Be Your Own Red Teamer: Safety Alignment via Self-Play and Reflective Experience Replay (2026.findings-acl)
Copied to clipboard
| Challenge: | Large Language Models (LLMs) have remarkable capabilities but are vulnerable to adversarial “jailbreak” attacks designed to bypass safety guardrails. |
| Approach: | They propose to empower a large language model to be its own red teamer . safety self-play allows the model to act as both the Attacker and Defender . |
| Outcome: | The proposed approach outperforms baselines trained on static adversarial datasets and establishes a new benchmark for proactive safety alignment. |
Similar Papers
TriPlay-RL: Tri-Role Self-Play Reinforcement Learning for LLM Safety Alignment (2026.acl-long)
Copied to clipboard
Zhewen Tan, Wenhan Yu, Jianfeng Si, Tongxin Liu, Kaiqi Guan, Huiyan Jin, Jiawen Tao, Xiaokun Yuan, Xiangzheng Zhang, Duohe Ma, Tong Yang, Lin Sun
| Challenge: | Existing approaches to safety alignment of large language models rely on costly manual annotations or human review. |
| Approach: | They propose a closed-loop reinforcement learning framework called TriPlay-RL that enables iterative collaboration among three roles with near-zero manual annotation. |
| Outcome: | The proposed framework achieves 20%–50% improvement in adversarial effectiveness while preserving high output diversity while achieving 10%–30% gains in safety performance without degrading general reasoning capability. |
MART: Improving LLM Safety with Multi-round Automatic Red-Teaming (2024.naacl-long)
Copied to clipboard
| Challenge: | Existing red-teaming methods for large language models often discover safety risks without addressing them. |
| Approach: | They propose a multi-round automatic red-teaming method that incorporates both adversarial prompt writing and safe response generation. |
| Outcome: | The proposed method significantly increases red-teaming scalability and the safety of the target LLM. |
MTSA: Multi-turn Safety Alignment for LLMs through Multi-round Red-teaming (2025.acl-long)
Copied to clipboard
| Challenge: | Existing jailbreak techniques rely on single-round interactions, pro-Corresponding author. |
| Approach: | They propose a multi-turn safety alignment framework to address the challenge of securing large language models in multi-round interactions. |
| Outcome: | The proposed framework exhibits state-of-the-art attack capabilities while improving safety performance on safety benchmarks. |
Thinking Twice Makes Large Language Models Safer and More Helpful (2026.findings-acl)
Copied to clipboard
| Challenge: | Existing safety alignment techniques for large language models (LLMs) struggle to balance harmlessness and usefulness. |
| Approach: | They propose a safety-aware reflection-based reasoning framework that internalizes self-reflective reasoning and encourages reflection and correction. |
| Outcome: | The proposed framework outperforms reasoning-based alignment methods in safety alignment. |
MUSE: MCTS-Driven Red Teaming Framework for Enhanced Multi-Turn Dialogue Safety in Large Language Models (2025.emnlp-main)
Copied to clipboard
Siyu Yan, Long Zeng, Xuecheng Wu, Chengcheng Han, Kongcheng Zhang, Chong Peng, Xuezhi Cao, Xunliang Cai, Chenjuan Guo
| Challenge: | Existing defenses target single-turn attacks, but real-world usage involves multi-turn dialogues, exposing models to attacks that exploit conversational context to bypass safety measures. |
| Approach: | They propose a framework that tackles multi-turn jailbreaks from both attack and defense angles. |
| Outcome: | Experiments on large language models show that MUSE effectively mitigates multi-turn jailbreaks. |
RedCoder: Automated Multi-Turn Red Teaming for Code LLMs (2026.acl-long)
Copied to clipboard
Wenjie Jacky Mo, Qin Liu, Xiaofei Wen, Dongwon Jung, Hadi Askari, Wenxuan Zhou, Zhe Zhao, Muhao Chen
| Challenge: | Existing red-teaming approaches for code generation rely on extensive human effort and are prone to generating malicious code under adversarial environments. |
| Approach: | They propose a red-teaming agent that engages victim models in multi-turn conversations to elicit vulnerable code. |
| Outcome: | Experiments show that RedCoder outperforms red-teaming methods in inducing vulnerabilities in code generation. |
When Prompt Optimization Becomes Jailbreaking: Adaptive Red-Teaming of Large Language Models (2026.eacl-srw)
Copied to clipboard
| Challenge: | Existing safety evaluations rely on fixed collections of harmful prompts . such attacks span single-shot prompts, multi-turn interactions, cross-lingual settings . |
| Approach: | They propose to use black-box prompt optimization techniques to search for safety failures . they use GPT-5.1 to optimize for a continuous danger score . |
| Outcome: | The proposed approach reduces effective safeguards for large language models . the average danger score of Qwen 3 8B increases from 0.09 in its baseline setting to 0.79 after optimization. |
SELF-GUARD: Empower the LLM to Safeguard Itself (2024.naacl-long)
Copied to clipboard
| Challenge: | Recent studies have investigated methods to improve the safety of large language models (LLMs) safety training involves fine-tuning the LLM with adversarial samples, which activate the LRM’s capabilities against jailbreak. |
| Approach: | They propose a safety training approach that integrates safety training and safeguards to train the LLM to perform harmfulness detection on its own outputs. |
| Outcome: | The proposed method reduces harmful output and adds a [harmful] or [harmless] tag to the end of the LLM's response. |
Why Not Act on What You Know? Unleashing Safety Potential of LLMs via Self-Aware Guard Enhancement (2025.findings-acl)
Copied to clipboard
| Challenge: | Large Language Models (LLMs) have demonstrated impressive capabilities across various tasks but are vulnerable to meticulously crafted jailbreak attacks. |
| Approach: | They propose a training-free defense strategy to align LLMs’ strong safety discrimination performance with their relatively weaker safety generation ability. |
| Outcome: | The proposed strategy achieves an average 99% success rate against numerous complex and covert jailbreak methods while maintaining helpfulness on general benchmarks. |
Defending Against Alignment-Breaking Attacks via Robustly Aligned LLM (2024.acl-long)
Copied to clipboard
| Challenge: | Large Language Models (LLMs) have made significant advancements but can be misused to generate harmful content. |
| Approach: | They propose a Robustly Aligned LLM to defend against alignment-breaking attacks by retraining existing LLMs and using adversarial or handcrafted jailbreaking prompts. |
| Outcome: | The proposed model reduces attack success rates from nearly 100% to around 10% or less. |