StrongREJECT Benchmark for LLM Safety

• The paper introduces a continuous scoring rubric that quantifies model vulnerability to adversarial jailbreaks, aligning responses with expert human judgment.
• StrongREJECT is built from a diverse set of prompts targeting misuse-relevant behaviors, including illegal goods, hate, and disinformation.
• The automated evaluator uses both single-turn and multi-turn protocols to provide reproducible, detailed assessments of LLM safety and defense efficacy.

The StrongREJECT benchmark is a widely adopted, rubric-based standard designed to rigorously evaluate the resistance of LLMs to adversarial jailbreak attacks. Its construction targets high-stakes, misuse-relevant behaviors, assessing not just binary refusal but the degree to which a model provides actionable, harmful information in response to forbidden prompts. By employing a continuous scoring rubric derived from expert policy analysis, StrongREJECT enables detailed, automated, and reproducible measurement of LLM safety across both single-turn and multi-turn attack settings. The benchmark serves as a reference for model comparison, defense efficacy evaluation, and the diagnosis of systemic vulnerabilities in state-of-the-art LLMs (Souly et al., 2024, Yang et al., 11 Aug 2025, Cai et al., 29 Apr 2025).

1. Conceptual Motivation and Design Objectives

The StrongREJECT benchmark was introduced to remedy persistent deficiencies in prior LLM jailbreak assessments, which frequently overstated attack effectiveness and lacked standardization for safety-critical evaluation. Its dual objectives are: (1) to capture the breadth of real-world adversarial misuse categories—such as illegal goods, violence, disinformation, and hate, as identified through cross-vendor policy analysis—and (2) to provide a granular, continuous-value scoring system $(\phi)$ that more faithfully aligns with expert human judgment on harmfulness. The benchmark explicitly targets both direct (“Provide instructions for…”) and indirect prompts (obfuscated, persona-based, multi-hop, or chain-of-thought induced attacks), as well as "empty" jailbreaks where the harmful intent is obscured (Souly et al., 2024, Cai et al., 29 Apr 2025).

A major design goal is to ensure that the refusal metric not only reflects outright rejections but penalizes low-quality, ambiguous, or partially helpful responses, thereby addressing the subtlety of modern jailbreak attempts.

2. Dataset Construction and Scope

The StrongREJECT dataset comprises several hundred prompts, grouped by six misuse-relevant categories:

• Illegal goods & services
• Non-violent crimes
• Hate, harassment & discrimination
• Disinformation & deception
• Violence (including terrorism, sabotage, self-harm)
• Illicit sexual content

Prompts are typically one-shot, focused requests calibrated for answerability and specificity, and constructed so that models such as GPT-4 Turbo and Llama-2 70B refuse them by default. Sources for these prompts include 213 author-written questions and 133 high-quality selections from established adversarial datasets (AdvBench, MaliciousInstruct, HarmBench, etc.), all filtered for clarity, answerability, and de-duplication via semantic embeddings. Prompts are answer-focused, not conversational, and explicitly designed to be researchable by laypersons within an hour. A budget-friendly StrongREJECT-small variant (50 prompts) is provided for quick testing (Souly et al., 2024, Yang et al., 11 Aug 2025).

Each prompt is assigned to a single category. Additionally, substantial focus is given to prompt forms that resist trivial paraphrasing, indirect query variants (e.g., “How would you teach someone to...?”), and sophisticated obfuscations (base64, homoglyphs, persona-switching), enabling the evaluation of both explicit and stealth jailbreaks (Cai et al., 29 Apr 2025).

3. Automated Evaluation and Scoring Rubric

StrongREJECT employs an automated LLM-based evaluator that assigns a continuous “jailbreak usefulness” score:

$$\phi(\mathrm{response}) = (1 - \mathrm{refused}(\mathrm{response})) \cdot \frac{\mathrm{specific}(\mathrm{response}) + \mathrm{convincing}(\mathrm{response})}{2}$$

where:

• $\mathrm{refused}(\mathrm{response}) \in \{0,1\}$: 1 if the model unequivocally refuses the request,
• $\mathrm{specific}(\mathrm{response}) \in [0,1]$: detail and relevance, normalized,
• $\mathrm{convincing}(\mathrm{response}) \in [0,1]$: how actionable the response is from an attacker’s perspective.

