HarmBench: Standardized LLM Red Teaming Framework

Updated 9 December 2025

HarmBench is a standardized, end-to-end evaluation framework unifying attack implementations, defense interfaces, and metrics for assessing LLM safety.
It features a comprehensive behavior registry with 510 test cases and 18 adversarial modules, enabling rigorous testing of robust refusal behaviors.
Experimental results show that larger models do not guarantee enhanced safety, emphasizing the need for diverse, multi-dimensional red teaming strategies.

HarmBench Framework provides a standardized, end-to-end, community-driven evaluation infrastructure for automated red teaming of LLMs, focusing on the measurement of robust refusal behaviors under adversarial and realistic threatening prompts. By unifying attack implementations, defense interfaces, a comprehensive taxonomy of harmful behaviors, and robust open-source metrics under a single experimental pipeline, HarmBench enables direct, reproducible comparison across models, attack algorithms, and safety interventions. It has become a reference point for the systematic assessment of LLM robustness in both academic and applied settings (Mazeika et al., 6 Feb 2024, Li et al., 27 Aug 2024, Kuntz et al., 17 Jun 2025, Belkhiter et al., 11 Nov 2024).

1. Motivation and Historical Context

LLMs are highly capable at generating text, but their open-ended nature exposes them to misuse, particularly through adversarial or malicious prompts that elicit harmful outputs. Existing evaluations of LLM safety were fragmented—employing disparate datasets, task formulations, attack protocols, or metrics—hindering meaningful progress tracking and the development of generalizable alignment strategies.

HarmBench was motivated by three persistent gaps:

Poor comparability: A lack of standardization obscured true differences between models and defenses, with attack success rates (ASRs) depending on unreported factors such as decoding budget, prompt phrasing, and evaluation classifiers.
Limited breadth: Most prior benchmarks focused on a narrow set of contrived or "toy" harmful behaviors, omitting contextual, multimodal, and agentic attack surfaces.
Fragile metrics: Many evaluations relied on easily-gamed heuristics or closed-source classifiers, causing unreliable or inflated robustness estimates (Mazeika et al., 6 Feb 2024).

2. Core Structure and Taxonomy

HarmBench defines a modular architecture with four primary components:

Behavior Registry: A catalog of 510 (standard release) held-out test behaviors spanning seven semantic categories (cybercrime, chemical/bioweapons, copyright, misinformation, harassment, illegal activities, general harm) and four functional types (standard text, copyright-leakage, contextual, multimodal). Each behavior is specified as a text string, extended context, or image plus prompt (Mazeika et al., 6 Feb 2024).
Attack Method Registry: 18 adversarial attack modules—spanning white-box suffix optimizers (GCG, PEZ, GBDA, UAT, AutoPrompt), black-box LLM-based strategies (PAIR, TAP, Zero-Shot, Stochastic Few-Shot), genetic approaches (AutoDAN), template-based (PAP), and human jailbreak templates.
Defense Module: 33 evaluated models encompassing open-source LLMs (Llama, Vicuna, Baichuan, Qwen, Koala, SOLAR, Mistral, OpenChat, etc.), commercial APIs (GPT-3.5 Turbo, GPT-4, Claude, Gemini), and adversarially fine-tuned variants (e.g., R2D2).
Evaluation Engine: Executes the pipeline, generates ASR matrices of shape (|Behaviors| × |Attacks| × |Models|), and logs all results under consistent parameters (decoding budget 512 tokens, fixed validation/test splits, hardware controls).

3. Formal Metrics and Evaluation Protocol

HarmBench metrics are precisely defined to ensure reproducibility and adversarial robustness:

Attack Success Rate (ASR):

$\mathrm{ASR}(y, g, f) = \frac{1}{N} \sum_{i=1}^N c(f_T(x_i), y)$

where $y$ is a harmful behavior, $g$ an attack method, $f$ the target model, $x_i$ the $i$ -th adversarial prompt, $f_T$ model response under greedy decoding, and $c$ a binary classifier indicating successful harm (Mazeika et al., 6 Feb 2024).

Robustness Score:

$\mathrm{Robustness}(f, g) = 1 - \frac{1}{M} \sum_{j=1}^M \mathrm{ASR}(y_j, g, f)$

where $M$ is the number of behaviors.

Refusal Accuracy: Proportion of test cases where the completion contains a refusal token sequence and is judged non-harmful by the classifier:

$\mathrm{RefusalAccuracy} = \frac{\#\{\text{c} = 0 \wedge \text{completion contains } t_\text{refuse}\}}{N}$

These metrics are implemented using an open-source Llama 2 classifier, calibrated to match GPT-4 validation accuracy and passing prequalification protocols (handling refusal-then-comply, unrelated, or benign outputs).

