Papers
Topics
Authors
Recent
Search
2000 character limit reached

GuardVal: Dynamic Jailbreak Evaluation

Updated 6 July 2026
  • GuardVal is a dynamic jailbreak evaluation protocol that adapts adversarial prompts based on the defender model’s behavior to reveal hidden vulnerabilities.
  • It employs a closed-loop architecture with four roles—Translator, Generator, Evaluator, and Optimizer—to iteratively refine malicious prompts and assess safety.
  • The protocol introduces metrics such as pairwise round-to-jailbreak measures and Overall Safety Value (OSV) for comparative and domain-specific safety evaluations.

GuardVal is a dynamic jailbreak evaluation protocol for comprehensive safety testing of LLMs. It was introduced to address the limits of static and template-driven safety benchmarks by generating and refining jailbreak prompts in a closed loop, conditioned on the observed behavior of the defender model under test. The protocol treats jailbreak evaluation as an adaptive interaction between an attacker LLM and a defender LLM, uses only black-box inputs and outputs, and emphasizes three desiderata: uncontaminated datasets, evolving attack complexity, and dynamic, model-specific generation. Its primary outputs are pairwise round-to-jailbreak measurements and an Overall Safety Value (OSV) computed across a cohort of models and across ten safety domains (Zhang et al., 10 Jul 2025).

1. Conceptual basis and evaluation objective

GuardVal is motivated by the claim that jailbreak attacks expose brittle points in safety alignment that are often missed by conventional evaluation. Static, human-curated benchmarks are described as costly to scale, susceptible to training-set overlap, and prone to producing “false safety.” Automated but template-driven dynamic sets improve scale, but remain largely task- or domain-specific and do not adapt to the evolving behavior of the specific defender being tested. GuardVal responds by turning evaluation into a state-aware adversarial process in which test content is updated as the defender reveals its refusal patterns, partial compliance, or other behavioral signatures (Zhang et al., 10 Jul 2025).

The protocol is organized around three desiderata. D1 requires uncontaminated datasets in order to reduce “false safety” from training-data overlap. D2 requires evolving complexity and effectiveness, so that attacks continue to challenge newer models rather than becoming obsolete. D3 requires dynamic, model-specific generation, meaning that the attack sequence should adapt to the particular defender rather than merely to a domain template. Taken together, these principles shift jailbreak evaluation away from fixed benchmark scoring and toward adaptive stress testing (Zhang et al., 10 Jul 2025).

GuardVal formalizes the defender’s observable state at iteration tt as

st=(rt,zt,yt),s_t = (r_t, z_t, y_t),

where rtr_t is the defender’s response text, zt{refuse,comply,other}z_t \in \{\text{refuse}, \text{comply}, \text{other}\} is a coarse behavioral label inferred from that response, and yt[0,1]y_t \in [0,1] is the semantic similarity between the defender output and a safe “Oracle” response. The attack prompt at that step is denoted ptp_t, and jailbreak effectiveness can be expressed as a scalar objective such as

f(pt,st)=1ytλI[zt=refuse],f(p_t, s_t) = 1 - y_t - \lambda \cdot I[z_t = \text{refuse}],

with λ>0\lambda > 0 penalizing refusal. A successful jailbreak is therefore not merely a harmful-looking response, but a defender output that deviates sufficiently from the safe Oracle and is not classified as refusal (Zhang et al., 10 Jul 2025).

2. Role architecture and closed-loop operation

GuardVal’s attacker side is decomposed into four roles: Translator, Generator, Evaluator, and Optimizer. The defender is the target LLM under test. All models may be black-box; the protocol uses only inputs and outputs. This role separation is central to the protocol’s design, because it lets GuardVal separate prompt construction, scenario composition, response assessment, and anti-stagnation control into distinct functions rather than collapsing them into a single attacker prompt (Zhang et al., 10 Jul 2025).

