PRISM Eval BET: Red-Teaming LLM Vulnerabilities
- The paper presents PRISM Eval BET as an innovative automated red-teaming system that optimizes adversarial prompt recipes to assess LLM vulnerabilities.
- Dynamic Adversarial Optimization is employed to generate context-adaptive prompts that evaluate harmful responses across defined high-risk hazard categories.
- Practical insights include detailed metrics such as Attack Success Rate, attempts-to-success estimates, and primitive-level vulnerability analysis to guide robust LLM safety evaluations.
Searching arXiv for the named BET report and closely related PRISM work. PRISM Eval Behavior Elicitation Tool (BET) is an automated red-teaming system for LLMs that elicits harmful behavior through Dynamic Adversarial Optimization rather than through a fixed bank of jailbreak prompts. It was introduced in the technical report accompanying the LLM Robustness Leaderboard v1 for the Paris AI Action Summit and is designed to optimize over a large combinatorial space of “jailbreaking primitives,” evaluate model responses against a discrete harmfulness scale, and estimate not only whether a model is vulnerable but also how difficult it is to exploit in practice (Lefebvre et al., 8 Aug 2025).
1. Scope, nomenclature, and placement within the PRISM landscape
PRISM Eval BET refers specifically to the red-teaming system introduced in the LLM robustness leaderboard report, not to other systems that also use the acronym “PRISM.” The PRISM name is used elsewhere for a multi-perspective AI alignment framework (Diamond, 5 Feb 2025), a diagnostic framework for semantic-flow and latent-computation analysis in LLM reasoning (Chang et al., 24 Mar 2026), and a closed-loop prompt reliability framework for enterprise conversational agents (Chaitanya et al., 15 May 2026). Within this wider naming overlap, PRISM Eval BET denotes a distinct system whose purpose is automated adversarial behavior elicitation and robustness measurement (Lefebvre et al., 8 Aug 2025).
Its institutional role is central to the leaderboard. The tool underpins a large-scale robustness study over 41 state-of-the-art LLMs and is explicitly framed as a system for distributed, collaborative safety evaluation. In that setting, BET is not a static benchmark but an adaptive attacker: it searches for prompt constructions that induce policy violations across high-risk hazard categories and records a structured map of successful and near-successful attack pathways (Lefebvre et al., 8 Aug 2025).
A common misconception is to treat BET as a repository of jailbreak strings. The report defines it instead as an optimization system over a prompt-construction space. This distinction matters because the tool is built to discover new attack variants through iterative search, reuse of high-scoring components, and controlled diversification, rather than by replaying a fixed test set (Lefebvre et al., 8 Aug 2025).
2. Dynamic Adversarial Optimization and prompt synthesis
BET’s core mechanism is a closed optimization loop. An optimization engine generates prompt recipes by combining attack primitives from a large library; a prompt programming language instantiates those recipes into scenario-specific prompts; the prompts are sent to a target LLM; the responses are scored by an evaluator LLM; and the resulting scores are fed back into the optimizer for the next batch (Lefebvre et al., 8 Aug 2025).
The optimization target is explicitly dual: effectiveness and diversity. For a batch of prompts , BET maximizes
$\max_{p_1,\dots,p_n} J \;=\; \alpha \sum_{i=1}^n \text{score}(p_i) \;+\; \frac{\beta}{n(n-1)} \sum_{i=1}^n \sum_{\substack{j=1\j\neq i}}^n \bigl(1 - \text{similarity}(p_i, p_j)\bigr).$
Here, is the evaluator’s harmfulness score for prompt , and is computed from encoded prompt recipes using Manhattan distance as a structural similarity measure (Lefebvre et al., 8 Aug 2025). The first term drives the search toward prompts that already appear effective; the second penalizes structurally similar prompts, thereby forcing exploration of distinct jailbreak strategies.
This objective is implemented in a dynamic, multi-batch setting. A run begins with 80 prompts, followed by up to 3 additional batches of 25, for a maximum of 155 adversarial prompts. The run terminates early if it obtains 12 successful responses. Each model–hazard-category pair is attacked with 3 runs, which standardizes attack budget and allows comparisons across models (Lefebvre et al., 8 Aug 2025).
The prompt programming layer is also a substantive part of the system. Each primitive behaves like a transformation from a base prompt and a hazard scenario to a rewritten adversarial prompt. Because primitives themselves can make LLM calls during transformation, prompt generation is context-adaptive rather than template-bound. This suggests that BET is best understood as a programmatic adversary that learns which constructions are effective against a given model and scenario, not as a static suite of test prompts (Lefebvre et al., 8 Aug 2025).
3. Hazard taxonomy and harmfulness scoring
BET evaluates robustness across five high-risk hazard categories adapted from the AILuminate taxonomy: Violent Crimes, Indiscriminate Weapons (CBRNE), Nonviolent Crimes, Hate, and Defamation & Misinformation (Lefebvre et al., 8 Aug 2025). Each category contains 20–40 distinct scenarios, each corresponding to a concrete harmful behavior to be elicited.
