Deep-Dive SDD-B06 — RedAgent: Black-Box Jailbreaking

Course: 2B — Securing & Attacking Harnesses and LLMs Deep-Dive: SDD-B06 · Duration: 45 minutes · Level: Senior Engineer and above Prerequisites: Course 2B B0–B2; SDD-B01, SDD-B02, SDD-B03, SDD-B04, SDD-B05

RedAgent (2026) is the finding that most black-box LLMs can be jailbroken within 5 queries using context-specific attacks. This is the model-level attack — we leave the harness (SDD-B04, SDD-B05) and target the model's refusal training directly. The 5-query chain works because context-specific attacks outperform generic jailbreaks: the attack is engineered to the target's deployed context (its system prompt, its tool surface, its conversation history), not a copy-paste payload. This deep-dive covers the methodology, the defense-in-depth implications (no single layer suffices — B2's thesis, now at the model), and how RedAgent-style testing fits an engagement (B12). A working 5-query jailbreak is the dual-use dilemma in its sharpest form — every disclosure principle from B0 applies, in spades.


Learning Objectives

After completing this deep-dive, you will be able to:

  1. Explain the RedAgent finding: most black-box LLMs jailbreak within 5 queries using context-specific attacks, why context-specific attacks outperform generic jailbreaks (the attack is engineered to the deployed context, not a static payload), and what the 5-query median implies for the refusal layer as a standalone defense.
  2. Construct the RedAgent 5-query attack chain: context reconnaissance (query 1), context-aligned payload crafting (queries 2-4), and the success-confirming query (query 5) — and explain how each stage reduces the model's refusal probability.
  3. Analyze why context-specificity defeats generic defenses: the deployed context (system prompt, tool surface, conversation history) is the attack surface, and a jailbreak crafted against that context bypasses refusal training calibrated against generic patterns.
  4. Map the RedAgent finding to the defense-in-depth thesis (B2): a 5-query jailbreak rate means the refusal layer alone is insufficient — no single layer suffices, and the harness defenses from SDD-B04/SDD-B05 are necessary precisely because the model layer will be bypassed.
  5. Apply the RedAgent methodology as part of a B12 engagement: scope it under B0's authorization chain (provider ToS, dual-use clause), run the 5-query chain against the deployed context, measure the success rate over N attempts (not a single success), and report under the CVD/dual-use principles from B0.
  6. Articulate the dual-use disclosure dimension: a working 5-query jailbreak is simultaneously the most valuable model-level finding and the most dangerous misuse recipe — and resolve it through the four B0 disclosure principles, with the provider-first report and the existence-not-recipe publication default.

Why this deep-dive exists

SDD-B04 and SDD-B05 attacked the harness — the governance layer around the model. CrabTrap's judge, IronCurtain's compilation pipeline and isolate boundary. The assumption throughout was that the harness is the attack surface because the model's refusal training is, if not unbreakable, at least expensive to break. This deep-dive tests that assumption directly. RedAgent (2026) finds that it does not hold: most black-box LLMs jailbreak within 5 queries, and they do so not through a universal payload but through context-specific attacks engineered to the deployed system.

This is the model-level attack, and it changes the defensive calculus in two ways. First, it means the refusal layer is not a reliable standalone defense. A defense that falls in 5 queries is not a defense you build an architecture around — it is a layer, one among several, and the harness defenses (SDD-B04, SDD-B05) are necessary precisely because this layer will be bypassed. This is B2's thesis arriving at the model: no single layer suffices, and the 5-query result is the empirical proof.

Second, it raises the dual-use stakes to their maximum. A working 5-query jailbreak is simultaneously the most valuable model-level finding (it proves the refusal layer's limits, measurably) and the most dangerous misuse recipe (it is a concrete, copy-paste-usable chain that bypasses refusal). The disclosure principles from B0 — provider first, existence not recipe by default, longer embargoes, withhold pure-misuse — apply here in their sharpest form. Every engagement that runs RedAgent-style testing is holding a dual-use artifact, and the handling is decided in the RoE before testing begins, not in the moment.

Three sub-sections, fifteen minutes each:


B06.1 — The RedAgent Finding and the 5-Query Chain

What the result means, and the structure of the attack that produces it.

The finding, stated precisely

RedAgent (2026) finds that most black-box LLMs — the frontier commercial models behind the APIs that production agents call — can be jailbroken within 5 queries using context-specific attacks. The "within 5 queries" is the load-bearing number: it is the median across the tested models and attack scenarios, not a worst-case or a single lucky run. The "context-specific" is the load-bearing method: the attacks that achieve the 5-query result are engineered to the target's deployed context, not generic payloads drawn from a jailbreak corpus.

The contrast with generic jailbreaks is the whole finding. Generic jailbreaks — the DAN prompts, the role-play wrappers, the encoding tricks that circulate in the jailbreak community — have a declining success rate as providers patch against them. A generic jailbreak that worked against a model six months ago often does not work today, because the refusal training was calibrated against the known patterns. RedAgent's contribution is to show that context-specific attacks, which cannot be pre-calibrated because they depend on the deployed context, achieve the 5-query median against the same models. The defense that stops the generic pattern does not stop the context-specific attack, because the two have different signatures.

This is the precise claim, and it is the one that matters for architecture: the refusal layer, as a standalone defense, falls in 5 queries to an attacker who can observe the deployed context. That is not a defense you build an architecture around. It is a layer.

Why context-specific attacks outperform generic jailbreaks

A generic jailbreak is a static payload. It is the same string (or the same template) regardless of what model it targets, what system prompt the model is running, what tools the model has, or what the conversation history is. The refusal layer is trained against these patterns — providers actively red-team against known jailbreak corpora and calibrate the refusal to recognize them. A generic jailbreak is, in effect, attacking a defense that has seen the attack before.

