Challenge: Existing red-teaming methods require expensive fine-tuning, especially for large LLMs.
Approach: They propose a red-teaming method that uses an ‘evil score’ to evaluate the potential of tokens to contribute to harmful outputs during decoding.
Outcome: The proposed method achieves an ASR of 92.83% on the Llama-3.2-3B-Instruct model, compared to 83.48% with adversarial fine-tuning while using less computational resources.

Similar Papers

Automated Progressive Red Teaming (2025.coling-main)

Copied to clipboard

Challenge: Automated red teaming (ART) is effective but time-consuming, costly and lacks scalability.
Approach: They propose an automated red teaming framework that generates adversarial prompts to expose LLM vulnerabilities.
Outcome: The proposed framework explores and exploits LLM vulnerabilities through multi-round interactions.
Attack Prompt Generation for Red Teaming and Defending Large Language Models (2023.findings-emnlp)

Copied to clipboard

Challenge: Existing studies construct attack prompts via manual or automatic methods, but these methods have limitations on cost and quality.
Approach: They propose an attack framework to instruct LLMs to mimic human-generated prompts through in-context learning and a defense framework that fine-tunes victim LLM's through iterative interactions with the attack framework.
Outcome: The proposed approach is based on experiments on different LLMs to evaluate their effectiveness against red teaming attacks.
RedCoder: Automated Multi-Turn Red Teaming for Code LLMs (2026.acl-long)

Copied to clipboard

Challenge: Existing red-teaming approaches for code generation rely on extensive human effort and are prone to generating malicious code under adversarial environments.
Approach: They propose a red-teaming agent that engages victim models in multi-turn conversations to elicit vulnerable code.
Outcome: Experiments show that RedCoder outperforms red-teaming methods in inducing vulnerabilities in code generation.
Ferret: Faster and Effective Automated Red Teaming with Reward-Based Scoring Technique (2025.findings-emnlp)

Copied to clipboard

Challenge: Existing red-teaming methods generate adversarial attacks to identify vulnerabilities, but they face slow performance, limited categorical diversity, and high resource demands.
Approach: They propose a method that generates multiple adversarial prompt mutations per iteration and ranks them using scoring functions.
Outcome: The proposed method achieves a 95% attack success rate and reduces time to a 90% ASR by 15.2%.
Red-Bandit: Test-Time Adaptation for LLM Red-Teaming via Bandit-Guided LoRA Experts (2026.acl-long)

Copied to clipboard

Challenge: Existing approaches to audit Large Language Models (LLMs) lack mechanisms to efficiently adapt to model-specific vulnerabilities at inference.
Approach: They propose a red-teaming framework that adapts online to identify and exploit model failure modes under distinct attack styles.
Outcome: The proposed framework outperforms state-of-the-art methods on AdvBench and HarmBench, while generating more human-readable adversarial prompts (lower perplexity).
Atoxia: Red-teaming Large Language Models with Target Toxic Answers (2025.findings-naacl)

Copied to clipboard

Challenge: Large language models (LLMs) are still vulnerable to generation safety vulnerabilities.
Approach: They propose a method that A**tacks LLMs with target "toxi" given a particular harmful answer, the method generates a user query and a misleading answer opening to examine the internal defects of a given LLM.
Outcome: The proposed method detects safety risks in open-source models and state-of-the-art models such as GPT-4o.
ASTPrompter: Preference-Aligned Automated Language Model Red-Teaming to Generate Low-Perplexity Unsafe Prompts (2025.findings-emnlp)

Copied to clipboard

Challenge: Existing red-teaming approaches prioritize high attack success rate, resulting in high-perplexity prompts.
Approach: a new method uses contrastive preference learning to train an attacker to maintain low perplexity while achieving a high attack success rate.
Outcome: ASTPrompter achieves 5.1 times higher attack success rate on Llama-8.1B . low-perplexity attacks are more difficult to filter and more likely to arise during benign usage .
Agent vs. Agent: Automated Data Generation and Red-Teaming for Custom Agentic Workflows (2025.emnlp-industry)

Copied to clipboard

Challenge: Existing red-teaming frameworks like AgentHarm use static prompts and hardcoded toolsets .
Approach: They propose a red-teaming framework that generates adversarial tasks and evaluation functions tailored to arbitrary toolsets and uses iterative prompt refinement with self-reflection to develop more effective attacks.
Outcome: The proposed approach achieves 162% increase in attack success rate on o4-mini and 86% success on gemini 2.5 Pro.
Learning to Conceal Risk: Controllable Multi-turn Red Teaming for LLMs in the Financial Domain (2026.acl-long)

Copied to clipboard

Challenge: Large Language Models (LLMs) are increasingly deployed in high-stakes domains such as finance where unsafe behavior can lead to serious regulatory risks.
Approach: They propose a black-box multi-turn risk-concealed redteaming framework that progressively conceals surface-level risk while exploiting regulatory-violating behaviors.
Outcome: Experiments on nine widely used LLMs show that the proposed framework achieves 93.19% average attack success rate (ASR) and improves the average ASR to 95.00%.
MART: Improving LLM Safety with Multi-round Automatic Red-Teaming (2024.naacl-long)

Copied to clipboard

Challenge: Existing red-teaming methods for large language models often discover safety risks without addressing them.
Approach: They propose a multi-round automatic red-teaming method that incorporates both adversarial prompt writing and safe response generation.
Outcome: The proposed method significantly increases red-teaming scalability and the safety of the target LLM.

What is GenGO?

GenGO is an NLP powered publication search system. It currenctly indexes 30k+ papers from ACL Anthology, and implements multi-aspect summarization, semantic search, and more!

Information

About
Limitations