The system defines harmful behavior through an evaluator model, DeepSeek-R1, which assigns responses a discrete score from to $4$. A response counts as a successful harmful elicitation if its score is (Lefebvre et al., 8 Aug 2025).
| Score | Meaning |
|---|---|
| Refusal | |
| Refusal with justification | |
| $\max_{p_1,\dots,p_n} J \;=\; \alpha \sum_{i=1}^n \text{score}(p_i) \;+\; \frac{\beta}{n(n-1)} \sum_{i=1}^n \sum_{\substack{j=1\j\neq i}}^n \bigl(1 - \text{similarity}(p_i, p_j)\bigr).$0 | Nonsensical / out of context / other |
| $\max_{p_1,\dots,p_n} J \;=\; \alpha \sum_{i=1}^n \text{score}(p_i) \;+\; \frac{\beta}{n(n-1)} \sum_{i=1}^n \sum_{\substack{j=1\j\neq i}}^n \bigl(1 - \text{similarity}(p_i, p_j)\bigr).$1 | Related but no info |
| $\max_{p_1,\dots,p_n} J \;=\; \alpha \sum_{i=1}^n \text{score}(p_i) \;+\; \frac{\beta}{n(n-1)} \sum_{i=1}^n \sum_{\substack{j=1\j\neq i}}^n \bigl(1 - \text{similarity}(p_i, p_j)\bigr).$2 | Almost enough actionable information |
| $\max_{p_1,\dots,p_n} J \;=\; \alpha \sum_{i=1}^n \text{score}(p_i) \;+\; \frac{\beta}{n(n-1)} \sum_{i=1}^n \sum_{\substack{j=1\j\neq i}}^n \bigl(1 - \text{similarity}(p_i, p_j)\bigr).$3 | Enough information for a human to use |
| $\max_{p_1,\dots,p_n} J \;=\; \alpha \sum_{i=1}^n \text{score}(p_i) \;+\; \frac{\beta}{n(n-1)} \sum_{i=1}^n \sum_{\substack{j=1\j\neq i}}^n \bigl(1 - \text{similarity}(p_i, p_j)\bigr).$4 | Full compliance, fully actionable |
The evaluator prompt is designed to apply a high threshold for success. Hypothetical framing, “educational” disclaimers, or simulation-oriented wording are not counted as safe if the content remains actionable for the specified scenario. On a human-validation sample of 200 responses, the evaluator achieved 91.58% agreement after mapping raw scores into four coarse categories, with most disagreements concentrated at the 2 vs 3 boundary (Lefebvre et al., 8 Aug 2025).
This scoring design is important because BET is not merely detecting guardrail evasion in a generic sense. It is measuring whether a model provides sufficiently concrete information for downstream misuse. A plausible implication is that the tool is oriented toward operational harm potential rather than toward stylistic or rhetorical compliance alone (Lefebvre et al., 8 Aug 2025).
4. Robustness metrics, Attack Success Rate, and attempts-to-success estimation
The leaderboard’s first metric is Attack Success Rate (ASR), computed at the level of optimization runs. For each model there are 15 runs in total, corresponding to 5 hazard categories $\max_{p_1,\dots,p_n} J \;=\; \alpha \sum_{i=1}^n \text{score}(p_i) \;+\; \frac{\beta}{n(n-1)} \sum_{i=1}^n \sum_{\substack{j=1\j\neq i}}^n \bigl(1 - \text{similarity}(p_i, p_j)\bigr).$5 3 runs per category, and a run is successful if it yields at least one response with score $\max_{p_1,\dots,p_n} J \;=\; \alpha \sum_{i=1}^n \text{score}(p_i) \;+\; \frac{\beta}{n(n-1)} \sum_{i=1}^n \sum_{\substack{j=1\j\neq i}}^n \bigl(1 - \text{similarity}(p_i, p_j)\bigr).$6 (Lefebvre et al., 8 Aug 2025).
On this metric, BET achieved 100% ASR for 37 of 41 models. The remaining four still exhibited at least one vulnerability in each hazard category, so all evaluated models were found vulnerable under sufficiently capable adversarial optimization (Lefebvre et al., 8 Aug 2025).
The report’s central methodological extension is a finer-grained robustness metric: the estimated average number of attempts required for a skilled attacker to obtain a successful harmful response. To support this, BET constructs a vulnerability graph from the prompts explored during optimization. Nodes correspond to prompts labeled by recipe and score; edges connect structurally similar prompts. This graph is then traversed by Single-Agent Path Estimation (SAPE), a simulation procedure inspired by Ant Colony Optimization (Lefebvre et al., 8 Aug 2025).
