RedAgent: Black-Box Jailbreaking

SDD-B06 · Course 2B — Securing & Attacking Harnesses and LLMs

45 minutes · The model-level attack

RedAgent (2026) finds most black-box LLMs jailbreak within 5 queries using context-specific attacks. We leave the harness (SDD-B04, SDD-B05) and target the model's refusal training directly. The 5-query result proves the refusal layer is a layer, not a boundary — and a working chain is the dual-use dilemma in its sharpest form.

Deep-Dives · SDD-B06

The finding, stated precisely

Most black-box LLMs jailbreak within 5 queries using context-specific attacks. The "within 5 queries" is the median across tested models, not a single lucky run. The "context-specific" is the method: attacks engineered to the deployed context, not generic payloads.
Attack classDefense encounterResult
Generic jailbreak (DAN, role-play, encoding)Matches a known pattern in refusal trainingDeclining success rate — providers patch against known patterns
Context-specific (RedAgent)Novel signature — no pattern match5-query median — the defense stops generic, not context-specific

B06.1 — The finding and the 5-query chain

What the result means

Why context-specific beats generic

Generic jailbreak: a static payload, the same string regardless of target. The refusal layer is trained against known patterns — providers red-team against jailbreak corpora. The defense has seen the attack before.
Context-specific attack: engineered to the deployed context (system prompt, tools, conversation). The payload looks like a legitimate continuation, not a known jailbreak. The refusal layer does not fire — the signature is novel.
Same mechanism as indirect injection (SDD-B03): the model cannot distinguish "data to treat cautiously" from "a legitimate instruction in my context." A context-specific jailbreak is indistinguishable from the context the model is already in.

The 5-query chain

QUERY 1 — RECONNAISSANCE      (benign — map the deployed context)
   │  system prompt · tools · conversation structure
   ▼
QUERY 2 — FIRST CRAFT          (low success — not yet aligned)
   │  payload phrased as legit tool use / conversation continuation
   ▼  (use refusal signal to refine)
QUERY 3 — REFINE               (lower refusal — aligning)
   ▼
QUERY 4 — REFINE               (low refusal — nearly aligned)
   ▼
QUERY 5 — CONFIRM              (converged — does not trip detectors)
   → SUCCESS (if alignment converged)
Each query reduces refusal probability by making the payload more context-coherent. The 5-query median is the convergence point — context-specificity requires iteration, and the iteration defeats a defense calibrated against single-shot generic patterns.

B06.2 — Why context-specificity defeats generic defenses

The deployed context is the attack surface

The deployed context is the attack surface

SurfaceControlled byPre-calibrated in refusal training?
Model weightsProviderYes (the training itself)
System promptDeployerNo — unbounded space
Tool surfaceDeployerNo
Conversation historyDeployerNo
The provider cannot fully fix this. They can broaden training patterns, but the space of deployed contexts is unbounded. The residual is structural: pattern-calibrated defense has a novel-pattern bypass. The model-layer analogue of a zero-day.

Defense-in-depth, at the model

The RedAgent finding is where B2's thesis — no single layer suffices — arrives at the model layer.
  1. Layer 1 — Refusal training (the model): falls in 5 queries (context-specific). Raises the bar, provides signal. NOT a boundary.
  2. Layer 2 — Harness governance (SDD-B04/B05): judge is injectable; deterministic has compilation residual. Necessary BECAUSE Layer 1 falls.
  3. Layer 3 — Deterministic boundary: the boundary the probabilistic layers cannot provide. Has its own residuals (B05) but is load-bearing.
The 5-query result is the empirical justification for the entire harness architecture. The harness is not optional hardening around a reliable model — it is the necessary defense because the model layer will be bypassed.

B06.3 — Engagement practice & dual-use disclosure

Scoping, measuring, disclosing

Measuring: success rate, not single success

A single successful 5-query jailbreak is a weak finding (anecdote). The honest measurement is a success rate over N attempts under fixed sampling parameters.

Run the 5-query chain M times. Record with every run: model version (most important — silent updates), temperature, sampling config, deployed context at test time.

Report the rate (e.g. "62% of 5-query chains succeeded against model Y at temp 1.0"). The before/after delta (refusal success rate before and after a provider mitigation) is the honest metric for whether the mitigation worked.

The dual-use dilemma in its sharpest form

Most valuable model finding — proves the refusal layer's limits, measurably. The deployed context is the attack surface. Justifies the harness architecture.
Most dangerous misuse recipe — copy-paste-usable by a non-technical attacker. Narrower gap than a buffer-overflow exploit. Publishing hands a weapon to anyone.
Four B0 principles resolve it: (1) provider first, always; (2) publish existence + severity, not the recipe, by default; (3) ≥180-day embargo for model-level; (4) withhold pure-misuse with no defensive lesson. The decision was made in the RoE before testing — not when the chain succeeded.

Scoping under B0

RedAgent-style testing attacks the refusal layer — a provider-controlled surface. The deployer cannot authorize violation of the provider's terms.

Before the first query, verify one of: (a) provider ToS explicitly permits jailbreak testing; (b) a provider waiver / preview enrollment is on file; (c) the model is self-hosted and the deployer owns it.

The scope file must carry a provider_authorization entry for the jailbreak technique, and the harness gate must enforce it. Several providers' AUPs explicitly prohibit jailbreaking — running the chain without authorization is a ToS breach.

Lab & what's next

Lab (07): build a context-specific 5-query attack simulator (recon → craft → confirm against a simulated refusal layer), measure the success rate over N chains, contrast with a generic-jailbreak baseline, walk through the dual-use disclosure decision. No GPU; Python 3.10+, type hints, runs offline.

Next — SDD-B07: Agent SBOM and Supply Chain Assessment. We leave the model and the harness and attack the supply chain: the dependencies, the model registry, the tool sources. The agent's SBOM is the attack surface you cannot see — and a compromised dependency bypasses every layer we have built.