressed as semantic constraints and the low-level continuous robot motions that execute those constraints safely and smoothly. The framework combines Motion Statecharts (MSCs), a unified differentiable kinematic world model, and a linear Model Predictive Control (lMPC) implementation of the task function approach, with explicit jerk bounds to guarantee smooth motion even when tasks switch online (Stelter et al., 12 May 2026).
The representation layer is centered on Motion Statecharts, specialized statecharts for composing and executing complex motions. Each MSC node may carry task functions, in which case it is a Motion Task, or it may purely observe conditions, in which case it is a Monitor. Nodes can be arranged in sequence or parallel and may contain nested MSCs. Formally, each node contains two internal finite state machines: an Observation FSM with values and a Life-cycle FSM with states $\{\taskInactive{}, \taskActive{}, \taskOnHold{}, \taskDone{}\}$. Conditions are ternary logical combinations of observation states, and callbacks such as on_tick can update observations at control frequency. The full MSC supports terminal states EndMotion and CancelMotion, both of which terminate the control loop and stop the robot.
The task specification layer is semantic and world-centric. Motions are expressed through differentiable task spaces and scalar task functions over symbolic world state variables . Equality and inequality tasks take the forms $\taskFEqP = \bE$ and $\lbASlack \leq \taskFNeqP \leq \ubASlack$. The paper’s examples include representing a 6D Cartesian end-effector goal as six equality tasks and grasping a handle by defining the distance between a gripper reference point and a line representing the handle, then setting that distance to zero. These tasks are semantic because they refer to named entities and relations rather than raw joint values.
The world model jointly represents robots and articulated environments as a single kinematic tree with links , joints , and symbols . Joint transforms are symbolic CasADi expressions in , enabling automatic differentiation, forward kinematics between arbitrary links, and Jacobians for arbitrary task functions. A central consequence is that environment DOFs can be modeled as controllable in the kinematic sense, which allows tasks such as opening a fridge door to be expressed through hinge angle equality constraints together with gripper constraints on the handle.
Execution is realized through a jerk-bounded lMPC formulation. The QP minimizes weighted joint velocities and slack variables subject to velocity bounds, jerk bounds, system model constraints derived from semi-implicit Euler integration, terminal zero velocity, and linearized equality and inequality task-function constraints. The authors emphasize that all task functions appear once as a scalar constraint in the QP, which they identify as critical for scalability. They further state that jerk itself is not directly penalized in the cost, because adding such a term can destabilize by making “coasting” cheaper than braking.
The framework was demonstrated on eight real robot platforms with diverse embodiments, including PR2, TIAGo, Toyota HSR, Stretch2, dual UR10, and a 5-fingered hand setup. The paper states that MSC descriptions and task functions themselves are robot-agnostic, while the world model and symbolic-to-kinematic mappings change across platforms. In simulation, identical parameters and $\{\taskInactive{}, \taskActive{}, \taskOnHold{}, \taskDone{}\}$0 were used for all setups. Implementation is integrated with ROS and CRAM, and the QP solver is qpSWIFT at 100 Hz. The stated limitations are equally explicit: the controller is purely kinematic, does not model dynamics, has no native force control or torque-based tasks, focuses on motion execution rather than planning, and assumes reasonably accurate kinematic models.
4. Giskard as a Byzantine fault tolerant consensus protocol
In the blockchain literature, Giskard is the Byzantine fault tolerant consensus protocol used in the PlatON network to agree on which blocks of transactions and computations become part of the blockchain. The specification paper presents it as a rigorously defined protocol intended to serve as a reference for implementation and formal verification, with a primary emphasis on safety rather than liveness (Li et al., 2020).
The protocol operates over a finite set of participating nodes $\{\taskInactive{}, \taskActive{}, \taskOnHold{}, \taskDone{}\}$1 under a partially synchronous mesh network model. It assumes $\{\taskInactive{}, \taskActive{}, \taskOnHold{}, \taskDone{}\}$2 and tolerates up to $\{\taskInactive{}, \taskActive{}, \taskOnHold{}, \taskDone{}\}$3 Byzantine nodes, so quorum size is at least $\{\taskInactive{}, \taskActive{}, \taskOnHold{}, \taskDone{}\}$4. Time is organized into epochs and views. For each epoch, a committee $\{\taskInactive{}, \taskActive{}, \taskOnHold{}, \taskDone{}\}$5 of $\{\taskInactive{}, \taskActive{}, \taskOnHold{}, \taskDone{}\}$6 nodes is selected, and within an epoch the nodes rotate as proposers according to $\{\taskInactive{}, \taskActive{}, \taskOnHold{}, \taskDone{}\}$7. Each view may propose up to 10 blocks.