Its transition probabilities are defined as
$\max_{p_1,\dots,p_n} J \;=\; \alpha \sum_{i=1}^n \text{score}(p_i) \;+\; \frac{\beta}{n(n-1)} \sum_{i=1}^n \sum_{\substack{j=1\j\neq i}}^n \bigl(1 - \text{similarity}(p_i, p_j)\bigr).$7
with pheromone update
$\max_{p_1,\dots,p_n} J \;=\; \alpha \sum_{i=1}^n \text{score}(p_i) \;+\; \frac{\beta}{n(n-1)} \sum_{i=1}^n \sum_{\substack{j=1\j\neq i}}^n \bigl(1 - \text{similarity}(p_i, p_j)\bigr).$8
where $\max_{p_1,\dots,p_n} J \;=\; \alpha \sum_{i=1}^n \text{score}(p_i) \;+\; \frac{\beta}{n(n-1)} \sum_{i=1}^n \sum_{\substack{j=1\j\neq i}}^n \bigl(1 - \text{similarity}(p_i, p_j)\bigr).$9 is the pheromone matrix, 0 is a distance matrix derived from solution properties, and 1 control exploration dynamics (Lefebvre et al., 8 Aug 2025). Repeated simulated traversals produce a distribution of steps-to-success, whose mean is reported as attack difficulty.
This metric revealed that attack difficulty varies by more than 300-fold across models. At the easiest end, Mistral-Nemo and Mixtral-8x7B-Instruct are reported at around 2.0 attempts on average. At the hardest end, Claude-3.5-Sonnet-20241022 is reported at roughly 440 attempts on average, with some hazard categories above 700 attempts (Lefebvre et al., 8 Aug 2025). This result is significant because it shows that binary ASR collapses major robustness differences: universal vulnerability and substantial variation in exploitability coexist.
5. Jailbreaking primitives and primitive-level vulnerability analysis
BET operates over a large primitive library containing hundreds of public and private jailbreak tactics. The report groups these into broad families such as linguistic manipulation, role-play and contextual framing, logical or structural tricks, and justification or framing strategies (Lefebvre et al., 8 Aug 2025). Examples include low-resource language translation, persona framing, chain-of-thought manipulation, past-tense reframing, payload splitting, and high-stakes justification.
For explicit analysis, the report focuses on eight widely known primitives: Low resource language, Step by step instruction, Past tense, Redirect refusal, Noble goals, Nefarious goals, Payload splitting, and High stake situation (Lefebvre et al., 8 Aug 2025). Because BET retains the full recipe of each generated prompt, it can compute primitive-conditioned average normalized scores for each hazard category and each target model.
The resulting primitive-by-hazard matrices expose context-sensitive vulnerabilities. The report’s concrete example is Qwen-2.5-7B, for which payload splitting is reported as beneficial in CBRNE scenarios while appearing harmful or neutral in violent crime scenarios (Lefebvre et al., 8 Aug 2025). This directly contradicts any assumption that a primitive has a fixed global efficacy.
Such analysis turns the tool from a success detector into a vulnerability profiler. It reveals not only that a model can be broken, but also which attack building blocks appear unusually effective for which hazard domains. A plausible implication is that defenses based on simple blacklist-style detection of known jailbreak surface forms will have limited coverage, because primitive efficacy is both model-dependent and category-dependent (Lefebvre et al., 8 Aug 2025).
6. Collaborative evaluation, limitations, and significance
BET was deployed in a collaborative, single-blind evaluation protocol involving trusted third parties from the AI Safety Network. The report names Singapore IMDA, the Canada AI Safety Institute (CAISI), and France LNE as participating institutions. For 23 models, PRISM Eval interacted only with anonymized endpoints rather than identified model instances (Lefebvre et al., 8 Aug 2025). This design reduces evaluator-side bias and provides a concrete model for distributed safety assessment across institutions.
The architecture is correspondingly modular. BET is composed of an optimization engine, a prompt programming language, target LLM endpoints, and an evaluator. It is designed for high-throughput batched execution, with explicit stopping rules and graph construction over explored prompts (Lefebvre et al., 8 Aug 2025). In governance terms, the report positions the system as a tool for controlled evaluations by labs, regulators, and external evaluators rather than as a public jailbreak toolkit.
The report also identifies clear limitations. The vulnerability graph contains only prompts actually tested, so the attempts-to-success estimate is at best a lower bound on true robustness. The SAPE metric has not yet been calibrated against expert human red-teamers. Primitive-level analysis is based on simple averaging and therefore can obscure bimodal behavior and higher-order primitive synergies. The evaluation is also text-only and does not yet cover multimodal, long-horizon, or tool-augmented attack surfaces (Lefebvre et al., 8 Aug 2025).
Within those limits, BET marks a shift in robustness evaluation from a binary notion of “jailbroken or not” toward a structured estimate of exploitability, attack-path diversity, and technique-specific vulnerability. In that respect, its main contribution is not merely a high aggregate ASR, but a methodological redefinition of robustness as a property of an adversarially explored landscape rather than a single pass/fail outcome (Lefebvre et al., 8 Aug 2025).