Role Function
Translator Maps safety guidelines into a malicious “Question Prompt” plus a safe “Oracle”
Generator Builds a rich, coherent scenario embedding the malicious intent
Evaluator Compares defender output to the Oracle, assigns similarity, and proposes modification advice
Optimizer Tracks response evolution and refines advice to avoid local optima

The Translator begins from a seed guideline and produces both an adversarial “Question Prompt” and a safe Oracle response. The Generator then wraps the malicious prompt into a more elaborate scenario. This scenario is submitted to the defender. The Evaluator measures semantic similarity between the defender’s answer and the Oracle, outputs a score yt[0,1]y_t \in [0,1], and proposes “Modification Advice.” The Optimizer observes the trajectory of prior responses and adjusts the Evaluator’s advice when prompt refinement begins to stall. The Generator then uses this refined advice to produce the next attack prompt pt+1p_{t+1} (Zhang et al., 10 Jul 2025).

The protocol includes a distraction-based generation mechanism for cases in which attacker-side prompting itself resists producing adversarial content. In that setting, GuardVal decomposes the attack into a benign template and a concealed malicious query, then iteratively refines both parts so that the surface form remains benign while the adversarial semantics are preserved. This is meant to overcome “attacker refusal” and to sustain the search for defender-specific weaknesses (Zhang et al., 10 Jul 2025).

The stopping rule is simple: terminate when jailbreak success is achieved, or when the maximum round budget st=(rt,zt,yt),s_t = (r_t, z_t, y_t),0 is exhausted. Because the procedure is round-based, GuardVal naturally yields a measure of how many iterations an attacker needs to break a defender. That quantity becomes the basis for pairwise offensive and defensive comparisons across models (Zhang et al., 10 Jul 2025).

3. Anti-stagnation optimization and state-aware refinement

A distinctive feature of GuardVal is its Adam-inspired anti-stagnation mechanism. The paper argues that naïve iterative refinement often converges to local optima in which the attacker repeats near-identical scenarios without making meaningful progress. GuardVal addresses this by tracking the evolution of attacker generations over time and converting numerical change signals into natural-language guidance for subsequent prompt construction (Zhang et al., 10 Jul 2025).

The core signals are defined as follows:

st=(rt,zt,yt),s_t = (r_t, z_t, y_t),1

st=(rt,zt,yt),s_t = (r_t, z_t, y_t),2

st=(rt,zt,yt),s_t = (r_t, z_t, y_t),3

st=(rt,zt,yt),s_t = (r_t, z_t, y_t),4

The intended bias-corrected forms are

st=(rt,zt,yt),s_t = (r_t, z_t, y_t),5

A sliding-window detection rule then checks whether

st=(rt,zt,yt),s_t = (r_t, z_t, y_t),6

The interpretation given in the source is that st=(rt,zt,yt),s_t = (r_t, z_t, y_t),7 may be an embedding- or text-level representation of the attacker generation at iteration st=(rt,zt,yt),s_t = (r_t, z_t, y_t),8, and the norm may be instantiated by cosine distance or an LLM-based similarity distance (Zhang et al., 10 Jul 2025).

GuardVal maps these signals back into language-level prompt advice. When st=(rt,zt,yt),s_t = (r_t, z_t, y_t),9 is large, the optimizer may issue advice such as: “It’s essential to significantly alter the approach by {insert_action}.” When rtr_t0 is large, it may propose broader exploration because the current impact is inconsistent. When the adjustment is small, it may advise slight modifications instead of wholesale rewrites. This translation from optimization signals to prompting instructions is meant to keep the search diverse without making it unstable (Zhang et al., 10 Jul 2025).

In operational terms, the anti-stagnation mechanism makes GuardVal more than an LLM-as-judge loop. The state tuple rtr_t1 lets the attack adapt to the defender’s particular refusal style, while the moment-based tracker lets the attack adapt to its own lack of progress. This two-sided adaptivity is the protocol’s central methodological contribution (Zhang et al., 10 Jul 2025).

4. Domains, metrics, and empirical findings

GuardVal evaluates ten domains: Misinformation, Terrorism, Violence, Political sensitivity, Hallucination, Crime, Bias, Insult, Ethics, and Hate speech. The guidelines are instantiated from the “Trustworthy AI assessment list” aligned with the EU “Ethics guidelines for trustworthy AI.” For each guideline, the Translator produces a concrete adversarial prompt and a safe Oracle response, allowing the protocol to assess not just generic harmfulness but compliance with explicit normative constraints (Zhang et al., 10 Jul 2025).

