RedAgent: Black-Box Jailbreaking
SDD-B06 · Course 2B — Securing & Attacking Harnesses and LLMs
45 minutes · The model-level attack
RedAgent (2026) finds most black-box LLMs jailbreak within 5 queries using context-specific attacks. We leave the harness (SDD-B04, SDD-B05) and target the model's refusal training directly. The 5-query result proves the refusal layer is a layer, not a boundary — and a working chain is the dual-use dilemma in its sharpest form.
Deep-Dives · SDD-B06
The finding, stated precisely
Most black-box LLMs jailbreak within 5 queries using context-specific attacks. The "within 5 queries" is the median across tested models, not a single lucky run. The "context-specific" is the method: attacks engineered to the deployed context, not generic payloads.
| Attack class | Defense encounter | Result |
| Generic jailbreak (DAN, role-play, encoding) | Matches a known pattern in refusal training | Declining success rate — providers patch against known patterns |
| Context-specific (RedAgent) | Novel signature — no pattern match | 5-query median — the defense stops generic, not context-specific |
B06.1 — The finding and the 5-query chain
What the result means
Why context-specific beats generic
Generic jailbreak: a static payload, the same string regardless of target. The refusal layer is trained against known patterns — providers red-team against jailbreak corpora. The defense has seen the attack before.
Context-specific attack: engineered to the deployed context (system prompt, tools, conversation). The payload looks like a legitimate continuation, not a known jailbreak. The refusal layer does not fire — the signature is novel.
Same mechanism as indirect injection (SDD-B03): the model cannot distinguish "data to treat cautiously" from "a legitimate instruction in my context." A context-specific jailbreak is indistinguishable from the context the model is already in.
The 5-query chain
QUERY 1 — RECONNAISSANCE (benign — map the deployed context)
│ system prompt · tools · conversation structure
▼
QUERY 2 — FIRST CRAFT (low success — not yet aligned)
│ payload phrased as legit tool use / conversation continuation
▼ (use refusal signal to refine)
QUERY 3 — REFINE (lower refusal — aligning)
▼
QUERY 4 — REFINE (low refusal — nearly aligned)
▼
QUERY 5 — CONFIRM (converged — does not trip detectors)
→ SUCCESS (if alignment converged)
Each query reduces refusal probability by making the payload more context-coherent. The 5-query median is the convergence point — context-specificity requires iteration, and the iteration defeats a defense calibrated against single-shot generic patterns.
B06.2 — Why context-specificity defeats generic defenses
The deployed context is the attack surface
The deployed context is the attack surface
| Surface | Controlled by | Pre-calibrated in refusal training? |
| Model weights | Provider | Yes (the training itself) |
| System prompt | Deployer | No — unbounded space |
| Tool surface | Deployer | No |
| Conversation history | Deployer | No |
The provider cannot fully fix this. They can broaden training patterns, but the space of deployed contexts is unbounded. The residual is structural: pattern-calibrated defense has a novel-pattern bypass. The model-layer analogue of a zero-day.
Defense-in-depth, at the model
The RedAgent finding is where B2's thesis — no single layer suffices — arrives at the model layer.
- Layer 1 — Refusal training (the model): falls in 5 queries (context-specific). Raises the bar, provides signal. NOT a boundary.
- Layer 2 — Harness governance (SDD-B04/B05): judge is injectable; deterministic has compilation residual. Necessary BECAUSE Layer 1 falls.
- Layer 3 — Deterministic boundary: the boundary the probabilistic layers cannot provide. Has its own residuals (B05) but is load-bearing.
The 5-query result is the empirical justification for the entire harness architecture. The harness is not optional hardening around a reliable model — it is the necessary defense because the model layer will be bypassed.
B06.3 — Engagement practice & dual-use disclosure
Scoping, measuring, disclosing
Measuring: success rate, not single success
A single successful 5-query jailbreak is a weak finding (anecdote). The honest measurement is a success rate over N attempts under fixed sampling parameters.
Run the 5-query chain M times. Record with every run: model version (most important — silent updates), temperature, sampling config, deployed context at test time.
Report the rate (e.g. "62% of 5-query chains succeeded against model Y at temp 1.0"). The before/after delta (refusal success rate before and after a provider mitigation) is the honest metric for whether the mitigation worked.
The dual-use dilemma in its sharpest form
Most valuable model finding — proves the refusal layer's limits, measurably. The deployed context is the attack surface. Justifies the harness architecture.
Most dangerous misuse recipe — copy-paste-usable by a non-technical attacker. Narrower gap than a buffer-overflow exploit. Publishing hands a weapon to anyone.
Four B0 principles resolve it: (1) provider first, always; (2) publish existence + severity, not the recipe, by default; (3) ≥180-day embargo for model-level; (4) withhold pure-misuse with no defensive lesson. The decision was made in the RoE before testing — not when the chain succeeded.
Scoping under B0
RedAgent-style testing attacks the refusal layer — a provider-controlled surface. The deployer cannot authorize violation of the provider's terms.
Before the first query, verify one of: (a) provider ToS explicitly permits jailbreak testing; (b) a provider waiver / preview enrollment is on file; (c) the model is self-hosted and the deployer owns it.
The scope file must carry a provider_authorization entry for the jailbreak technique, and the harness gate must enforce it. Several providers' AUPs explicitly prohibit jailbreaking — running the chain without authorization is a ToS breach.
Lab & what's next
Lab (07): build a context-specific 5-query attack simulator (recon → craft → confirm against a simulated refusal layer), measure the success rate over N chains, contrast with a generic-jailbreak baseline, walk through the dual-use disclosure decision. No GPU; Python 3.10+, type hints, runs offline.
Next — SDD-B07: Agent SBOM and Supply Chain Assessment. We leave the model and the harness and attack the supply chain: the dependencies, the model registry, the tool sources. The agent's SBOM is the attack surface you cannot see — and a compromised dependency bypasses every layer we have built.