Teaching Script — SDD-B06: RedAgent: Black-Box Jailbreaking

Course: Course 2B — Securing & Attacking Harnesses and LLMs Module: SDD-B06 — RedAgent: Black-Box Jailbreaking Duration: ~30 minutes (spoken at ~140 wpm) Format: Verbatim transcript with [SLIDE N] cues. Read aloud or use as speaker notes.


[SLIDE 1 — Title]

This is the model-level attack. SDD-B04 and SDD-B05 attacked the harness — CrabTrap's judge, IronCurtain's compilation pipeline and isolate boundary. The assumption was that the harness is the attack surface because the model's refusal training is, if not unbreakable, at least expensive to break. This deep-dive tests that assumption directly.

RedAgent, from 2026, finds that most black-box LLMs — the frontier commercial models behind the APIs that production agents call — can be jailbroken within five queries using context-specific attacks. The within-five-queries is the load-bearing number. The context-specific is the load-bearing method. And a working five-query chain is the dual-use dilemma in its sharpest form.

[SLIDE 2 — The finding, stated precisely]

The finding, stated precisely. Most black-box LLMs jailbreak within five queries using context-specific attacks. The within-five-queries is the median across tested models and scenarios, not a single lucky run. The context-specific is the method — the attacks are engineered to the deployed context, not generic payloads drawn from a jailbreak corpus.

The contrast with generic jailbreaks is the whole finding. Generic jailbreaks — the DAN prompts, the role-play wrappers, the encoding tricks — have a declining success rate. Providers actively red-team against known jailbreak corpora and calibrate the refusal to recognize them. A generic jailbreak is attacking a defense that has seen the attack before. RedAgent's contribution is to show that context-specific attacks, which cannot be pre-calibrated because they depend on the deployed context, achieve the five-query median against the same models. The defense that stops the generic pattern does not stop the context-specific attack, because the two have different signatures.

[SLIDE 3 — B06.1 The finding and the 5-query chain]

Sub-section one. The finding and the five-query chain.

[SLIDE 4 — Why context-specific beats generic]

Why context-specific attacks outperform generic jailbreaks. A generic jailbreak is a static payload — the same string regardless of target. The refusal layer is trained against these patterns. A context-specific attack is engineered to the deployed context. The attacker observes, or infers, the system prompt, the tool surface, the conversation history, and crafts a payload coherent with that context. The payload does not look like a known jailbreak — it looks like a legitimate continuation of the conversation, or a legitimate use of a tool. The refusal layer, calibrated against generic patterns, does not recognize it.

The mechanism is the same one that makes indirect prompt injection effective, from SDD-B03. The model cannot reliably distinguish data it should treat cautiously from a legitimate instruction in its current context, because both arrive as text. A context-specific jailbreak is indistinguishable from the context the model is already operating in. The defense is calibrated against out-of-context patterns; the attack is in-context.

[SLIDE 5 — The 5-query chain]

The five-query chain is not a single payload. It is a sequence that converges on a successful jailbreak through iterative context-alignment. Query one is reconnaissance. The attacker probes the deployed context — what is the system prompt, what tools does the model have, what is the conversation structure. This query is benign. It maps the surface. Queries two through four are context-aligned payload crafting. Each query refines the alignment. The payload is phrased to look like a legitimate use of the observed tools or a continuation of the inferred conversation. Each query that does not fully succeed provides signal — how the model responded, where the refusal triggered — which the next query uses. Query five is the converged payload. If the alignment succeeded, the model produces the disallowed content because the request does not trip the refusal training's generic-pattern detectors.

The key property. Each query reduces the refusal probability by making the payload more context-coherent. The five-query median is the point at which the iterative alignment converges. This is why the result is within five queries rather than in one query — context-specificity requires iteration, and the iteration defeats a defense calibrated against single-shot generic patterns.

[SLIDE 6 — B06.2 Why context-specificity defeats generic defenses]

Sub-section two. Why context-specificity defeats generic defenses.

[SLIDE 7 — The deployed context is the attack surface]

The RedAgent finding reframes the attack surface. For the harness attacks, the surface was the governance layer. For the model-level attack, the surface is the deployed context itself — the system prompt, the tool surface, the conversation history. These are not surfaces the model provider controls. The provider trains the refusal layer. The deployer configures the system prompt, selects the tools, generates the conversation. A context-specific attack exploits the deployer's configuration, and the provider's refusal training cannot be pre-calibrated against configurations it has not seen.