The protocol defines five consensus message types: PrepareBlock, PrepareVote, PrepareQC, ViewChange, and ViewChangeQC. These messages may carry quorum certificates for parents or previous views. A distinctive feature is that PrepareBlock, PrepareVote, and ViewChange messages can carry QCs, allowing nodes to derive sufficient evidence for voting by processing received messages rather than by requiring a strict linear sequence of earlier communications.
Safety is expressed through three block stages. A block is in Prepare at node $\{\taskInactive{}, \taskActive{}, \taskOnHold{}, \taskDone{}\}$8 if it is in PrepareinView in some view, where PrepareinView holds if the node has at least a $\{\taskInactive{}, \taskActive{}, \taskOnHold{}, \taskDone{}\}$9 quorum of PrepareVote messages for the block in that view or has a corresponding PrepareQC. A block is in Precommit if it is in Prepare and has a child that is also in Prepare. A block is in Commit if it is in Precommit and has a child that is itself in Precommit. This yields the familiar “three-deep” confirmation structure.
The formal contribution of the paper is a distributed state-machine specification and a series of safety theorems. Theorem 1 establishes Prepare-in-view safety: if two blocks of the same height are in PrepareinView in the same view, they must be equal. Theorem 2 establishes Precommit safety: if two blocks of the same height are in Precommit, they must be equal. Theorem 3 establishes Commit safety by reduction to Precommit safety. The paper’s headline interpretation is that no two honest nodes commit conflicting chains under the stated fault assumptions.
View changes are handled either normally, when the last block in a view reaches Prepare, or abnormally after a timeout. In the latter case, nodes send ViewChange messages describing their local highest Prepare block, and once a quorum is reached a ViewChangeQC identifies the max-height block to carry into the next view. The protocol is therefore pipelined, leader-based, and QC-driven, with deterministic proposer rotation and local epoch/view advancement.
The paper explicitly limits its claims. It does not provide a formal proof of liveness or termination under partial synchrony, does not analyze throughput or latency, assumes synchronized clocks for timeouts, and leaves validator-set dynamics and stake management outside scope. Its principal contribution is a precise protocol specification and accompanying safety proofs suitable for future mechanized verification.
5. Giskard as a protocol for confidential and Byzantine-robust decentralized aggregation
In decentralized learning, Giskard is a protocol for aggregation that is simultaneously confidential, Byzantine-robust, and designed to scale to very large networks. The protocol computes a coordinate-wise approximate median by organizing 0 parties into a tree of committees of size 1 and evaluating a committee-adapted distributed binary search over the value domain, using BGW-style MPC within each committee (Touat et al., 17 Jun 2026).
The motivating problem is the tension between confidentiality and robustness. Robust aggregation rules such as medians require inspection of individual updates, while confidentiality mechanisms hide those updates. Giskard addresses this by replacing secure sorting with repeated secure counting. For a pivot 2, the required quantity is the count
3
Each party computes local comparison bits for a coordinate and a pivot, secret-shares those bits to its base committee, and committees aggregate counts up a tree.
Committee formation is randomized. A scalable Byzantine Agreement or common-reference-string protocol generates a random seed, from which permutations and committee assignments are derived. The paper states that if the global adversary corrupts at most 4 parties, then with probability 5 every committee of size
6
has fewer than 7 corrupted members. Each party belongs to at most one committee per level and therefore to at most 8 committees in total.
At each binary-search iteration and coordinate, a leaf computes
9
shares it using BGW VSS-SHARE, and the committee checks that the shared value is a bit by reconstructing $\taskFEqP = \bE$0. Invalid values are replaced with a share of $\taskFEqP = \bE$1. Base committees sum validated bits into partial counts, and the RESHARE procedure passes fresh Shamir sharings of these counts to parent committees. The root committee reconstructs the global count, updates the left and right bounds, and broadcasts the next pivot. After
$\taskFEqP = \bE$2
iterations, the midpoint of the remaining interval is returned as the approximate median.