A context-specific attack is engineered to the deployed context. The attacker observes (or infers) the target's system prompt, its tool surface, its conversation history, and crafts a payload that is coherent with that context. The payload does not look like a known jailbreak pattern — it looks like a legitimate continuation of the conversation the model is already having, or a legitimate use of a tool the model already has. The refusal layer, calibrated against generic patterns, does not recognize it as an attack, because its signature is unique to the deployed context.

The mechanism is the same one that makes indirect prompt injection (SDD-B03) effective: the model cannot reliably distinguish "this is data I should treat cautiously" from "this is a legitimate instruction in my current context," because both arrive as text in the same channel. A context-specific jailbreak exploits this by making the attack indistinguishable from the context the model is already operating in. The defense (refusal training) is calibrated against out-of-context patterns; the attack is in-context.

The 5-query attack chain

RedAgent's 5-query chain is not a single payload; it is a sequence that converges on a successful jailbreak through iterative context-alignment. The structure:

The key property: each query reduces the model's refusal probability by making the payload more context-coherent. The first query has a low success rate (the payload is not yet aligned); the fifth query has a high success rate (the alignment has converged). This is why the result is "within 5 queries" rather than "in 1 query" — the context-specificity requires iteration, and the iteration is what makes it effective against a defense calibrated against single-shot generic patterns.

What the 5-query median implies

The 5-query median is the empirical refutation of the refusal layer as a standalone defense. If an attacker with black-box access — the access any user of a production agent has — can jailbreak the model in 5 queries by observing the deployed context, then the refusal layer is not the boundary. It is a delay, and a short one.

This does not mean the refusal layer is useless. It raises the bar (5 context-specific queries require more skill than 1 generic copy-paste), it stops the casual attacker, and it provides a signal that a more sophisticated defense (the harness layer, SDD-B04/SDD-B05) can act on. But it does mean that an architecture that relies on the refusal layer alone — "the model will refuse, so we are safe" — is an architecture with a 5-query bypass. The harness defenses are not optional hardening; they are necessary precisely because the model layer will be bypassed.


B06.2 — Why Context-Specificity Defeats Generic Defenses

The deployed context is the attack surface, and the defense-in-depth thesis arrives at the model.

The deployed context as the attack surface

The RedAgent finding reframes the attack surface. For the harness attacks (SDD-B04, SDD-B05), the surface was the governance layer — the judge, the compilation pipeline, the isolate. For the model-level attack, the surface is the deployed context itself: the system prompt that configures the model's behavior, the tool surface the model can call, and the conversation history that shapes the model's interpretation of new inputs.

These are not surfaces the model provider controls. The provider trains the refusal layer; the deployer configures the system prompt, selects the tools, and generates the conversation history. A context-specific attack exploits the deployer's configuration, not the provider's training — and the provider's refusal training cannot be pre-calibrated against configurations it has not seen. This is why the attack works against models whose generic-jailbreak resistance is high: the defense is calibrated against the wrong surface.

The implication for a red-team: the deployed context is the reconnaissance target. Query 1 of the 5-query chain is not a formality; it is the attack's dependence on the surface that the refusal training does not cover. An engagement that runs RedAgent-style testing must map the deployed context (system prompt, tools, conversation structure) as the first step — the same way a traditional pentest maps the network before attacking it.

Why pattern-calibrated refusal training fails

The refusal layer is trained to recognize and refuse disallowed requests. The training is, necessarily, pattern-based: the provider shows the model examples of disallowed requests (during RLHF or a safety fine-tune) and reinforces refusal. The patterns the model learns are the patterns in the training set — which is to say, the known jailbreak patterns at the time of training.

A context-specific attack does not match those patterns. Its signature is unique to the deployed context: a request that looks like a legitimate use of a specific tool, phrased in the style of a specific system prompt, building on a specific conversation history. The refusal training has never seen this exact signature, because it has never seen this exact context. The model's pattern-matching — which is what the refusal layer is — does not fire, because the pattern is novel. This is the same structural property as a zero-day in traditional security: the defense recognizes known threats; it does not recognize novel ones.

This is not a flaw the provider can fully fix. They can broaden the training patterns (red-team harder, include more diverse jailbreak attempts), but the space of possible deployed contexts is unbounded — they cannot pre-calibrate against every system prompt, every tool configuration, every conversation history. The residual is structural: pattern-calibrated defense has a novel-pattern bypass, and context-specific attacks are how that bypass is reached.

The defense-in-depth thesis, at the model

The RedAgent finding is where B2's thesis — no single layer suffices — arrives at the model layer. The argument has three steps, and this deep-dive is the third:

  1. SDD-B03 measured it. Layered defenses reach single-digit injection rates where single defenses sit near the baseline. The delta is the evidence.
  2. SDD-B04 and SDD-B05 demonstrated it at the harness layer. CrabTrap has residuals; IronCurtain has residuals. No single harness defense suffices.
  3. SDD-B06 demonstrates it at the model layer. The refusal layer — the defense closest to the content — falls in 5 queries to a context-specific attack. The model layer, like the harness layer, does not suffice alone.

The synthesis: an architecture that relies on any single layer (refusal training alone, a harness judge alone, a deterministic policy alone) has a bypass. The refusal layer falls in 5 queries; the harness judge is injectable (SDD-B04); the deterministic policy has compilation residuals (SDD-B05). The only architecture that holds is layered: the refusal layer raises the bar and provides signal, the harness layer governs the actions the model takes, and the deterministic layer provides the boundary the probabilistic layers cannot. Each layer's bypass is bounded by the others.