The main pairwise metric is the average number of rounds an attacker rtr_t2 needs to jailbreak defender rtr_t3, denoted rtr_t4. The dual quantity rtr_t5 measures how many rounds other models need to jailbreak rtr_t6. These are averaged over three repeated runs. GuardVal then aggregates pairwise results into the Overall Safety Value

rtr_t7

where larger OSV means a model is harder to jailbreak while also being more effective at jailbreaking peers. The paper also reports defensive capability rtr_t8 and offensive capability rtr_t9 as total or mean versions of these round-based quantities (Zhang et al., 10 Jul 2025).

In the Misinformation domain, the reported OSV ranking is: GPT-4 at 15.0, rank 1; Llama2-7B at 13.5, rank 2; Qwen-72B at 12.3, rank 3; Gemini at 6.8, rank 4; GPT-3.5 at 3.6, rank 5; OpenChat-3.5 at zt{refuse,comply,other}z_t \in \{\text{refuse}, \text{comply}, \text{other}\}0, rank 6; Mistral-7B at zt{refuse,comply,other}z_t \in \{\text{refuse}, \text{comply}, \text{other}\}1, rank 7; and Vicuna-7B at zt{refuse,comply,other}z_t \in \{\text{refuse}, \text{comply}, \text{other}\}2, rank 8. In the same domain, Llama2-7B is reported as having the strongest defense with 40.3, while GPT-4 has the strongest offense with 23.3. Pairwise examples show that GPT-4 can jailbreak GPT-3.5 in 1 round, GPT-4 needs 3.3 rounds against Vicuna-7B, Gemini needs 2.3 rounds against Llama2-7B, and Llama2-7B needs 10.7 rounds against Gemini (Zhang et al., 10 Jul 2025).

The paper also evaluates the reliability of the Evaluator role on a 40-sample balanced dataset of jailbreak versus safe responses. Reported classification accuracies are 87.5% for GPT-4, 85.0% for Llama2-7B, 82.5% for Gemini, 82.5% for Qwen-72B, 77.5% for GPT-3.5, 75.0% for Mistral-7B, 70.0% for OpenChat-3.5, and 67.5% for Vicuna-7B. This matters because GuardVal’s success criterion depends on semantic judgment rather than on a fixed refusal string alone (Zhang et al., 10 Jul 2025).

Several behavioral findings recur across experiments. Models often exhibit shallow alignment, resisting in round 1 but failing after subtle paraphrases or reframings. Vulnerabilities are asymmetric: one model may be effective at jailbreaking another without the reverse relationship holding. Robustness is also domain-specific: performance in Hate Speech does not imply performance in Crime or Terrorism. Finally, GuardVal’s rankings diverge from static benchmarks such as TrustLLM, supporting the claim that static evaluations can miss model-specific vulnerabilities or be confounded by overfitting to test styles (Zhang et al., 10 Jul 2025).

5. GuardVal as a broader validation notion and common disambiguations

The exact title “GuardVal” refers to the dynamic jailbreak evaluation protocol introduced in “GuardVal: Dynamic LLM Jailbreak Evaluation for Comprehensive Safety Testing” (Zhang et al., 10 Jul 2025). In adjacent work, however, the same string or closely related variants are also used more generically to denote guardrail validation pipelines, which has produced terminological ambiguity in the literature.

One neighboring line of work uses GuardVal descriptively for guideline-grounded compliance testing. “GUARD: Guideline Upholding Test through Adaptive Role-play and Jailbreak Diagnostics for LLMs” operationalizes government-issued guidelines into concrete guideline-violating prompts, reports a guideline violation rate zt{refuse,comply,other}z_t \in \{\text{refuse}, \text{comply}, \text{other}\}3 and a jailbreak success rate zt{refuse,comply,other}z_t \in \{\text{refuse}, \text{comply}, \text{other}\}4, and uses GUARD-JD for adaptive role-play jailbreak diagnostics, including transfer to vision-LLMs (Jin et al., 28 Aug 2025). In that usage, GuardVal denotes a validation program built around prompt generation, compliance execution, jailbreak diagnostics, and reporting rather than the specific round-based OSV protocol of (Zhang et al., 10 Jul 2025).