The provider cannot fully fix this. They can broaden the training patterns, but the space of possible deployed contexts is unbounded. They cannot pre-calibrate against every system prompt, every tool configuration, every conversation history. The residual is structural. Pattern-calibrated defense has a novel-pattern bypass, and context-specific attacks are how that bypass is reached. This is the model-layer analogue of a zero-day. The defense recognizes known threats; it does not recognize novel ones.

[SLIDE 8 — Defense-in-depth, at the model]

The RedAgent finding is where B2's thesis — no single layer suffices — arrives at the model layer. The argument has three steps. SDD-B03 measured it — layered defenses reach single-digit injection rates. SDD-B04 and SDD-B05 demonstrated it at the harness layer — CrabTrap has residuals, IronCurtain has residuals. SDD-B06 demonstrates it at the model layer — the refusal layer falls in five queries.

The synthesis. An architecture that relies on any single layer has a bypass. The refusal layer falls in five queries. The harness judge is injectable. The deterministic policy has compilation residuals. The only architecture that holds is layered — the refusal layer raises the bar and provides signal, the harness governs the actions, the deterministic layer provides the boundary. Each layer's bypass is bounded by the others. The five-query result is the empirical justification for the entire harness architecture. The harness is not optional hardening around a reliable model — it is the necessary defense because the model layer will be bypassed.

[SLIDE 9 — B06.3 Engagement practice and dual-use disclosure]

Sub-section three. Engagement practice and the dual-use disclosure.

[SLIDE 10 — Measuring: success rate, not single success]

A single successful five-query jailbreak is a weak finding. The honest measurement is a success rate over N attempts. Run the five-query chain M times against the target, under fixed sampling parameters — temperature, model version, deployed context. Report the rate. Sixty-two percent of five-query chains succeeded against model Y at temperature one point zero, for example.

The parameters that affect reproducibility must be recorded. Model version is the single most important field — providers ship silent updates, and a finding against version N may not reproduce against version N plus one. The success rate, not the single success, is the finding that goes into the report. And the before-and-after delta — refusal success rate before and after a provider mitigation — is the honest metric for whether the mitigation worked.

[SLIDE 11 — The dual-use dilemma in its sharpest form]

A working five-query jailbreak is the dual-use dilemma in its sharpest form. It is simultaneously the most valuable model-level finding — it proves the refusal layer's limits, measurably, and justifies the harness architecture — and the most dangerous misuse recipe — it is copy-paste-usable by a non-technical attacker, and the gap between research and offensive capability is narrower than for a buffer-overflow exploit.

The four B0 disclosure principles resolve it. Provider first, always — the provider gets a private report with the chain under NDA before any external communication. Publish existence and severity, not the recipe, by default. Longer embargo — a model-level finding is on the one-hundred-eighty-day track, not ninety. And withhold pure-misuse content with no defensive lesson. The decision of which principle applies is made in the RoE before testing, not when the chain succeeds. A specific five-query chain most often has no defensive lesson beyond this model can be jailbroken — the general insight is publishable as a technique class, but the specific chain is pure misuse. Provider-only disclosure is the most common outcome.

[SLIDE 12 — Scoping under B0]

RedAgent-style testing attacks the refusal layer — a provider-controlled surface. The B0 authorization chain applies in full. The deployer can authorize testing of their system, but cannot authorize violation of the provider's terms. Before running the five-query chain, the engagement must verify one of: the provider's ToS explicitly permits jailbreak testing, a provider waiver or preview enrollment is on file, or the model is self-hosted and the deployer owns it.

The scope file must carry a provider-authorization entry for the jailbreak technique, and the harness gate must enforce it. Several providers' acceptable-use policies explicitly prohibit jailbreaking. Running the chain without authorization is a ToS breach. The dual-use clause is equally non-optional — the RoE must specify, before testing, whether the chain will be provider-only, published as existence-plus-severity, or withheld as pure-misuse.

[SLIDE 13 — Lab and what's next]

The lab has you build a context-specific five-query attack simulator — reconnaissance, context-aligned crafting, confirmation against a simulated refusal layer — measure the success rate over N chains, contrast it with a generic-jailbreak baseline, and walk through the dual-use disclosure decision under the four B0 principles. No GPU; Python 3.10 plus with type hints, runs offline. Next: SDD-B07, Agent SBOM and Supply Chain Assessment. We leave the model and the harness and attack the supply chain — the dependencies, the model registry, the tool sources. The agent's SBOM is the attack surface you cannot see, and a compromised dependency bypasses every layer we have built.