This is why the RedAgent finding, despite being a model-level attack, is load-bearing for the harness architecture. It proves that the harness is not optional hardening around a reliable model — it is the necessary defense precisely because the model layer will be bypassed. The 5-query result is the empirical justification for the entire SDD-B04/SDD-B05 prescription.


B06.3 — Engagement Practice and the Dual-Use Disclosure

Running RedAgent-style testing under B0, measuring success rates, and resolving the dual-use dilemma.

Scoping under B0's authorization chain

RedAgent-style testing attacks the model's refusal training — a provider-controlled surface (per B0). The authorization chain from B0 applies in full: the deployer can authorize testing of their system, but they cannot authorize violation of the provider's terms. Before running the 5-query chain against a production agent that calls a commercial model, the engagement must verify one of: (a) the provider's ToS explicitly permits jailbreak testing, (b) a provider-issued waiver or preview-program enrollment is on file, or (c) the model is self-hosted or open-weights and the deployer owns it.

This is the B0 provider-authorization check, made concrete for the model-level attack. The check is not optional. Several providers' acceptable-use policies explicitly prohibit jailbreaking; running the 5-query chain without authorization is a ToS breach, and in some readings a CFAA exposure. The engagement scope file must carry a provider_authorization entry for the jailbreak technique, and the harness gate must enforce it before the first query.

The dual-use clause is equally non-optional. The RoE must specify, before testing: will the working 5-query chain be shared with the provider only, published as existence-plus-severity, or withheld as pure-misuse? This decision is not made when the jailbreak succeeds — it is made when the contract is signed.

Measuring success rates over N attempts

A single successful 5-query jailbreak is a weak finding (per B0 and SDD-B03). The honest measurement is a success rate over N attempts: run the 5-query chain M times against the target, under fixed sampling parameters (temperature, model version), and report the success rate (e.g., "62% of 5-query chains succeeded against model version X at temperature 1.0").

The parameters that affect reproducibility — model version, temperature, sampling config, the deployed context at test time — must be recorded with every run. The model version is the single most important field: providers ship silent updates, and a finding against version N may not reproduce against version N+1. The success rate, not the single success, is the finding that goes into the report and the CVD coordination.

The RedAgent methodology is well-suited to this measurement because the 5-query chain is repeatable. Unlike a single-shot jailbreak (which may be a lucky sample), the iterative context-alignment produces a convergent chain that can be run M times to establish the rate. The rate is the effectiveness claim about the refusal layer — and the before/after delta (refusal success rate before and after a provider mitigation) is the honest metric for whether the mitigation worked.

RedAgent-style testing in a B12 engagement

In a B12 engagement (the capstone assessment module), RedAgent-style testing is the model-layer component of a defense-in-depth assessment. The structure:

  1. Map the deployed context. Treat the system prompt, tool surface, and conversation structure as the attack surface. Query 1 of the 5-query chain is this map.
  2. Run the 5-query chain, measured. Execute the chain M times under fixed parameters. Report the success rate, not a single success. Record model version, temperature, sampling config, deployed context.
  3. Correlate with the harness assessment. The RedAgent result establishes the model-layer residual; the SDD-B04/SDD-B05 harness assessment establishes the harness-layer residual. The architecture's overall injection resistance is the combination — and a model layer that falls in 5 queries makes the harness layer's strength the load-bearing question.
  4. Prescribe the layered defense. The finding motivates the layered prescription: the refusal layer (provider-managed, raises the bar), the harness layer (deployer-managed, governs actions), the deterministic layer (the boundary the probabilistic layers cannot provide). The RedAgent result is the justification for not relying on the refusal layer alone.

The dual-use dilemma in its sharpest form

A working 5-query jailbreak is the dual-use dilemma (B0.2) in its sharpest form. It is simultaneously:

The four B0 disclosure principles resolve the tension, and RedAgent findings are where they bite hardest:

  1. Provider first, always. The provider gets a private report with the working chain under NDA before any external communication. The chain is shared only with the provider, under the engagement's confidentiality terms.
  2. Existence and severity, not the recipe, by default. A responsible advisory says "we found a context-specific technique that bypasses refusal with X% success on model Y; the provider has been notified." It does not include the 5-query chain unless the provider consents and the technique is independently well-known.
  3. Longer embargo. A model-level finding (the refusal layer) is on the 180-day track (per B0), not the 90-day software track. The mitigation is a retraining/RLHF round or a model-version bump, measured in months.
  4. Withhold pure-misuse with no defensive lesson. If a specific 5-query chain has no defensive lesson beyond "this model can be jailbroken" (no new technique class, no architectural insight), the responsible choice is often provider-only disclosure. The defensive value of publishing the chain is near zero; the misuse risk is high.

The decision of which principle applies to a given finding is made in the RoE before testing — not when the chain succeeds. An engagement that runs RedAgent-style testing without a dual-use clause is an engagement that will fail at exactly the moment a serious finding appears.


Anti-Patterns

Relying on the refusal layer as a standalone defense

"The model is safety-trained; it will refuse disallowed requests." Cure: RedAgent finds most black-box LLMs jailbreak within 5 queries via context-specific attacks. The refusal layer is a layer, not a boundary. The harness defenses (SDD-B04, SDD-B05) are necessary precisely because this layer will be bypassed.

Reporting a single successful jailbreak as the finding

"I jailbroke the model in 5 queries." Cure: a single success is a weak finding (anecdote). The honest measurement is a success rate over N attempts under fixed sampling parameters. Report the rate (e.g., 62% over M chains), the model version, the temperature. No rate, no finding.

Running RedAgent-style testing without provider authorization

"The deployer authorized testing of their agent, so I can jailbreak the model it calls." Cure: the deployer cannot authorize violation of the provider's terms. The B0 provider-authorization check must verify ToS permission, a waiver, or self-hosted ownership before the first query. The jailbreak technique needs a provider_authorization entry in the scope file.

