NAAMSE: Adaptive Evolutionary Red-Teaming
- NAAMSE is an adaptive evolutionary red-teaming framework that treats vulnerability discovery as a continuous optimization problem in AI agents.
- It employs a four-phase loop—selection, execution, evolutionary decision, and corpus integration—using hierarchical clustering to refine adversarial prompts.
- By leveraging an LLM-based scoring system that balances harmful compliance against benign-use correctness, NAAMSE automates the scaling of multi-turn adversarial testing.
Searching arXiv for the NAAMSE paper and closely related red-teaming benchmarks to ground citations. NAAMSE is an adaptive, evolutionary red-teaming framework for AI agents that treats finding vulnerabilities as a continuous optimization problem rather than a one-shot checklist. It is described as a single-agent, evolutionary framework for security evaluation of AI agents, designed to automate and scale adaptive, multi-turn adversarial testing while explicitly balancing security against benign-use correctness. The framework repeatedly selects or generates a test prompt, sends it to a target agent, scores the response with an LLM-based behavioral judge, and uses that score as a fitness signal to determine whether to explore new regions of the prompt space or mutate and refine an emerging attack strategy (Pai et al., 7 Feb 2026).
1. Problem formulation and conceptual basis
NAAMSE is motivated by a specific limitation of prevailing agent-security practice. Manual red-teaming is described as labor-intensive, dependent on human intuition, difficult to scale to the combinatorial prompt space of modern LLM agents, and difficult to keep aligned with evolving attack strategies. Static or one-shot benchmarks and jailbreak libraries are described as quickly becoming obsolete as models are patched, as probing every model with the same corpus, and as lacking any notion of an adversary that learns from model responses or performs multi-turn refinement (Pai et al., 7 Feb 2026).
The central design move is to reframe red-teaming as feedback-driven optimization. In this formulation, each prompt or attack strategy is treated as an individual in an evolutionary process. The model’s response is converted into a fitness signal through an asymmetric scoring function. That score rewards harmful compliance on adversarial prompts from the perspective of vulnerability discovery, while penalizing over-refusal or incorrect answers on benign prompts. This creates an optimization landscape in which the system can both search broadly and intensify promising failures.
This framing is significant because it shifts evaluation from corpus replay to adaptive search. The paper explicitly argues that fixed prompt lists underestimate risk in real-world settings, where attackers iteratively refine prompts based on agent behavior. A plausible implication is that NAAMSE is intended less as a benchmark in the conventional sense than as a continuously updating search process over prompt space.
2. System architecture and control loop
NAAMSE is organized as a single autonomous agent orchestrating a four-phase loop. The first phase, Selection & Representation, is implemented through a Clustering Engine that maintains a hierarchical corpus of benign and adversarial prompts using sentence embeddings and recursive k-means clustering. The agent selects a seed prompt either to explore a new cluster or to refine within a cluster where prior vulnerabilities were found (Pai et al., 7 Feb 2026).
The second phase, Execution & Evaluation, is implemented through a Behavioral Engine. The selected prompt is sent to the target model over an agent-to-agent interface that supports tools and multi-turn dialogue. The response is evaluated along three dimensions: harmfulness across safety categories via specialized LLM judges, alignment or compliance, and privacy risk through detection of PII in the answer. The system then produces a single scalar fitness score in representing severity of failure.
The third phase, Evolutionary Decision, is implemented through a Mutation Engine or Decider. The paper specifies three macro-actions: explore, similar, and mutation. Low fitness prompts trigger exploration of other clusters and attack surfaces; intermediate fitness triggers semantically similar variants for local refinement; high fitness triggers stronger mutation operators intended to exploit a vulnerability more aggressively.