# Teaching Script — SDD-B06: RedAgent: Black-Box Jailbreaking

**Course**: Course 2B — Securing & Attacking Harnesses and LLMs
**Module**: SDD-B06 — RedAgent: Black-Box Jailbreaking
**Duration**: ~30 minutes (spoken at ~140 wpm)
**Format**: Verbatim transcript with `[SLIDE N]` cues. Read aloud or use as speaker notes.

---

[SLIDE 1 — Title]

This is the model-level attack. SDD-B04 and SDD-B05 attacked the harness — CrabTrap's judge, IronCurtain's compilation pipeline and isolate boundary. The assumption was that the harness is the attack surface because the model's refusal training is, if not unbreakable, at least expensive to break. This deep-dive tests that assumption directly.

RedAgent, from 2026, finds that most black-box LLMs — the frontier commercial models behind the APIs that production agents call — can be jailbroken within five queries using context-specific attacks. The within-five-queries is the load-bearing number. The context-specific is the load-bearing method. And a working five-query chain is the dual-use dilemma in its sharpest form.

[SLIDE 2 — The finding, stated precisely]

The finding, stated precisely. Most black-box LLMs jailbreak within five queries using context-specific attacks. The within-five-queries is the median across tested models and scenarios, not a single lucky run. The context-specific is the method — the attacks are engineered to the deployed context, not generic payloads drawn from a jailbreak corpus.

The contrast with generic jailbreaks is the whole finding. Generic jailbreaks — the DAN prompts, the role-play wrappers, the encoding tricks — have a declining success rate. Providers actively red-team against known jailbreak corpora and calibrate the refusal to recognize them. A generic jailbreak is attacking a defense that has seen the attack before. RedAgent's contribution is to show that context-specific attacks, which cannot be pre-calibrated because they depend on the deployed context, achieve the five-query median against the same models. The defense that stops the generic pattern does not stop the context-specific attack, because the two have different signatures.

[SLIDE 3 — B06.1 The finding and the 5-query chain]

Sub-section one. The finding and the five-query chain.

[SLIDE 4 — Why context-specific beats generic]

Why context-specific attacks outperform generic jailbreaks. A generic jailbreak is a static payload — the same string regardless of target. The refusal layer is trained against these patterns. A context-specific attack is engineered to the deployed context. The attacker observes, or infers, the system prompt, the tool surface, the conversation history, and crafts a payload coherent with that context. The payload does not look like a known jailbreak — it looks like a legitimate continuation of the conversation, or a legitimate use of a tool. The refusal layer, calibrated against generic patterns, does not recognize it.

The mechanism is the same one that makes indirect prompt injection effective, from SDD-B03. The model cannot reliably distinguish data it should treat cautiously from a legitimate instruction in its current context, because both arrive as text. A context-specific jailbreak is indistinguishable from the context the model is already operating in. The defense is calibrated against out-of-context patterns; the attack is in-context.

[SLIDE 5 — The 5-query chain]

The five-query chain is not a single payload. It is a sequence that converges on a successful jailbreak through iterative context-alignment. Query one is reconnaissance. The attacker probes the deployed context — what is the system prompt, what tools does the model have, what is the conversation structure. This query is benign. It maps the surface. Queries two through four are context-aligned payload crafting. Each query refines the alignment. The payload is phrased to look like a legitimate use of the observed tools or a continuation of the inferred conversation. Each query that does not fully succeed provides signal — how the model responded, where the refusal triggered — which the next query uses. Query five is the converged payload. If the alignment succeeded, the model produces the disallowed content because the request does not trip the refusal training's generic-pattern detectors.

The key property. Each query reduces the refusal probability by making the payload more context-coherent. The five-query median is the point at which the iterative alignment converges. This is why the result is within five queries rather than in one query — context-specificity requires iteration, and the iteration defeats a defense calibrated against single-shot generic patterns.

[SLIDE 6 — B06.2 Why context-specificity defeats generic defenses]

Sub-section two. Why context-specificity defeats generic defenses.

[SLIDE 7 — The deployed context is the attack surface]

The RedAgent finding reframes the attack surface. For the harness attacks, the surface was the governance layer. For the model-level attack, the surface is the deployed context itself — the system prompt, the tool surface, the conversation history. These are not surfaces the model provider controls. The provider trains the refusal layer. The deployer configures the system prompt, selects the tools, generates the conversation. A context-specific attack exploits the deployer's configuration, and the provider's refusal training cannot be pre-calibrated against configurations it has not seen.