Publishing the working 5-query chain in the advisory

"Including the chain proves the finding and helps the community." Cure: publish existence and severity, not the recipe, by default (B0). A copy-paste-usable chain is a misuse weapon. Share the chain with the provider under NDA; withhold publication unless the provider consents and there is a defensive lesson. The decision was made in the RoE.

Treating the model-layer finding as independent of the harness

"The model jailbreaks in 5 queries, but our harness (CrabTrap/IronCurtain) stops the actions, so it doesn't matter." Cure: the model-layer finding and the harness-layer finding are correlated, not independent. A model that falls in 5 queries makes the harness layer the load-bearing defense — and the harness has its own residuals (SDD-B04, SDD-B05). The architecture's overall injection resistance is the combination, and the RedAgent result is the justification for not relying on any single layer.

Using generic jailbreaks and reporting the low success rate as the finding

"I tried 20 known DAN prompts and only 1 worked; the model is well-defended." Cure: generic jailbreaks have a declining success rate because providers patch against known patterns. The RedAgent finding is specifically about context-specific attacks, which bypass the pattern-calibrated defense. Test the context-specific surface, not the generic corpus — or the low success rate is an artifact of testing the wrong attack class.


Key Terms

Term Definition
RedAgent finding Most black-box LLMs jailbreak within 5 queries using context-specific attacks; the empirical refutation of the refusal layer as a standalone defense
Context-specific attack A jailbreak engineered to the deployed context (system prompt, tools, conversation history); bypasses pattern-calibrated refusal because its signature is novel
Generic jailbreak A static payload (DAN, role-play, encoding tricks) with a declining success rate as providers patch against known patterns
5-query chain RedAgent's attack structure: query 1 reconnaissance, queries 2-4 context-aligned crafting, query 5 success confirmation; the median convergence point
Deployed context The model-level attack surface: the system prompt, tool surface, and conversation history that a context-specific attack aligns to
Pattern-calibrated refusal Refusal training based on known jailbreak patterns; has a novel-pattern bypass (the structural residual context-specific attacks exploit)
Defense-in-depth at the model B2's thesis at the model layer: the refusal layer falls in 5 queries, so the harness defenses are necessary, not optional — no single layer suffices
Dual-use dilemma (sharpest form) A working 5-query jailbreak is both the most valuable model finding and the most dangerous misuse recipe; resolved by the four B0 disclosure principles

Lab Exercise

See 07-lab-spec.md. The lab has you build a context-specific 5-query attack simulator (reconnaissance, context-aligned crafting, confirmation against a simulated refusal layer), measure the success rate over N chains, contrast it with a generic-jailbreak baseline, and walk through the dual-use disclosure decision under the four B0 principles. No GPU; Python 3.10+ with type hints; the refusal layer and the deployed context are simulated so the lab runs deterministically offline.


References

  1. RedAgent (2026) — the finding that most black-box LLMs jailbreak within 5 queries using context-specific attacks. The primary subject of this deep-dive.
  2. Course 2B B0 — the authorization chain (provider ToS, provider-authorization check), the dual-use dilemma, and the four disclosure principles that govern a RedAgent finding's handling.
  3. Course 2B B2 — the injection-defense layer; the defense-in-depth thesis (no single layer suffices) that the RedAgent finding arrives at the model layer.
  4. Course 2B SDD-B03 (InjecAgent) — the measurement instrument; the RedAgent success rate over N chains is the model-layer analogue of the InjecAgent injection-rate delta.
  5. Course 2B SDD-B04 (CrabTrap Offensive Analysis) — the harness-layer attack; the RedAgent finding justifies why the harness is necessary (the model layer will be bypassed).
  6. Course 2B SDD-B05 (IronCurtain Offensive Analysis) — the strongest harness defense and its residuals; the RedAgent finding completes the argument that no single layer (model or harness) suffices.
  7. Course 2B B12 — the capstone assessment module where RedAgent-style testing is the model-layer component of a defense-in-depth assessment.
  8. OWASP Agentic AI Top 10 (2026) — the context-specific jailbreak maps to ASI01 (goal hijacking) at the model layer, distinct from the harness-layer ASI05/ASI07.
  9. Provider acceptable-use policies — the ToS layer that governs whether jailbreak testing is authorized; the B0 provider-authorization check for the jailbreak technique.
  10. Coordinated disclosure norms (CERT/CC, Project Zero) — the baseline extended to ~180 days for model-level findings (per B0); the RedAgent finding's coordination window.
# Deep-Dive SDD-B06 — RedAgent: Black-Box Jailbreaking

**Course**: 2B — Securing & Attacking Harnesses and LLMs
**Deep-Dive**: SDD-B06 · **Duration**: 45 minutes · **Level**: Senior Engineer and above
**Prerequisites**: Course 2B B0–B2; SDD-B01, SDD-B02, SDD-B03, SDD-B04, SDD-B05

> *RedAgent (2026) is the finding that most black-box LLMs can be jailbroken within 5 queries using context-specific attacks. This is the model-level attack — we leave the harness (SDD-B04, SDD-B05) and target the model's refusal training directly. The 5-query chain works because context-specific attacks outperform generic jailbreaks: the attack is engineered to the target's deployed context (its system prompt, its tool surface, its conversation history), not a copy-paste payload. This deep-dive covers the methodology, the defense-in-depth implications (no single layer suffices — B2's thesis, now at the model), and how RedAgent-style testing fits an engagement (B12). A working 5-query jailbreak is the dual-use dilemma in its sharpest form — every disclosure principle from B0 applies, in spades.*

---

## Learning Objectives

After completing this deep-dive, you will be able to:

1. Explain the RedAgent finding: most black-box LLMs jailbreak within 5 queries using context-specific attacks, why context-specific attacks outperform generic jailbreaks (the attack is engineered to the deployed context, not a static payload), and what the 5-query median implies for the refusal layer as a standalone defense.
2. Construct the RedAgent 5-query attack chain: context reconnaissance (query 1), context-aligned payload crafting (queries 2-4), and the success-confirming query (query 5) — and explain how each stage reduces the model's refusal probability.
3. Analyze why context-specificity defeats generic defenses: the deployed context (system prompt, tool surface, conversation history) is the attack surface, and a jailbreak crafted against that context bypasses refusal training calibrated against generic patterns.
4. Map the RedAgent finding to the defense-in-depth thesis (B2): a 5-query jailbreak rate means the refusal layer alone is insufficient — no single layer suffices, and the harness defenses from SDD-B04/SDD-B05 are necessary precisely because the model layer will be bypassed.
5. Apply the RedAgent methodology as part of a B12 engagement: scope it under B0's authorization chain (provider ToS, dual-use clause), run the 5-query chain against the deployed context, measure the success rate over N attempts (not a single success), and report under the CVD/dual-use principles from B0.
6. Articulate the dual-use disclosure dimension: a working 5-query jailbreak is simultaneously the most valuable model-level finding and the most dangerous misuse recipe — and resolve it through the four B0 disclosure principles, with the provider-first report and the existence-not-recipe publication default.

---

## Why this deep-dive exists

SDD-B04 and SDD-B05 attacked the harness — the governance layer around the model. CrabTrap's judge, IronCurtain's compilation pipeline and isolate boundary. The assumption throughout was that the harness is the attack surface because the model's refusal training is, if not unbreakable, at least expensive to break. This deep-dive tests that assumption directly. RedAgent (2026) finds that it does not hold: most black-box LLMs jailbreak within 5 queries, and they do so not through a universal payload but through context-specific attacks engineered to the deployed system.

This is the model-level attack, and it changes the defensive calculus in two ways. First, it means the refusal layer is not a reliable standalone defense. A defense that falls in 5 queries is not a defense you build an architecture around — it is a layer, one among several, and the harness defenses (SDD-B04, SDD-B05) are necessary precisely because this layer will be bypassed. This is B2's thesis arriving at the model: no single layer suffices, and the 5-query result is the empirical proof.

Second, it raises the dual-use stakes to their maximum. A working 5-query jailbreak is simultaneously the most valuable model-level finding (it proves the refusal layer's limits, measurably) and the most dangerous misuse recipe (it is a concrete, copy-paste-usable chain that bypasses refusal). The disclosure principles from B0 — provider first, existence not recipe by default, longer embargoes, withhold pure-misuse — apply here in their sharpest form. Every engagement that runs RedAgent-style testing is holding a dual-use artifact, and the handling is decided in the RoE before testing begins, not in the moment.

Three sub-sections, fifteen minutes each:

- **B06.1 — The RedAgent Finding and the 5-Query Chain.** What the result means, why context-specific attacks outperform generic jailbreaks, and the structure of the 5-query attack chain (reconnaissance, context-aligned crafting, confirmation).
- **B06.2 — Why Context-Specificity Defeats Generic Defenses.** The deployed context as the attack surface, the failure of pattern-calibrated refusal training, and the implications for defense-in-depth (no single layer suffices).
- **B06.3 — Engagement Practice and the Dual-Use Disclosure.** Running RedAgent-style testing under B0's authorization chain, measuring success rates over N attempts, and resolving the dual-use dilemma through the four disclosure principles.

---

# B06.1 — The RedAgent Finding and the 5-Query Chain

*What the result means, and the structure of the attack that produces it.*

## The finding, stated precisely

RedAgent (2026) finds that most black-box LLMs — the frontier commercial models behind the APIs that production agents call — can be jailbroken within 5 queries using context-specific attacks. The "within 5 queries" is the load-bearing number: it is the median across the tested models and attack scenarios, not a worst-case or a single lucky run. The "context-specific" is the load-bearing method: the attacks that achieve the 5-query result are engineered to the target's deployed context, not generic payloads drawn from a jailbreak corpus.

The contrast with generic jailbreaks is the whole finding. Generic jailbreaks — the DAN prompts, the role-play wrappers, the encoding tricks that circulate in the jailbreak community — have a declining success rate as providers patch against them. A generic jailbreak that worked against a model six months ago often does not work today, because the refusal training was calibrated against the known patterns. RedAgent's contribution is to show that context-specific attacks, which cannot be pre-calibrated because they depend on the deployed context, achieve the 5-query median against the same models. The defense that stops the generic pattern does not stop the context-specific attack, because the two have different signatures.

This is the precise claim, and it is the one that matters for architecture: **the refusal layer, as a standalone defense, falls in 5 queries to an attacker who can observe the deployed context.** That is not a defense you build an architecture around. It is a layer.

## Why context-specific attacks outperform generic jailbreaks

A generic jailbreak is a static payload. It is the same string (or the same template) regardless of what model it targets, what system prompt the model is running, what tools the model has, or what the conversation history is. The refusal layer is trained against these patterns — providers actively red-team against known jailbreak corpora and calibrate the refusal to recognize them. A generic jailbreak is, in effect, attacking a defense that has seen the attack before.

A context-specific attack is engineered to the deployed context. The attacker observes (or infers) the target's system prompt, its tool surface, its conversation history, and crafts a payload that is coherent with that context. The payload does not look like a known jailbreak pattern — it looks like a legitimate continuation of the conversation the model is already having, or a legitimate use of a tool the model already has. The refusal layer, calibrated against generic patterns, does not recognize it as an attack, because its signature is unique to the deployed context.

