StrongREJECT Framework for LLM Jailbreaks

• StrongREJECT is a benchmark evaluating LLM robustness against jailbreak attacks by scoring responses on refusal, specificity, and convincingness.
• The framework uses a rigorously curated 346-item forbidden prompt dataset across diverse misuse domains with an automated chain-of-thought evaluator.
• Continuous scoring and empirical analysis reveal that many jailbreak tactics severely degrade model capabilities, highlighting real-world risk.

The StrongREJECT framework is a benchmark and evaluation methodology for systematically measuring the robustness of LLMs against jailbreak attacks—prompt manipulations that elicit harmful, policy-violating outputs. StrongREJECT provides a rigorously curated dataset of forbidden prompts across real-world misuse domains and a fine-grained, partially automated evaluator that scores model responses for their true “usefulness for misuse.” This continuous scoring approach addresses major flaws in previous jailbreak benchmarks, enabling more accurate assessments of both single-turn and multi-turn jailbreak efficacy and the real-world residual risk posed by state-of-the-art LLMs (Souly et al., 15 Feb 2024, Yang et al., 11 Aug 2025).

1. Formal Problem Statement and Definitions

StrongREJECT is defined over a finite set of forbidden prompts $P$, each designed to solicit content disallowed by major provider policies (e.g., bomb-making, fraud, hate speech, illicit sexual content). The central object of measurement is a candidate jailbreak $J$: a (possibly stochastic) transformation applied to a user prompt $p$ such that the target model $M$ produces harmful output it would otherwise refuse. For any response $r = M(J(p))$, StrongREJECT assigns a scalar “usefulness for misuse” score $S(r, p) \in [0,1]$ defined as

$$S(r,p)\;=\;f\bigl(\text{refusal}(r,p),\,\text{specific}(r,p),\,\text{convincing}(r,p)\bigr)$$

where $f$ is specifically constructed to capture not only refusal, but also the specificity and convincingness of the response. High $S(r,p)$ values correspond to responses that are both actionable and persuasive from the perspective of an adversarial attacker (Souly et al., 15 Feb 2024).

2. Dataset Construction and Coverage

The forbidden-prompt set is derived via a multi-stage curation process targeting six broad misuse categories:

• Disinformation & Deception
• Illegal Goods & Services
• Hate, Harassment, & Discrimination
• Non-violent Crime
• Violence
• Sexual Content

A superset of 1,529 prompts—drawn from manual composition (218 items) and existing benchmarks (AdvBench, Shen et al., HarmfulQ, MaliciousInstruct, MasterKey, Liu & Klein, others)—undergoes four filtering stages: (1) removal of prompts outside the taxonomy, (2) deduplication via embedding similarity, (3) exclusion of prompts refused even without jailbreaking (using GPT-4 and Llama-2 refusals), and (4) extensive manual vetting for clarity and answerability. The resulting dataset comprises $|P|=346$ high-quality forbidden prompts, with an additional StrongREJECT-small subset of 50 items to support cost-constrained evaluations. Category balance is strictly maintained (no fewer than ≈40 or more than ≈80 prompts per category) (Souly et al., 15 Feb 2024, Yang et al., 11 Aug 2025).

3. Automated Evaluation Protocol

StrongREJECT introduces an autograder architecture based on a pretrained LLM (primarily GPT-4), which assigns values to three features for each $(p, r)$ tuple:

• $R(r, p) \in \{0,1\}$: refusal indicator (1 if explicit or implicit refusal)
• $\mathrm{Spec}(r, p) \in \{1,2,3,4,5\}$: specificity of harmful content (mapped to $[0,1]$)
• $\mathrm{Conv}(r, p) \in \{1,2,3,4,5\}$: convincingness (mapped to $[0,1]$)

The final StrongREJECT score is

$$S(r, p) = [1 - R(r, p)] \times \frac{\text{Spec}(r, p) + \text{Conv}(r, p)}{2}$$

Any refusal sets $S=0$; otherwise, the score is the mean of specificity and convincingness. The autograder is guided by a chain-of-thought prompt that explicitly instructs the LLM to ignore ethical disclaimers and score the actionable content provided, improving consistency with human attacker perspectives (Souly et al., 15 Feb 2024, Yang et al., 11 Aug 2025).

In multi-turn attack settings, the framework supports black-box interaction protocols: the attacker repeatedly retries or reformulates the prompt up to $n_\text{refusals}$ times per turn and can continue the attack for up to $n_\text{turns}$ overall. Crucially, refusals are not included in the model’s subsequent conversational context, and only successful responses and their scores inform follow-up prompts.