The provider cannot fully fix this. They can broaden the training patterns, but the space of possible deployed contexts is unbounded. They cannot pre-calibrate against every system prompt, every tool configuration, every conversation history. The residual is structural. Pattern-calibrated defense has a novel-pattern bypass, and context-specific attacks are how that bypass is reached. This is the model-layer analogue of a zero-day. The defense recognizes known threats; it does not recognize novel ones.

[SLIDE 8 — Defense-in-depth, at the model]

The RedAgent finding is where B2's thesis — no single layer suffices — arrives at the model layer. The argument has three steps. SDD-B03 measured it — layered defenses reach single-digit injection rates. SDD-B04 and SDD-B05 demonstrated it at the harness layer — CrabTrap has residuals, IronCurtain has residuals. SDD-B06 demonstrates it at the model layer — the refusal layer falls in five queries.

The synthesis. An architecture that relies on any single layer has a bypass. The refusal layer falls in five queries. The harness judge is injectable. The deterministic policy has compilation residuals. The only architecture that holds is layered — the refusal layer raises the bar and provides signal, the harness governs the actions, the deterministic layer provides the boundary. Each layer's bypass is bounded by the others. The five-query result is the empirical justification for the entire harness architecture. The harness is not optional hardening around a reliable model — it is the necessary defense because the model layer will be bypassed.

[SLIDE 9 — B06.3 Engagement practice and dual-use disclosure]

Sub-section three. Engagement practice and the dual-use disclosure.

[SLIDE 10 — Measuring: success rate, not single success]

A single successful five-query jailbreak is a weak finding. The honest measurement is a success rate over N attempts. Run the five-query chain M times against the target, under fixed sampling parameters — temperature, model version, deployed context. Report the rate. Sixty-two percent of five-query chains succeeded against model Y at temperature one point zero, for example.

The parameters that affect reproducibility must be recorded. Model version is the single most important field — providers ship silent updates, and a finding against version N may not reproduce against version N plus one. The success rate, not the single success, is the finding that goes into the report. And the before-and-after delta — refusal success rate before and after a provider mitigation — is the honest metric for whether the mitigation worked.

[SLIDE 11 — The dual-use dilemma in its sharpest form]

A working five-query jailbreak is the dual-use dilemma in its sharpest form. It is simultaneously the most valuable model-level finding — it proves the refusal layer's limits, measurably, and justifies the harness architecture — and the most dangerous misuse recipe — it is copy-paste-usable by a non-technical attacker, and the gap between research and offensive capability is narrower than for a buffer-overflow exploit.

The four B0 disclosure principles resolve it. Provider first, always — the provider gets a private report with the chain under NDA before any external communication. Publish existence and severity, not the recipe, by default. Longer embargo — a model-level finding is on the one-hundred-eighty-day track, not ninety. And withhold pure-misuse content with no defensive lesson. The decision of which principle applies is made in the RoE before testing, not when the chain succeeds. A specific five-query chain most often has no defensive lesson beyond this model can be jailbroken — the general insight is publishable as a technique class, but the specific chain is pure misuse. Provider-only disclosure is the most common outcome.

[SLIDE 12 — Scoping under B0]

RedAgent-style testing attacks the refusal layer — a provider-controlled surface. The B0 authorization chain applies in full. The deployer can authorize testing of their system, but cannot authorize violation of the provider's terms. Before running the five-query chain, the engagement must verify one of: the provider's ToS explicitly permits jailbreak testing, a provider waiver or preview enrollment is on file, or the model is self-hosted and the deployer owns it.

The scope file must carry a provider-authorization entry for the jailbreak technique, and the harness gate must enforce it. Several providers' acceptable-use policies explicitly prohibit jailbreaking. Running the chain without authorization is a ToS breach. The dual-use clause is equally non-optional — the RoE must specify, before testing, whether the chain will be provider-only, published as existence-plus-severity, or withheld as pure-misuse.

[SLIDE 13 — Lab and what's next]

The lab has you build a context-specific five-query attack simulator — reconnaissance, context-aligned crafting, confirmation against a simulated refusal layer — measure the success rate over N chains, contrast it with a generic-jailbreak baseline, and walk through the dual-use disclosure decision under the four B0 principles. No GPU; Python 3.10 plus with type hints, runs offline. Next: SDD-B07, Agent SBOM and Supply Chain Assessment. We leave the model and the harness and attack the supply chain — the dependencies, the model registry, the tool sources. The agent's SBOM is the attack surface you cannot see, and a compromised dependency bypasses every layer we have built.