The mechanism is the same one that makes indirect prompt injection (SDD-B03) effective: the model cannot reliably distinguish "this is data I should treat cautiously" from "this is a legitimate instruction in my current context," because both arrive as text in the same channel. A context-specific jailbreak exploits this by making the attack indistinguishable from the context the model is already operating in. The defense (refusal training) is calibrated against out-of-context patterns; the attack is in-context.

## The 5-query attack chain

RedAgent's 5-query chain is not a single payload; it is a sequence that converges on a successful jailbreak through iterative context-alignment. The structure:

- **Query 1 — Context reconnaissance.** The attacker probes the deployed context: what is the system prompt (or what can be inferred about it), what tools does the model have, what is the conversation structure. This query is benign — it does not attempt the jailbreak. It maps the surface the subsequent queries will align to.
- **Queries 2-4 — Context-aligned payload crafting.** The attacker crafts a payload that is coherent with the reconnaissance. Each query refines the alignment: the payload is phrased to look like a legitimate use of the observed tools, a legitimate continuation of the inferred conversation, or a legitimate request within the inferred system-prompt boundaries. Each query that does not fully succeed still provides signal (how the model responded, where the refusal triggered), which the next query uses to refine the alignment.
- **Query 5 — Success confirmation.** The converged payload is submitted. If the context-alignment succeeded, the model produces the disallowed content (or takes the disallowed action) because the request does not trip the refusal training's generic-pattern detectors. The 5-query median is the point at which the iterative alignment converges.

The key property: each query reduces the model's refusal probability by making the payload more context-coherent. The first query has a low success rate (the payload is not yet aligned); the fifth query has a high success rate (the alignment has converged). This is why the result is "within 5 queries" rather than "in 1 query" — the context-specificity requires iteration, and the iteration is what makes it effective against a defense calibrated against single-shot generic patterns.

## What the 5-query median implies

The 5-query median is the empirical refutation of the refusal layer as a standalone defense. If an attacker with black-box access — the access any user of a production agent has — can jailbreak the model in 5 queries by observing the deployed context, then the refusal layer is not the boundary. It is a delay, and a short one.

This does not mean the refusal layer is useless. It raises the bar (5 context-specific queries require more skill than 1 generic copy-paste), it stops the casual attacker, and it provides a signal that a more sophisticated defense (the harness layer, SDD-B04/SDD-B05) can act on. But it does mean that an architecture that relies on the refusal layer alone — "the model will refuse, so we are safe" — is an architecture with a 5-query bypass. The harness defenses are not optional hardening; they are necessary precisely because the model layer will be bypassed.

---

# B06.2 — Why Context-Specificity Defeats Generic Defenses

*The deployed context is the attack surface, and the defense-in-depth thesis arrives at the model.*

## The deployed context as the attack surface

The RedAgent finding reframes the attack surface. For the harness attacks (SDD-B04, SDD-B05), the surface was the governance layer — the judge, the compilation pipeline, the isolate. For the model-level attack, the surface is the deployed context itself: the system prompt that configures the model's behavior, the tool surface the model can call, and the conversation history that shapes the model's interpretation of new inputs.

These are not surfaces the model provider controls. The provider trains the refusal layer; the deployer configures the system prompt, selects the tools, and generates the conversation history. A context-specific attack exploits the deployer's configuration, not the provider's training — and the provider's refusal training cannot be pre-calibrated against configurations it has not seen. This is why the attack works against models whose generic-jailbreak resistance is high: the defense is calibrated against the wrong surface.

The implication for a red-team: the deployed context is the reconnaissance target. Query 1 of the 5-query chain is not a formality; it is the attack's dependence on the surface that the refusal training does not cover. An engagement that runs RedAgent-style testing must map the deployed context (system prompt, tools, conversation structure) as the first step — the same way a traditional pentest maps the network before attacking it.

## Why pattern-calibrated refusal training fails

The refusal layer is trained to recognize and refuse disallowed requests. The training is, necessarily, pattern-based: the provider shows the model examples of disallowed requests (during RLHF or a safety fine-tune) and reinforces refusal. The patterns the model learns are the patterns in the training set — which is to say, the known jailbreak patterns at the time of training.

A context-specific attack does not match those patterns. Its signature is unique to the deployed context: a request that looks like a legitimate use of a specific tool, phrased in the style of a specific system prompt, building on a specific conversation history. The refusal training has never seen this exact signature, because it has never seen this exact context. The model's pattern-matching — which is what the refusal layer is — does not fire, because the pattern is novel. This is the same structural property as a zero-day in traditional security: the defense recognizes known threats; it does not recognize novel ones.

This is not a flaw the provider can fully fix. They can broaden the training patterns (red-team harder, include more diverse jailbreak attempts), but the space of possible deployed contexts is unbounded — they cannot pre-calibrate against every system prompt, every tool configuration, every conversation history. The residual is structural: pattern-calibrated defense has a novel-pattern bypass, and context-specific attacks are how that bypass is reached.

## The defense-in-depth thesis, at the model

The RedAgent finding is where B2's thesis — no single layer suffices — arrives at the model layer. The argument has three steps, and this deep-dive is the third:

1. **SDD-B03 measured it.** Layered defenses reach single-digit injection rates where single defenses sit near the baseline. The delta is the evidence.
2. **SDD-B04 and SDD-B05 demonstrated it at the harness layer.** CrabTrap has residuals; IronCurtain has residuals. No single harness defense suffices.
3. **SDD-B06 demonstrates it at the model layer.** The refusal layer — the defense closest to the content — falls in 5 queries to a context-specific attack. The model layer, like the harness layer, does not suffice alone.