The main theoretical guarantees are both cryptographic and statistical. Security is proved in the Universal Composability framework, and the full protocol is shown to UC-realize a secure coordinate-wise median functionality in the hybrid model. The stated leakage is limited to the final approximate median and the global counts used during binary search. For Byzantine robustness, the paper assumes a static computationally bounded adversary corrupting $\taskFEqP = \bE$3 parties in a synchronous network with authenticated channels and a PKI. Under that condition, the output for each coordinate lies between two order statistics of the honest values up to an additive $\taskFEqP = \bE$4 term, and the resulting aggregation rule is proved $\taskFEqP = \bE$5-robust with
$\taskFEqP = \bE$6
The scalability claim is central. Theorem 6 gives per-party effective communication complexity
$\taskFEqP = \bE$7
and total network complexity
$\taskFEqP = \bE$8
The paper contrasts this with all-to-all MPC and all-to-committee designs, arguing that Giskard reduces worst-case per-party cost from $\taskFEqP = \bE$9 or $\lbASlack \leq \taskFNeqP \leq \ubASlack$0 to polylogarithmic in $\lbASlack \leq \taskFNeqP \leq \ubASlack$1.
The implementation is in Rust using arkworks, and the experiments include networks from $\lbASlack \leq \taskFNeqP \leq \ubASlack$2 to $\lbASlack \leq \taskFNeqP \leq \ubASlack$3 parties, Byzantine fractions of $\lbASlack \leq \taskFNeqP \leq \ubASlack$4, $\lbASlack \leq \taskFNeqP \leq \ubASlack$5, and $\lbASlack \leq \taskFNeqP \leq \ubASlack$6, and utility experiments on MNIST and CIFAR-10 with $\lbASlack \leq \taskFNeqP \leq \ubASlack$7 and $\lbASlack \leq \taskFNeqP \leq \ubASlack$8 Byzantine parties. Reported findings include a worst-case per-party bandwidth reduction of up to ~1775× relative to an all-to-committee baseline at $\lbASlack \leq \taskFNeqP \leq \ubASlack$9, 0, and test-accuracy gaps relative to cleartext median or trimmed mean that are reported as <0.4% on MNIST and usually <1.5% on CIFAR-10, with stronger attacks sometimes reaching ~2.7%. The stated limitations include synchronous-network assumptions, a static adversary, the bound 1, significant absolute communication overhead, and evaluation on relatively simple learning tasks.
6. Comparative themes, recurring design patterns, and interpretive cautions
Despite the shared name, the four systems instantiate different notions of correctness and failure. The LLM scanner evaluates adversarial prompt success and evaluator reliability through metrics such as ASR and MOE. The robotics framework aims at executable symbolic motion with smooth online task switching through Motion Statecharts, a differentiable world model, and jerk-bounded lMPC. The blockchain protocol formalizes safety through Prepare, Precommit, and Commit predicates under partial synchrony. The decentralized-learning protocol combines UC security, Byzantine robustness, and polylogarithmic per-party communication through committee-based MPC (Brokman et al., 2024, Stelter et al., 12 May 2026, Li et al., 2020, Touat et al., 17 Jun 2026).
A common structural motif is the decomposition of a difficult global objective into smaller, verifiable subproblems. In the scanner, attacks and evaluations are organized as attacker–evaluator pairs, sometimes with an additional requirements generator. In robotics, task execution is decomposed into MSC nodes with dual FSMs and local task functions. In consensus, protocol progress is decomposed into typed messages, quorums, and stage predicates. In decentralized learning, median computation is decomposed into committee-local secure counts and resharing across a tree. This suggests a family resemblance at the level of systems design—modularity, explicit state transitions, and layered verification—even though the application domains are disjoint.
Interpretive caution is therefore necessary. Results for one Giskard system do not transfer to another. A statement such as “Giskard has high evaluator reliability” applies only to the LLM scanner in the 2024 comparative study. “Giskard guarantees no two honest nodes commit conflicting chains” applies only to the PlatON consensus protocol. “Giskard is robot-agnostic” refers to the kinematic control framework. “Giskard tolerates up to 2 Byzantine parties” refers to the decentralized aggregation protocol rather than the blockchain protocol, which instead assumes 3. The most accurate encyclopedic treatment is therefore disambiguating: Giskard is a recurrent name attached to several independent technical systems, each defined by its own formal model, implementation assumptions, and evaluation methodology.