A refusal guarantees $\phi = 0$; a fully helpful, specific jailbreak achieves $\phi = 1$. For any dataset $\{r_i\}_{i=1}^N$, the binary success rate at threshold $\tau$ is defined by:

$$\mathrm{SuccessRate}(\tau) = \frac{1}{N}\sum_{i=1}^{N} \mathbf{1}\{\phi(r_i) > \tau\}$$

Empirical recommendation is to use $$\phi(\mathrm{response}) = (1 - \mathrm{refused}(\mathrm{response})) \cdot \frac{\mathrm{specific}(\mathrm{response}) + \mathrm{convincing}(\mathrm{response})}{2}$$0 to count only moderate- or high-quality bypasses as successful (Souly et al., 2024).

This score is computed via an autograder pipeline leveraging GPT-4 to rate responses, achieving a mean absolute error of $$\phi(\mathrm{response}) = (1 - \mathrm{refused}(\mathrm{response})) \cdot \frac{\mathrm{specific}(\mathrm{response}) + \mathrm{convincing}(\mathrm{response})}{2}$$1 and a bias of $$\phi(\mathrm{response}) = (1 - \mathrm{refused}(\mathrm{response})) \cdot \frac{\mathrm{specific}(\mathrm{response}) + \mathrm{convincing}(\mathrm{response})}{2}$$2 against human expert scores, both outperforming prior string-matching or binary baselines (Souly et al., 2024).

Secondary metrics include Mean Absolute Error (MAE), precision, recall, Spearman rank correlation (for cross-jailbreak ranking consistency), and Cohen’s $$\phi(\mathrm{response}) = (1 - \mathrm{refused}(\mathrm{response})) \cdot \frac{\mathrm{specific}(\mathrm{response}) + \mathrm{convincing}(\mathrm{response})}{2}$$3 (human inter-rater reliability).

4. Experimental Protocols and Model Assessment

StrongREJECT evaluation adopts two principal attack regimes:

• Single-Turn Attacks: The attacker has a single opportunity per prompt, but may retry up to $$\phi(\mathrm{response}) = (1 - \mathrm{refused}(\mathrm{response})) \cdot \frac{\mathrm{specific}(\mathrm{response}) + \mathrm{convincing}(\mathrm{response})}{2}$$4 times if a refusal occurs. Only non-refused (i.e., potentially harmful) responses are scored.
• Multi-Turn Attacks: The attacker can interact with the target model for up to $$\phi(\mathrm{response}) = (1 - \mathrm{refused}(\mathrm{response})) \cdot \frac{\mathrm{specific}(\mathrm{response}) + \mathrm{convincing}(\mathrm{response})}{2}$$5 sequential exchanges, generating each new prompt $$\phi(\mathrm{response}) = (1 - \mathrm{refused}(\mathrm{response})) \cdot \frac{\mathrm{specific}(\mathrm{response}) + \mathrm{convincing}(\mathrm{response})}{2}$$6 conditional on previous refusals/responses. Multi-turn protocols more closely emulate interactive adversarial jailbreaking seen in practice (Yang et al., 11 Aug 2025).

Each response is scored, and an attack is considered successful if any attempt reaches $$\phi(\mathrm{response}) = (1 - \mathrm{refused}(\mathrm{response})) \cdot \frac{\mathrm{specific}(\mathrm{response}) + \mathrm{convincing}(\mathrm{response})}{2}$$7.

The experimental pipeline involves three LLMs: an attacker (e.g., GPT-4o-mini, $$\phi(\mathrm{response}) = (1 - \mathrm{refused}(\mathrm{response})) \cdot \frac{\mathrm{specific}(\mathrm{response}) + \mathrm{convincing}(\mathrm{response})}{2}$$8), the target model (e.g., GPT-4, Claude, Gemini; $$\phi(\mathrm{response}) = (1 - \mathrm{refused}(\mathrm{response})) \cdot \frac{\mathrm{specific}(\mathrm{response}) + \mathrm{convincing}(\mathrm{response})}{2}$$9), and an evaluator (e.g., GPT-4o-mini; $\mathrm{refused}(\mathrm{response}) \in \{0,1\}$0) (Yang et al., 11 Aug 2025). Rigorous separation of attacker and defender ensures black-box testing.

Quantitative metrics: The aggregate StrongREJECT score $\mathrm{refused}(\mathrm{response}) \in \{0,1\}$1 for a model is the fraction of prompts yielding unsafe outputs. Improvement rates, false refusal rates (FRR), and compliance rates are standard. For model-family comparison, Pearson correlation $\mathrm{refused}(\mathrm{response}) \in \{0,1\}$2 reflects cross-model vulnerability patterns.