The synthesis: an architecture that relies on any single layer (refusal training alone, a harness judge alone, a deterministic policy alone) has a bypass. The refusal layer falls in 5 queries; the harness judge is injectable (SDD-B04); the deterministic policy has compilation residuals (SDD-B05). The only architecture that holds is layered: the refusal layer raises the bar and provides signal, the harness layer governs the actions the model takes, and the deterministic layer provides the boundary the probabilistic layers cannot. Each layer's bypass is bounded by the others.

This is why the RedAgent finding, despite being a model-level attack, is load-bearing for the harness architecture. It proves that the harness is not optional hardening around a reliable model — it is the necessary defense precisely because the model layer will be bypassed. The 5-query result is the empirical justification for the entire SDD-B04/SDD-B05 prescription.

---

# B06.3 — Engagement Practice and the Dual-Use Disclosure

*Running RedAgent-style testing under B0, measuring success rates, and resolving the dual-use dilemma.*

## Scoping under B0's authorization chain

RedAgent-style testing attacks the model's refusal training — a provider-controlled surface (per B0). The authorization chain from B0 applies in full: the deployer can authorize testing of their system, but they cannot authorize violation of the provider's terms. Before running the 5-query chain against a production agent that calls a commercial model, the engagement must verify one of: (a) the provider's ToS explicitly permits jailbreak testing, (b) a provider-issued waiver or preview-program enrollment is on file, or (c) the model is self-hosted or open-weights and the deployer owns it.

This is the B0 provider-authorization check, made concrete for the model-level attack. The check is not optional. Several providers' acceptable-use policies explicitly prohibit jailbreaking; running the 5-query chain without authorization is a ToS breach, and in some readings a CFAA exposure. The engagement scope file must carry a `provider_authorization` entry for the `jailbreak` technique, and the harness gate must enforce it before the first query.

The dual-use clause is equally non-optional. The RoE must specify, before testing: will the working 5-query chain be shared with the provider only, published as existence-plus-severity, or withheld as pure-misuse? This decision is not made when the jailbreak succeeds — it is made when the contract is signed.

## Measuring success rates over N attempts

A single successful 5-query jailbreak is a weak finding (per B0 and SDD-B03). The honest measurement is a success rate over N attempts: run the 5-query chain M times against the target, under fixed sampling parameters (temperature, model version), and report the success rate (e.g., "62% of 5-query chains succeeded against model version X at temperature 1.0").

The parameters that affect reproducibility — model version, temperature, sampling config, the deployed context at test time — must be recorded with every run. The model version is the single most important field: providers ship silent updates, and a finding against version N may not reproduce against version N+1. The success rate, not the single success, is the finding that goes into the report and the CVD coordination.

The RedAgent methodology is well-suited to this measurement because the 5-query chain is repeatable. Unlike a single-shot jailbreak (which may be a lucky sample), the iterative context-alignment produces a convergent chain that can be run M times to establish the rate. The rate is the effectiveness claim about the refusal layer — and the before/after delta (refusal success rate before and after a provider mitigation) is the honest metric for whether the mitigation worked.

## RedAgent-style testing in a B12 engagement

In a B12 engagement (the capstone assessment module), RedAgent-style testing is the model-layer component of a defense-in-depth assessment. The structure:

1. **Map the deployed context.** Treat the system prompt, tool surface, and conversation structure as the attack surface. Query 1 of the 5-query chain is this map.
2. **Run the 5-query chain, measured.** Execute the chain M times under fixed parameters. Report the success rate, not a single success. Record model version, temperature, sampling config, deployed context.
3. **Correlate with the harness assessment.** The RedAgent result establishes the model-layer residual; the SDD-B04/SDD-B05 harness assessment establishes the harness-layer residual. The architecture's overall injection resistance is the combination — and a model layer that falls in 5 queries makes the harness layer's strength the load-bearing question.
4. **Prescribe the layered defense.** The finding motivates the layered prescription: the refusal layer (provider-managed, raises the bar), the harness layer (deployer-managed, governs actions), the deterministic layer (the boundary the probabilistic layers cannot provide). The RedAgent result is the justification for not relying on the refusal layer alone.

## The dual-use dilemma in its sharpest form

A working 5-query jailbreak is the dual-use dilemma (B0.2) in its sharpest form. It is simultaneously:

- **The most valuable model-level finding.** It proves the refusal layer's limits, measurably (a 62% success rate over M attempts). It advances the defensive understanding: the deployed context is the attack surface, and pattern-calibrated refusal has a novel-pattern bypass. This is the finding that justifies the harness architecture.
- **The most dangerous misuse recipe.** It is a concrete, copy-paste-usable chain that bypasses refusal — and unlike a buffer-overflow exploit (which requires skill to weaponize), a jailbreak prompt is usable by a non-technical attacker. Publishing the chain hands a weapon to anyone who reads it.

The four B0 disclosure principles resolve the tension, and RedAgent findings are where they bite hardest:

1. **Provider first, always.** The provider gets a private report with the working chain under NDA before any external communication. The chain is shared only with the provider, under the engagement's confidentiality terms.
2. **Existence and severity, not the recipe, by default.** A responsible advisory says "we found a context-specific technique that bypasses refusal with X% success on model Y; the provider has been notified." It does not include the 5-query chain unless the provider consents and the technique is independently well-known.
3. **Longer embargo.** A model-level finding (the refusal layer) is on the 180-day track (per B0), not the 90-day software track. The mitigation is a retraining/RLHF round or a model-version bump, measured in months.
4. **Withhold pure-misuse with no defensive lesson.** If a specific 5-query chain has no defensive lesson beyond "this model can be jailbroken" (no new technique class, no architectural insight), the responsible choice is often provider-only disclosure. The defensive value of publishing the chain is near zero; the misuse risk is high.

The decision of which principle applies to a given finding is made in the RoE before testing — not when the chain succeeds. An engagement that runs RedAgent-style testing without a dual-use clause is an engagement that will fail at exactly the moment a serious finding appears.

