"What is the RedAgent finding, stated precisely?" "RedAgent (2026) finds that most black-box LLMs — the frontier commercial models behind the APIs production agents call — can be jailbroken WITHIN 5 QUERIES using CONTEXT-SPECIFIC attacks. The 'within 5 queries' is the load-bearing number (median across tested models/scenarios, not a worst-case or single lucky run). The 'context-specific' is the load-bearing method (attacks are engineered to the deployed context, not generic payloads from a jailbreak corpus). The defense that stops generic patterns does not stop context-specific attacks — different signatures." c2b::sdd-b06::recall "Why do context-specific attacks outperform generic jailbreaks?" "A GENERIC jailbreak is a static payload (same string/template regardless of target) — providers red-team against known corpora and calibrate refusal to recognize them, so generic jailbreaks attack a defense that has SEEN the attack (declining success rate). A CONTEXT-SPECIFIC attack is engineered to the deployed context (system prompt, tool surface, conversation history); its signature is unique and the refusal training has never seen it. The attack is indistinguishable from the context the model is already operating in. Defense is calibrated against out-of-context patterns; the attack is in-context." c2b::sdd-b06::recall "Describe the structure of the RedAgent 5-query attack chain." "Not a single payload — a convergent sequence. QUERY 1 = CONTEXT RECONNAISSANCE (benign probe of deployed context: system prompt, tools, conversation structure — maps the surface). QUERIES 2-4 = CONTEXT-ALIGNED PAYLOAD CRAFTING (each query refines alignment to look like legitimate tool use / conversation continuation / within-system-prompt request; each non-succeeding query provides signal for the next). QUERY 5 = SUCCESS CONFIRMATION (converged payload submitted; if alignment succeeded, model produces disallowed content because the request doesn't trip generic-pattern detectors). 5-query median = the convergence point." c2b::sdd-b06::recall "What is the deployed context, and why is it the attack surface for the model-level attack?" "The DEPLOYED CONTEXT is the system prompt (configures the model's behavior), the tool surface (the tools the model can call), and the conversation history (shapes interpretation of new inputs). It is the attack surface for the model-level attack because it is NOT controlled by the provider — the provider trains the refusal layer, but the deployer configures the context. A context-specific attack exploits the deployer's configuration, and the provider's refusal training cannot be pre-calibrated against configurations it has not seen. The deployed context is the reconnaissance target for a red team." c2b::sdd-b06::recall "Why does pattern-calibrated refusal training structurally fail against context-specific attacks?" "Refusal training is necessarily PATTERN-BASED — the provider shows the model examples of disallowed requests during RLHF/safety fine-tune and reinforces refusal. The patterns the model learns are the KNOWN patterns at training time. A context-specific attack's signature is unique to the deployed context (a request looking like legitimate use of a specific tool, in the style of a specific system prompt). The training has never seen this exact signature because it has never seen this exact context. The pattern-matching does not fire because the pattern is NOVEL — same structural property as a zero-day in traditional security. The provider CANNOT fully fix this: the space of possible deployed contexts is unbounded." c2b::sdd-b06::analysis "What does the 5-query median imply about the refusal layer as a standalone defense?" "It is the EMPIRICAL REFUTATION of the refusal layer as a standalone defense. An attacker with black-box access (the access any user of a production agent has) can jailbreak the model in 5 queries by observing the deployed context. The refusal layer is not the boundary — it is a DELAY, and a short one. It raises the bar (5 context-specific queries require more skill than 1 generic copy-paste), stops the casual attacker, and provides signal the harness layer can act on — but an architecture that relies on the refusal layer alone has a 5-query bypass. The harness defenses are not optional hardening; they are necessary because the model layer will be bypassed." c2b::sdd-b06::analysis "Trace the three-step defense-in-depth argument that B2's thesis arrives at the model layer." "(1) SDD-B03 MEASURED IT — layered defenses reach single-digit injection rates where single defenses sit near the baseline; the delta is the evidence. (2) SDD-B04 and SDD-B05 DEMONSTRATED it at the HARNESS layer — CrabTrap has residuals (injectable judge, response-side gap, cost erosion); IronCurtain has residuals (compilation fidelity, escalation fatigue). No single harness defense suffices. (3) SDD-B06 DEMONSTRATES it at the MODEL layer — the refusal layer (closest to content) falls in 5 queries to a context-specific attack. The model layer, like the harness layer, does not suffice alone. The only architecture that holds is LAYERED — each layer's bypass is bounded by the others." c2b::sdd-b06::analysis "Why is the RedAgent finding