Metric	Definition	Interpretation
$\mathrm{refused}(\mathrm{response}) \in \{0,1\}$3	See above	0 = ideal refusal, 1 = maximally useful jailbreak
Success Rate $\mathrm{refused}(\mathrm{response}) \in \{0,1\}$4	$\mathrm{refused}(\mathrm{response}) \in \{0,1\}$5	Fraction of successful attacks
StrongREJECT Score	$\mathrm{refused}(\mathrm{response}) \in \{0,1\}$6	Lower is better
FRR	$\mathrm{refused}(\mathrm{response}) \in \{0,1\}$7	False refusals on benign prompts
Compliance Rate	$\mathrm{refused}(\mathrm{response}) \in \{0,1\}$8	Correct answers to innocuous queries

5. Empirical Findings and Failure Modes

StrongREJECT evaluations demonstrate several robust findings:

• Overestimation by prior benchmarks: Binary refusal and string-matching baselines substantially overstate jailbreak rates (bias $\mathrm{refused}(\mathrm{response}) \in \{0,1\}$9 vs. human scores $\mathrm{specific}(\mathrm{response}) \in [0,1]$0). The StrongREJECT autograder achieves both lower MAE ($\mathrm{specific}(\mathrm{response}) \in [0,1]$10.12) and near-zero bias (Souly et al., 2024).
• Vulnerability persists across turns: Even the most robust models exhibit 70–90% multi-turn jailbreak success rates if attackers are permitted retries, implying refusal mechanisms are not robust under iterative probing (Yang et al., 11 Aug 2025).
• Retrying equals multi-turn sophistication: The empirical success curve for multi-turn attacks closely follows that for independent, resampled single-turn attacks, indicating that attack success is primarily a function of allowed attempts, not prompt diversity or interactive steering (Yang et al., 11 Aug 2025).
• Cross-model correlation: Attack success rates are highly correlated within model families (Pearson $\mathrm{specific}(\mathrm{response}) \in [0,1]$2 to $\mathrm{specific}(\mathrm{response}) \in [0,1]$3), suggesting that vulnerabilities generalize across related systems (Yang et al., 11 Aug 2025).
• Reasoning increases risk: Among chain-of-thought-enabled models, more intensive reasoning token usage is associated with increased StrongREJECT scores, counter to standard safety expectations (Yang et al., 11 Aug 2025).

Fine-tuned models are particularly vulnerable to reduced capability under jailbreak attempts, often exhibiting hallucinations or incoherence (e.g., “The quick brown fox...”) instead of successful circumvention (Souly et al., 2024).

6. Defense Evaluation and Best Practices

The benchmark is regularly used to evaluate the efficacy of advanced defenses, such as AegisLLM—a multi-agent, prompt-optimized system combining orchestrator, deflector, and evaluator agents:

• AegisLLM on Llama-3-8B: Achieves $\mathrm{specific}(\mathrm{response}) \in [0,1]$4 StrongREJECT score vs. $\mathrm{specific}(\mathrm{response}) \in [0,1]$5 for baseline (51.3% improvement), with a compliance rate of 88.5% and false refusal rate of 7.9%, outperforming static defenses in both robustness and utility (Cai et al., 29 Apr 2025).
• Adaptation to novel attacks: Agentic defenses leveraging in-context prompt optimization can increase refusal rates for unseen attacks without significantly raising false refusal rates.
• Pipeline best practices: Effective defense requires layered detection (front-end classifier, back-end scoring of outputs), prompt and response optimization, and regular updating against evolving jailbreak strategies.

Recommendations for benchmarking include: curating diverse, independently auditable prompt types; including explicit “none of the above” refusal options in multiple-choice contexts; and reporting both true rejection and false positive (overrefusal) rates. Prompt strategies that explicitly permit refusal and avoid overuse of chain-of-thought are advised due to the risk of inducing hallucinated answers (Souly et al., 2024, Cai et al., 29 Apr 2025).

7. Impact and Future Directions

StrongREJECT has set a new standard for reproducibility, granularity, and real-world alignment in LLM jailbreak evaluation. Its adoption across major research efforts supports robust, comparative assessment of both model architectures and defense methods (Yang et al., 11 Aug 2025, Cai et al., 29 Apr 2025). Ongoing work includes expanding the prompt set for domain specialization (e.g., cryptographic tasks), refining calibration techniques for confidence-based refusals, and integrating real-time agentic defenses for dynamic adaptation.

A plausible implication is that future LLM safety assessments should treat iterative, multi-attempt adversarial protocols as the baseline and shift focus toward defenses that reduce the overall surface of harmful output generation, rather than only detecting attack archetypes or dialog structures.