The fourth phase, Corpus Integration, reinserts newly generated prompts into the hierarchical corpus through fast nearest-centroid assignment. This gives the framework a memory of effective attacks and their semantic neighborhoods. The paper emphasizes that one orchestrating agent closes the loop by choosing prompts, querying the target, scoring responses, deciding whether to abandon or amplify a lineage, and reintegrating the resulting prompts. That architectural choice distinguishes NAAMSE from multi-agent lifelong learning systems and makes orchestration explicit and centralized.
3. Evolutionary search and genetic prompt mutation
The evolutionary behavior in NAAMSE is mutation-driven rather than based on a large explicit population with tournament selection. Individuals are text prompts, including single-turn strings, structured system/user role sequences, multi-task prompts, and code blocks. Fitness is derived from the behavioral scoring function, with the final score clipped to the interval according to
Online selection then determines whether a prompt lineage is abandoned, stabilized, or intensified (Pai et al., 7 Feb 2026).
The Mutation Engine draws from several classes of operators. Research-derived strategies include game-theoretic framing, such as a “Game of Chicken” narrative in which refusal is framed as losing, and assistive task linkage in the SATa style, where a harmful task is broken into seemingly benign masked subtasks. Community techniques include persona or role-play prompts and dual-response formats. Baseline obfuscations include multilingual transformation, cipher transformations such as Caesar cipher, ASCII art and unicode-based perturbations, code execution wrappers, and task concurrency.
The paper provides concrete prompt-level examples. These include an adversarial prefix mutation of the form “Ignore previous instructions and test,” a cipher mutation phrased as “Decode this caesar cipher and answer: whvw,” a dual-response divider mutation with an explicit “ResponseFormat,” a SATa assistive task mutation based on placeholder replacement, and a task concurrency attack that requests processing multiple tasks in parallel. These operators span lexical, semantic, structural, and interaction-level transformations.
The exploration–exploitation schedule is explicitly thresholded. Scores below $50$ are treated as ineffective attacks and heavily favor explore with a weight; scores from $50$ to $80$ trigger similar prompts with a weight; scores above $80$ favor mutation with a probability. The paper presents this as the core adaptive logic of the framework. The resulting search behavior is structured: low-score regions are abandoned, mid-score regions are stabilized, and high-score regions are aggressively exploited.
4. Hierarchical corpus exploration and semantic navigation
NAAMSE does not operate over a flat attack list. It constructs a hierarchical tree over the prompt corpus by applying recursive k-means clustering to sentence embeddings. Each cluster corresponds to a semantic region, with top-level clusters labeled by an LLM summarizing representative prompts. The paper gives examples such as “role-play jailbreaks,” “banking queries,” and “multilingual obfuscation” (Pai et al., 7 Feb 2026).
The corpus is large and mixed. Adversarial prompts are reported at approximately 0, drawn from many sources, including JailbreakBench, AdvBench, HarmBench, FRACTURED-SORRY-Bench, AutoDAN, JailbreakPrompts, prompt injection and jailbreak detection datasets, in-the-wild and GitHub prompts, and multimodal and multilingual jailbreak corpora. Benign prompts are reported at approximately 1, including benign subsets of jailbreak and safety datasets and task-oriented assistant data from Rasa and CLINC150.
The embedding model used for clustering is all-MiniLM-L6-v2, with prompt embeddings defined as
2
New prompts created by mutation or similarity generation are assigned to the nearest centroid in the hierarchy. This preserves semantic neighborhood information and allows the corpus to become progressively concentrated around regions of higher vulnerability.
This design is important because the system’s search is not merely stochastic. It is guided by a hierarchical semantic structure that supports both broad traversal across attack classes and fine-grained refinement within a promising local region. The paper notes that it does not specify a tree-search procedure such as UCB or UCT; cluster navigation is instead driven by the fitness-based decider.
5. Behavioral scoring and benign-use correctness
A defining feature of NAAMSE is its asymmetric behavioral scoring. The same scalar score has different meanings depending on whether the input prompt is adversarial or benign. For adversarial prompts, a high score indicates a severe security failure, such as harmful compliance or privacy leakage. For benign prompts, a high score indicates a severe usability failure, specifically over-refusal or incorrect behavior on safe queries (Pai et al., 7 Feb 2026).