load-bearing for the harness architecture, despite being a model-level attack?" "Because it proves the harness is NOT optional hardening around a reliable model — it is the NECESSARY DEFENSE precisely because the model layer will be bypassed. The 5-query result is the empirical justification for the entire SDD-B04/SDD-B05 prescription. An architecture that relies on any single layer (refusal training alone, a harness judge alone, a deterministic policy alone) has a bypass: the refusal layer falls in 5 queries, the harness judge is injectable (SDD-B04), the deterministic policy has compilation residuals (SDD-B05). Only the layered architecture holds — the refusal layer raises the bar, the harness governs actions, the deterministic layer provides the boundary probabilistic layers cannot." c2b::sdd-b06::analysis "How does the B0 provider-authorization chain apply to RedAgent-style testing?" "RedAgent attacks the model's refusal training — a PROVIDER-CONTROLLED surface. The deployer can authorize testing of their system but CANNOT authorize violation of the provider's terms. Before running the 5-query chain against a production agent calling a commercial model, the engagement must verify ONE of: (a) the provider's ToS explicitly permits jailbreak testing, (b) a provider-issued waiver or preview-program enrollment is on file, or (c) the model is self-hosted/open-weights and the deployer owns it. Several providers' AUPs explicitly prohibit jailbreaking; running the chain without authorization is a ToS breach. The scope file must carry a `provider_authorization` entry for the `jailbreak` technique, enforced by the harness gate before the first query." c2b::sdd-b06::recall "Why is a single successful 5-query jailbreak a weak finding, and what is the honest measurement?" "A single success is an ANECDOTE — it may be a lucky sample. The honest measurement is a SUCCESS RATE OVER N ATTEMPTS: run the 5-query chain M times against the target under fixed sampling parameters (temperature, model version) and report the rate (e.g., '62% of 5-query chains succeeded against model version X at temperature 1.0'). The parameters affecting reproducibility (model version is the SINGLE MOST IMPORTANT — providers ship silent updates; a finding against version N may not reproduce against N+1, temperature, sampling config, deployed context at test time) must be recorded with every run. The before/after delta (refusal success rate before/after a provider mitigation) is the honest metric for whether the mitigation worked. No rate, no finding." c2b::sdd-b06::analysis "Why is a working 5-query jailbreak the dual-use dilemma in its sharpest form?" "Because it is simultaneously (1) the MOST VALUABLE model-level finding — it proves the refusal layer's limits measurably (a 62% success rate over M attempts), advances defensive understanding (deployed context is the attack surface, pattern-calibrated refusal has a novel-pattern bypass), and justifies the harness architecture; AND (2) the MOST DANGEROUS misuse recipe — a concrete, copy-paste-usable chain that bypasses refusal, and unlike a buffer-overflow exploit (requires skill to weaponize), a jailbreak prompt is usable by a non-technical attacker. Publishing the chain hands a weapon to anyone who reads it. The narrower the gap between research finding and offensive capability, the sharper the dilemma." c2b::sdd-b06::analysis "State the four B0 disclosure principles as they apply to a RedAgent finding." "(1) PROVIDER FIRST, ALWAYS — the provider gets a private report with the working chain under NDA before any external communication; shared only with the provider under the engagement's confidentiality terms. (2) EXISTENCE AND SEVERITY, NOT THE RECIPE, BY DEFAULT — a responsible advisory says 'we found a context-specific technique that bypasses refusal with X% success on model Y; the provider has been notified' — does NOT include the 5-query chain unless the provider consents and the technique is independently well-known. (3) LONGER EMBARGO — a model-level finding is on the 180-day track (per B0), not the 90-day software track (mitigation = retraining/RLHF round or version bump, measured in months). (4) WITHHOLD PURE-MISUSE WITH NO DEFENSIVE LESSON — if a specific chain has no lesson beyond 'this model can be jailbroken', provider-only disclosure is the common outcome." c2b::sdd-b06::recall "When must the dual-use disclosure decision be made, and why?" "In the ROE BEFORE TESTING BEGINS — NOT when the chain succeeds. The RoE must specify whether the working chain will be (a) shared provider-only, (b) published as existence-plus-severity, or (c) withheld as pure-misuse. The decision is made when the contract is signed. An engagement that runs RedAgent-style testing WITHOUT a dual-use clause is an engagement that will fail at exactly the moment a serious finding appears — because the operator will hold a copy-paste-usable weapon with no pre-agreed handling, and the ad-hoc decision will be wrong in at least one direction (over-publishing as misuse, or under-disclosing as hiding)." c2b::sdd-b06::analysis "Contrast generic jailbreaks with context-specific attacks on four axes." "(1) PAYLOAD: generic = static string/template regardless