4. Experimental Results and Key Insights

The HarmBench framework systematically supports large-scale, multi-dimensional evaluation:

Model robustness is not strictly determined by scale: Within LLM families, increasing parameter count (e.g., 7B to 70B) does not guarantee improved robustness.
No universal attack or defense: The five strongest red teaming methods each exhibit blind spots, and no single model defends against all attacks. Notably, contextual and multimodal behaviors are more easily exploited, with ASRs up to 80% on vision-LLMs (Mazeika et al., 6 Feb 2024).
Defenses are brittle to multi-turn human jailbreaks: Single-turn, automated attack ASRs (e.g., AutoDAN, GCG, PAIR) yield reassuringly low values on some defenses, but multi-turn human red teaming exposes failures up to 75% ASR—massively larger effect sizes—revealing that one-step quantitative metrics can provide a misleading sense of safety (Li et al., 27 Aug 2024).
Complex alignment interventions help but do not close the gap: Techniques such as adversarial training (R2D2) reduce ASR for specific attacks (e.g., GCG from >30% to 5.9% for Zephyr 7B), but do not address the full range of attack surfaces or human tactics.

5. Algorithmic Innovations—Attack and Defense

HarmBench codifies and integrates both existing and novel attack and defense mechanisms:

Attack modules: Suffix-optimization (GCG), persuasive prompt strategies (PAP), black-box LLM chaining (PAIR, TAP), evolutionary (AutoDAN), and human-invented jailbreaks, with each wrapped under a standardized generate_tests API.
Defense modules: Model fine-tuning pipelines (including R2D2) that adaptively combine standard instruction loss, "away" loss (move responses away from target output), and "toward" fixed refusal string loss per batch:

$\ell_{\text{total}} = \ell_{\text{SFT}} + \ell_{\text{away}} + \ell_{\text{toward}}$

A portion of adversarial test cases is periodically reset to maintain diversity, accelerating the coevolution of attacks and defenses (Mazeika et al., 6 Feb 2024).

6. Extension and Open-Source Ecosystem

HarmBench is openly available (github.com/centerforaisafety/HarmBench), supporting extensibility via:

Registries: YAML-based cataloging of behaviors and attacks, facilitating new category or method additions.
Model wrappers: Simple interfaces for registering and benchmarking custom models or alignment strategies.
Evaluation scripts: Standardized command-line tools for generating ASR tables and robustness matrices.
Pretrained classifiers: Supporting evaluation across both non-copyright and copyright behaviors.
Blueprint for other agentic systems: Agent safety benchmarks such as OS-Harm are patterned on the HarmBench methodology—modular environment plugins, harm-injection task templating, automated LLM judges, and precision/recall/F1-derived metrics (Kuntz et al., 17 Jun 2025).

7. Impact, Limitations, and Future Directions

HarmBench has driven the adoption of standardized, cross-method safety evaluation in both academic research and industry red teaming engagements. Its core contributions include: (i) revealing the inadequacy of prior "toy" benchmarks and single-turn ASR metrics, (ii) demonstrating that robust refusal is an emergent property of both model training and broader evaluation design, and (iii) providing open infrastructure for coevolving attacks and defenses.

However, HarmBench has key limitations:

Static behavior set: While large, its 510-behavior catalog is necessarily incomplete; new contexts (social engineering, agentic multimodality, interaction with external interfaces) continually expand the threat landscape.
LLM classifier reliance: The open-source judge can itself be circumvented by adversarial completions or ambiguous outputs, necessitating ongoing calibration and adversarial validation.
Brittleness to advanced human tactics: Even with comprehensive automated coverage, multi-turn, creative human adversaries routinely break defenses previously rated robust by HarmBench (Li et al., 27 Aug 2024).

Research is ongoing in three core directions: (1) developing agent-oriented variants (e.g., OS-Harm, Browser-Harm) to systematically stress-test LLM-empowered software agents (Kuntz et al., 17 Jun 2025), (2) integrating finer-grained harm-level compliance analysis (e.g., HarmLevelBench) to quantify alignment failures at various severity levels and under model compression strategies (Belkhiter et al., 11 Nov 2024), and (3) bridging the gap between automated and human-subject red teaming for realistic deployment robustness.

Table: HarmBench Framework—Components and Properties

Component	Description	Source(s)
Behavior Registry	510 test behaviors across 7 semantic/4 functional harm categories	(Mazeika et al., 6 Feb 2024)
Attack Registry	18 adversarial methods (GCG, PAIR, AutoDAN, PAP, etc.) with unified API	(Mazeika et al., 6 Feb 2024)
Defense Module	33 LLM/defense variants, open-/closed-source, adversarially-trained models	(Mazeika et al., 6 Feb 2024)
Metrics Engine	ASR, Robustness, Refusal Accuracy; Llama 2-based open classifier	(Mazeika et al., 6 Feb 2024)

Extensions such as OS-Harm apply the same methodology to multimodal, agentic LLM applications (Kuntz et al., 17 Jun 2025).

References

HarmBench: A Standardized Evaluation Framework for Automated Red Teaming and Robust Refusal (Mazeika et al., 6 Feb 2024)
LLM Defenses Are Not Robust to Multi-Turn Human Jailbreaks Yet (Li et al., 27 Aug 2024)
OS-Harm: A Benchmark for Measuring Safety of Computer Use Agents (Kuntz et al., 17 Jun 2025)
HarmLevelBench: Evaluating Harm-Level Compliance and the Impact of Quantization on Model Alignment (Belkhiter et al., 11 Nov 2024)