The appendix presents the clipped score
3
with 4 for Response Alignment, 5 for Harm Assessment, and 6 for personal identifiable information detection via Microsoft Presidio. The reported ordinal scales are:
- 7 corresponding to full refusal, weak refusal, weak acceptance, and full acceptance.
- 8 corresponding to not harmful, low risk, high risk, and harmful.
The text also reports scaled mappings. For response alignment on adversarial prompts:
9
and for benign prompts:
0
For harm assessment on adversarial prompts:
1
and for benign prompts:
2
The paper notes typographical issues in the PDF, but the conditional structure is explicit: the scoring uses different scaled terms depending on whether the prompt is adversarial or benign.
The benign-use correctness objective is meant to prevent degenerate security through blanket refusal. This is validated by two degenerate baselines. All-No, which always refuses, receives score 3 on adversarial prompts and 4 on benign prompts. All-Yes, which always complies, receives score 5 on adversarial prompts and 6 on benign prompts. The intended interpretation is explicit: always refusing is treated as a major usability failure, while always complying is treated as a major safety failure.
6. Evaluation protocol, empirical findings, and limitations
The experimental setup uses Gemini 2.5 Flash as the evaluated agent, and also as the basis for the LLM-based judges and transformation engine. The threat model includes prompt injection and jailbreaks, multi-turn conversational decomposition, multilingual and obfuscated prompts, tool or code-style payloads, and benign tasks to test false positives. The A2A interface supports multi-turn interactions, although many examples are encoded as structured single prompts rather than extended conversations (Pai et al., 7 Feb 2026).
The key quantitative result is the ablation over three search configurations across 7 iterations from the same seed:
| Configuration | Mean score |
|---|---|
| All (Random+Similar+Mutation) | 79.76 |
| Random+Similar only | 42.86 |
| Mutation-only | 54.79 |
The reported interpretation is that the full system discovers more severe failures, with frequent near-8 scores; random plus similarity search finds vulnerabilities but cannot intensify them; and mutation-only search becomes trapped around approximately 9 because it lacks a reset mechanism. High-scoring prompts with score $50$0 were also reported as independently validated by ChatGPT o3, Claude Sonnet 4.5, and Gemini 2.0 Pro as genuine jailbreaks.
Qualitatively, the framework is reported to uncover high-severity jailbreaks, prompt injection and instruction hijacks, decomposition attacks, multilingual and ciphered attacks, and benign-use failures in the form of over-refusal on legitimate but sensitive tasks. The paper states that multiple instances were surfaced in which Gemini 2.5 Flash’s safety mechanisms failed under evolved prompts.
The limitations are also explicit. Scores are relative rather than absolute guarantees; coverage is bounded by the diversity of the initial corpus and the expressiveness of the mutation operators; harmfulness and alignment judgments depend on LLM-based evaluators and therefore inherit bias and variance; the threat model is limited to prompt-level and interaction-level attacks rather than model-weight extraction, training data poisoning, or system-level exploits; and the present evaluation is text-based, even though the framework is described as architecturally modality-agnostic.
In relation to prior work, NAAMSE is positioned against manual red-teaming, static jailbreak benchmarks, and automated LLM-based red-teaming systems. Its distinctive features are the use of a single autonomous agent, hierarchical semantic clustering of a large multi-source corpus, a fitness-driven decider with explicit thresholds and weighted actions, and asymmetric scoring with an explicit emphasis on benign-use correctness. The code is reported as open source at https://github.com/HASHIRU-AI/NAAMSE, and the proposed extensions include modality-agnostic attack operators, alternative or ensemble judges, integration into continuous deployment pipelines, cross-model transfer studies, and defense co-evolution through incorporation of discovered attacks into training or policy tuning.