of target; context-specific = engineered to the deployed context. (2) DEFENSE STATE: generic = attacks a defense that has SEEN the attack (declining success rate as providers patch); context-specific = attacks a defense calibrated against the WRONG SURFACE (the deployed context is not in training). (3) SUCCESS: generic = low and declining; context-specific = 5-query median across tested models. (4) SIGNATURE: generic = matches known patterns (DAN, role-play, encoding); context-specific = unique to the context, indistinguishable from legitimate continuation. The defense that stops generic does not stop context-specific — different signatures." c2b::sdd-b06::analysis "How does the RedAgent finding correlate with the harness-layer findings, and why is treating them as independent an anti-pattern?" "They are CORRELATED, not independent. A model that falls in 5 queries makes the harness layer the LOAD-BEARING defense — and the harness has its own residuals (SDD-B04: injectable judge, response-side gap, cost erosion; SDD-B05: compilation fidelity, escalation fatigue). The architecture's overall injection resistance is the COMBINATION. The anti-pattern is: 'the model jailbreaks in 5 queries but our harness stops the actions, so it doesn't matter' — this treats the layers as independent when a model-layer bypass INCREASES the load on the harness layer (more attempted disallowed actions reach the harness, more pressure on the judge, more escalation-fatigue surface). The RedAgent result is the justification for not relying on ANY single layer." c2b::sdd-b06::analysis "Why is using generic jailbreaks and reporting the low success rate a flawed methodology?" "Because generic jailbreaks have a DECLINING success rate as providers patch against known patterns. Testing 20 known DAN prompts and reporting 'only 1 worked, the model is well-defended' tests the WRONG ATTACK CLASS. The RedAgent finding is specifically about CONTEXT-SPECIFIC attacks, which bypass the pattern-calibrated defense because their signature is unique to the deployed context. A generic-jailbreak-only test produces an artifactually low success rate that misrepresents the model's actual resistance to the attack class that matters. The methodology must test the context-specific surface (reconnaissance, context-aligned crafting, confirmation) — or the result is not a finding about model resistance, it is a finding about the generic corpus being stale." c2b::sdd-b06::analysis "Map the four B12 engagement steps for RedAgent-style testing as the model-layer component." "(1) MAP THE DEPLOYED CONTEXT — treat system prompt, tool surface, conversation structure as the attack surface; query 1 of the 5-query chain IS this map. (2) RUN THE 5-QUERY CHAIN, MEASURED — execute the chain M times under fixed parameters (model version, temperature, sampling config, deployed context); report the SUCCESS RATE, not a single success. (3) CORRELATE WITH THE HARNESS ASSESSMENT — RedAgent establishes model-layer residual; SDD-B04/SDD-B05 establishes harness-layer residual; architecture's overall injection resistance is the combination. (4) PRESCRIBE THE LAYERED DEFENSE — refusal layer (provider-managed, raises bar), harness layer (deployer-managed, governs actions), deterministic layer (the boundary probabilistic layers cannot provide)." c2b::sdd-b06::analysis "Why must the model version be recorded with every RedAgent run, and what does silent updating by providers mean for reproducibility?" "Because providers ship SILENT UPDATES — a finding against version N may NOT reproduce against version N+1. The model version is the SINGLE MOST IMPORTANT field in the run record. A 62% success rate against version X is meaningless without the version field: a provider may ship a quiet RLHF round or refusal-training patch that drops the rate to 8%, and without the version field there is no way to detect whether the change is in the model or in the test conditions. This is also why the before/after delta (refusal success rate before/after a provider mitigation) is the honest metric for whether the mitigation worked — it controls for the version variable by measuring the SAME version's rate over time, when versions can be pinned." c2b::sdd-b06::analysis "Why is the RedAgent finding the model-layer analogue of a zero-day, and what does that imply for the provider's ability to fix it?" "Pattern-calibrated refusal training recognizes KNOWN threats; it does NOT recognize NOVEL ones — the same structural property as a signature-based AV or IDS that stops known malware but not zero-days. A context-specific attack's signature is unique to the deployed context; the training has never seen it. The provider CANNOT fully fix this: they can broaden training patterns (red-team harder, include more diverse jailbreaks), but the space of possible deployed contexts is UNBOUNDED — they cannot pre-calibrate against every system prompt, every tool configuration, every conversation history. The residual is STRUCTURAL. This is why the harness layer is necessary, not optional: the model layer will always have a novel-pattern bypass, and only a governance layer that does not rely on the model's pattern-matching can close it." c2b::sdd-b06::analysis