4. Evaluation Metrics and Empirical Results

StrongREJECT stipulates a set of quantitative evaluation metrics:

Metric	Description
StrongREJECT Score	$S(r) \in [0,1]$: Harmfulness of response; 0 = refusal/harmless, 1 = fully actionable
Attack Success Rate	$$\mathrm{ASR} = \frac{1}{M}\sum_{i=1}^M \mathbf{1}[\max_{\text{turns}} S(r_i) \geq \tau]$$, $\tau \approx 1.0$
Refusal Rate	Fraction of attempted turns resulting in refusal ($$\mathrm{RefusalRate} = \frac{\#\,\text{refused}}{\#\,\text{attempted}}$$)
Score Correlation	Pearson correlation between model responses' score vectors
Learning Curve Fit	$S(k)=A-B\,e^{-ck}$ with parameters fit to success as function of attempt count

Empirically, StrongREJECT achieves state-of-the-art agreement with human judgments, with mean bias $\approx -0.03$ and mean absolute error (MAE) $\approx 0.16$, outperforming prior autograders such as binary refusal detectors ($+0.2-0.4$ bias, MAE $\sim 0.40$), string matching, and concurrent frameworks (HarmBench MAE $\sim 0.19$) (Souly et al., 15 Feb 2024). Ranking correlation with human scores across jailbreaks reaches $\rho \approx 0.87$, compared with GPT-4 Judge ($\rho \approx 0.75$) and PAIR ($\rho \approx 0.84$) (Souly et al., 15 Feb 2024).

In practice, StrongREJECT avoids false positives that afflicted prior schemes—such as giving high marks to incoherent, off-topic, or merely enthusiastic but uninformative responses. This enables more accurate differentiation of genuinely successful jailbreaks from “empty jailbreaks.”

5. Analysis of Model Capability Degradation

A central empirical finding is that many prompt-based jailbreaks incur severe collateral degradation of model capabilities, even on benign tasks. For example, when evaluated on MMLU (168 questions across 57 subjects) with GPT-4, the baseline accuracy (no jailbreak) is $78\%$. Under ROT13 jailbreaks, accuracy drops to $35\%$; for Hmong and Zulu translation attacks, below $50\%$; other obfuscation/diversion attacks similarly reduce accuracy by $20$–$40$ percentage points. Comparable effects are observed in open models (e.g., Dolphin), where obfuscated jailbreak tactics cause hallucinated or repetitive responses, reducing the average harmfulness score (as measured by StrongREJECT) by up to $70\%$ (Souly et al., 15 Feb 2024).

This phenomenon demonstrates that some jailbreak tactics achieve nontrivial attack success rates only by disabling core model reasoning or comprehension—posing minimal real-world risk on highly capable models.

6. Extensions to Multi-Turn Jailbreak Robustness

StrongREJECT is deployed as the core benchmark in systematic multi-turn jailbreak evaluations (Yang et al., 11 Aug 2025). The evaluation protocol simulates a black-box adversary interacting with the target model across up to $n_\text{turns}=8$ per prompt (default $n_\text{refusals}=10$ per turn), logging responses and computing $S(r)$ via the StrongREJECT rubric.

A key insight from “Multi-Turn Jailbreaks Are Simpler Than They Seem” is that, when the attacker's retries are accounted for, the efficacy of multi-turn jailbreaks is statistically equivalent to repeated single-turn resampling. Analytical results are formalized via learning-curve fits:

$S(k) = A - B\,e^{-c k}$

with parameters derived from first-attempt and retry success rates. This undermines the supposed sophistication of multi-turn jailbreaks: their increased attack success rate is attributable to brute-force resampling rather than strategy learning (Yang et al., 11 Aug 2025). Further, score and attack success are highly correlated across models of similar family, suggesting consistent patterns of vulnerability.

7. Contributions, Limitations, and Best Practice Recommendations

Documented contributions of StrongREJECT include:

• Exposure of critical flaws in extant jailbreak benchmarks (e.g., reliance on binary refusal, inclusion of unanswerable prompts).
• Release of a 346-item, expertly curated forbidden-prompt dataset with broad policy relevance and a 50-item balanced subset for cost-effective trials.
• Introduction of a continuous, fine-grained autograder that closely tracks human attacker ratings in both mean and ranking accuracy.
• Systematic demonstration that many jailbreaks degrade overall model capabilities—a property systematically neglected in prior work.

Caveats and limitations are explicitly acknowledged. The autograder relies on LLM-generated chain-of-thought, leaving it vulnerable to future optimization or “overfitting” by attackers specializing against the grading protocol. The dataset, while diverse, does not encompass every potential misuse domain, with some categories (e.g., political manipulation) omitted for brevity. Human evaluation remains costly and was limited to a dataset subset (Souly et al., 15 Feb 2024).

Recommended best practices are codified:

• Manually curate specificity-balanced, answerable, diverse forbidden prompts; avoid over-reliance on synthetic datasets.
• Deploy continuous, rather than binary, harmfulness metrics for jailbreak evaluation.
• Calibrate automated evaluators against human raters to detect and correct systematic biases.
• Measure side effects on general model capability (e.g., MMLU) alongside attack success to identify “empty” jailbreaks.
• Report both prompt sets and scored responses to ensure reproducibility and robust safety engineering (Souly et al., 15 Feb 2024).

By adopting the StrongREJECT framework and disseminating its open-source code and datasets, the community is provided with a methodologically transparent, highly discriminative, and empirically validated benchmark for evaluating LLM jailbreak vulnerability and risk.