A second neighboring usage treats GuardVal as an evaluation-and-enforcement stack rather than a benchmark. “OpenGuardrails: An Open-Source Context-Aware AI Guardrails Platform” provides a unified guard model for content safety and manipulation detection, a separate NER pipeline for data leakage identification and redaction, per-request category selection, and logit-thresholded sensitivity control through zt{refuse,comply,other}z_t \in \{\text{refuse}, \text{comply}, \text{other}\}5 and zt{refuse,comply,other}z_t \in \{\text{refuse}, \text{comply}, \text{other}\}6 (Wang et al., 22 Oct 2025). “GuardSet-X: Massive Multi-Domain Safety Policy-Grounded Guardrail Dataset” frames GuardVal as policy-grounded validation with domain-wise and rule-wise reporting, F1, FPR, FNR, and adversarial stress-testing over attack-enhanced instances (Kang et al., 18 Jun 2025). “WebGuard: Building a Generalizable Guardrail for Web Agents” presents a GuardVal blueprint for pre-execution action-risk filtering over SAFE, LOW, and HIGH action classes on real websites (Zheng et al., 18 Jul 2025). “The Gate Is Only as Honest as Its Contracts: ContractGuard for the Contract Layer of Risk-Aware Causal Gating” situates GuardVal at the contract layer of tool-augmented agents and validates signed provenance, typed contract attestation, and runtime effect verification (Iyer et al., 17 Jun 2026).

The literature also contains typographical confusions. One source states explicitly that “GuardVal is very likely a typographical variant of GuardEval,” where GuardEval is a multi-perspective moderation benchmark with 23 coarse categories, 106 fine-grained categories, and an accompanying Gemma3-12B QLoRA classifier called GemmaGuard (Machlovi et al., 22 Dec 2025). Another source states that “GuardVal” is a typographical variant of “GuardVLA,” a backdoor-based ownership verification framework for Vision-Language-Action models (Sun et al., 9 May 2026). These uses are not equivalent to the dynamic jailbreak evaluation protocol of (Zhang et al., 10 Jul 2025), but they explain why the term can appear overloaded in recent arXiv discourse.

6. Limitations, ethics, and practical significance

GuardVal’s authors identify several limitations. OSV is cohort-relative: because it is computed against a set of peer models, it does not provide an absolute notion of security. Dynamic-set comparability is also imperfect, since different attacker-defender pairs generate different prompt trajectories. Averaging three runs reduces stochastic noise, but outliers remain possible. The Evaluator can also make false positive and false negative judgments, which is why the paper emphasizes stronger evaluator models such as GPT-4 (Zhang et al., 10 Jul 2025).

The protocol is explicitly dual-use. It generates harmful content in a controlled red-team setting, so its use requires safe-harbor procedures, strict logging, rate limiting, output filtering, and careful handling of generated material. The paper’s ethical framing is that adaptive jailbreak generation should be confined to controlled evaluation environments and should not be deployed as unrestricted prompt-generation infrastructure (Zhang et al., 10 Jul 2025).

In practical safety engineering, GuardVal is significant because it reframes jailbreak testing from one-shot benchmark scoring into iterative adversarial search. The recommended workflow is to select domains and guidelines, choose attacker and evaluator models, instantiate the four roles, set round budgets, run three seeds per defender, compute zt{refuse,comply,other}z_t \in \{\text{refuse}, \text{comply}, \text{other}\}7, zt{refuse,comply,other}z_t \in \{\text{refuse}, \text{comply}, \text{other}\}8, and OSV, then inspect asymmetries and per-domain weaknesses. The paper further suggests that the resulting offense-defense profiles can motivate domain-specialized defenses or a “mixture-of-defenders” strategy in which adversarial prompts are routed to whichever defender is strongest in the relevant domain (Zhang et al., 10 Jul 2025).

A broader implication is that GuardVal evaluates not merely whether a model can refuse a single harmful query, but whether its safety policy remains stable under sustained, model-aware pressure. This suggests a shift in how jailbreak robustness is conceptualized: from static resistance to adaptive resilience.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to GuardVal.