---

## Anti-Patterns

### Relying on the refusal layer as a standalone defense
"The model is safety-trained; it will refuse disallowed requests." Cure: RedAgent finds most black-box LLMs jailbreak within 5 queries via context-specific attacks. The refusal layer is a layer, not a boundary. The harness defenses (SDD-B04, SDD-B05) are necessary precisely because this layer will be bypassed.

### Reporting a single successful jailbreak as the finding
"I jailbroke the model in 5 queries." Cure: a single success is a weak finding (anecdote). The honest measurement is a success rate over N attempts under fixed sampling parameters. Report the rate (e.g., 62% over M chains), the model version, the temperature. No rate, no finding.

### Running RedAgent-style testing without provider authorization
"The deployer authorized testing of their agent, so I can jailbreak the model it calls." Cure: the deployer cannot authorize violation of the provider's terms. The B0 provider-authorization check must verify ToS permission, a waiver, or self-hosted ownership before the first query. The `jailbreak` technique needs a `provider_authorization` entry in the scope file.

### Publishing the working 5-query chain in the advisory
"Including the chain proves the finding and helps the community." Cure: publish existence and severity, not the recipe, by default (B0). A copy-paste-usable chain is a misuse weapon. Share the chain with the provider under NDA; withhold publication unless the provider consents and there is a defensive lesson. The decision was made in the RoE.

### Treating the model-layer finding as independent of the harness
"The model jailbreaks in 5 queries, but our harness (CrabTrap/IronCurtain) stops the actions, so it doesn't matter." Cure: the model-layer finding and the harness-layer finding are correlated, not independent. A model that falls in 5 queries makes the harness layer the load-bearing defense — and the harness has its own residuals (SDD-B04, SDD-B05). The architecture's overall injection resistance is the combination, and the RedAgent result is the justification for not relying on any single layer.

### Using generic jailbreaks and reporting the low success rate as the finding
"I tried 20 known DAN prompts and only 1 worked; the model is well-defended." Cure: generic jailbreaks have a declining success rate because providers patch against known patterns. The RedAgent finding is specifically about context-specific attacks, which bypass the pattern-calibrated defense. Test the context-specific surface, not the generic corpus — or the low success rate is an artifact of testing the wrong attack class.

---

## Key Terms

| Term | Definition |
| --- | --- |
| **RedAgent finding** | Most black-box LLMs jailbreak within 5 queries using context-specific attacks; the empirical refutation of the refusal layer as a standalone defense |
| **Context-specific attack** | A jailbreak engineered to the deployed context (system prompt, tools, conversation history); bypasses pattern-calibrated refusal because its signature is novel |
| **Generic jailbreak** | A static payload (DAN, role-play, encoding tricks) with a declining success rate as providers patch against known patterns |
| **5-query chain** | RedAgent's attack structure: query 1 reconnaissance, queries 2-4 context-aligned crafting, query 5 success confirmation; the median convergence point |
| **Deployed context** | The model-level attack surface: the system prompt, tool surface, and conversation history that a context-specific attack aligns to |
| **Pattern-calibrated refusal** | Refusal training based on known jailbreak patterns; has a novel-pattern bypass (the structural residual context-specific attacks exploit) |
| **Defense-in-depth at the model** | B2's thesis at the model layer: the refusal layer falls in 5 queries, so the harness defenses are necessary, not optional — no single layer suffices |
| **Dual-use dilemma (sharpest form)** | A working 5-query jailbreak is both the most valuable model finding and the most dangerous misuse recipe; resolved by the four B0 disclosure principles |

---

## Lab Exercise

See `07-lab-spec.md`. The lab has you build a context-specific 5-query attack simulator (reconnaissance, context-aligned crafting, confirmation against a simulated refusal layer), measure the success rate over N chains, contrast it with a generic-jailbreak baseline, and walk through the dual-use disclosure decision under the four B0 principles. No GPU; Python 3.10+ with type hints; the refusal layer and the deployed context are simulated so the lab runs deterministically offline.

---

## References

1. **RedAgent (2026)** — the finding that most black-box LLMs jailbreak within 5 queries using context-specific attacks. The primary subject of this deep-dive.
2. **Course 2B B0** — the authorization chain (provider ToS, provider-authorization check), the dual-use dilemma, and the four disclosure principles that govern a RedAgent finding's handling.
3. **Course 2B B2** — the injection-defense layer; the defense-in-depth thesis (no single layer suffices) that the RedAgent finding arrives at the model layer.
4. **Course 2B SDD-B03 (InjecAgent)** — the measurement instrument; the RedAgent success rate over N chains is the model-layer analogue of the InjecAgent injection-rate delta.
5. **Course 2B SDD-B04 (CrabTrap Offensive Analysis)** — the harness-layer attack; the RedAgent finding justifies why the harness is necessary (the model layer will be bypassed).
6. **Course 2B SDD-B05 (IronCurtain Offensive Analysis)** — the strongest harness defense and its residuals; the RedAgent finding completes the argument that no single layer (model or harness) suffices.
7. **Course 2B B12** — the capstone assessment module where RedAgent-style testing is the model-layer component of a defense-in-depth assessment.
8. **OWASP Agentic AI Top 10 (2026)** — the context-specific jailbreak maps to ASI01 (goal hijacking) at the model layer, distinct from the harness-layer ASI05/ASI07.
9. **Provider acceptable-use policies** — the ToS layer that governs whether jailbreak testing is authorized; the B0 provider-authorization check for the `jailbreak` technique.
10. **Coordinated disclosure norms (CERT/CC, Project Zero)** — the baseline extended to ~180 days for model-level findings (per B0); the RedAgent finding's coordination window.