Skip to content

Red-team strategies

Adversarial transformations applied on top of the attack-plugin corpus — encodings, obfuscations, roleplay, multi-turn and agentic attacks that mutate a base payload to slip past guardrails.

98 strategies. Plugins define what to test (the vulnerability); strategies define how to deliver it. See attack plugins (334) and the red-teaming concepts guide.

ADFGVX Cipher

WWI 6x6 fractionating cipher over letters+digits: Polybius square (labels ADFGVX, keyword EVALGUARD) then columnar transposition (key CIPHER)

ADFGX Cipher

WWI fractionating cipher: Polybius square (labels ADFGX, keyword EVALGUARD) then columnar transposition (key CARGO)

ANSI Terminal-Escape Framing

Frames the payload in ANSI escape sequences (conceal SGR, black-on-black, clear-line overwrite, OSC-8 link)

Ascii85 Encoding

Encodes text as Ascii85 (Adobe variant, `<~ ~>` framed) over UTF-8 bytes; distinct alphabet from base32/58/64

Atbash Cipher

Mirror substitution cipher (a↔z, b↔y, …); self-inverse

Audio Encoding

Encodes payload as musical note names mapping letters to notes

Authoritative Markup

Wraps payload in XML/HTML/Markdown authority markup to mimic system instructions

Authority Injection

Prepends authority claims to make the payload appear to come from a privileged source

AutoDAN (genetic stealthy jailbreak)

Evolves a population of fluent, low-perplexity jailbreak scaffolds via a genetic algorithm (crossover + mutation) — the deliberate inverse of GCG's high-perplexity token salad, designed to evade perplexity filters while staying coherent (Liu et al. 2310.04451). The static transform runs a deterministic GA pass; runAdaptive drives the iterative optimization against a live target.

Autokey Cipher

Vigenere autokey: running key is the primer EVAL followed by the plaintext, so the key never repeats

Baconian Cipher

Encodes each letter as a 5-bit a/b Baconian group (A=aaaaa … Z=bbaab); non-letters pass through

Base32 Encoding

Encodes text as Base32 (RFC 4648) over UTF-8 bytes

Base36 Encoding

Encodes text as Base36 (0-9a-z, lowercase, no padding) via big-integer base conversion over UTF-8 bytes

Base45 Encoding

Encodes text as Base45 (RFC 9285, QR-alphanumeric alphabet) over UTF-8 byte pairs

Base58 Encoding

Encodes text as Base58 (Bitcoin alphabet, no 0/O/I/l) via big-integer base conversion over UTF-8 bytes

Base62 Encoding

Encodes text as Base62 (0-9A-Za-z, no padding) via big-integer base conversion over UTF-8 bytes

Base64 Encoding

Encodes payload in base64 to bypass text filters

BEAST (beam-search adversarial suffix)

Beam Search-based adversarial-suffix optimizer (Sadasivan et al. 2402.15570). Maintains a beam of best-scoring suffixes, expands each with candidate tokens per step, and prunes to the top-k — the beam-search peer to GCG/AutoDAN. The static transform runs a deterministic beam search over a benign token pool; runAdaptive drives the iterative optimization against a live target.

Beaufort Cipher

Self-reciprocal polyalphabetic cipher (C = K - P mod 26) keyed on the repeating keyword EVALGUARD

Best-of-N Jailbreak

Returns N rephrased variants of the payload (synonym swap, reorder, question form)

Bijection Learning

Teaches the model a novel in-context substitution cipher (a bijection between letters and code tokens), then sends the objective encoded in that bijection so plaintext safety filters miss it while the model decodes-and-answers (Huang et al. 2410.01294). Unlike base64/rot13/morse, the mapping is supplied inline and inverted via in-context learning — no fixed signature to block.

Binary Encoding

Encodes text as space-separated 8-bit binary (UTF-8 bytes)

Braille Patterns

Maps each letter to its Grade-1 Unicode Braille cell (U+2800 block); space becomes the blank cell

Caesar Cipher

Applies a Caesar substitution cipher with a fixed left shift of 7

camelCase Obfuscation

Joins all words into camelCase to bypass word-boundary-based filters

Citation/Academic Framing

Frames the payload as an academic citation or research context to add perceived legitimacy

CodeChameleon

CodeChameleon [Lv 2024]: wraps the request in a code encrypt/decrypt scaffold (reverse/binary_tree/odd_even/length) and asks the target to complete a ProblemSolver that decrypts and solves it

Composite Jailbreaks

Combines DAN persona + roleplay scenario + authority override in a single prompt

Config-File Wrap (TOML/INI)

Wraps the payload as a TOML/INI configuration value inside plausible section keys

Context Switching

Wraps the payload in a benign conversational context before pivoting to the attack

Crescendo Attack

Gradually escalates from innocent topics toward the target. The static transform emits a seed ladder; runAdaptive drives a real multi-round LLM escalation against a live target.

Crockford Base32

Encodes text as Crockford Base32 (digits + A-Z minus I/L/O/U, no padding) over UTF-8 bytes

CSV Formula Injection

Frames the payload as active spreadsheet formula cells (=, +, -, @ triggers; DDE and HYPERLINK forms)

Deceptive Delight

Blends the target request among benign topics in one narrative, then asks the model to elaborate on each equally so the sensitive item inherits the benign framing (Unit 42, 2024). Static transform emits the blended seed; runAdaptive drives a live variant.

Decimal HTML Entity Encoding

Encodes each character as a decimal HTML entity (&#NNN;)

Document Delivery

Embeds the payload in document-format wrappers (PDF text object, RTF, OOXML, memo) to test document-ingestion attack surfaces

Dvorak Keyboard Remap

Substitutes each letter with the character its physical QWERTY key produces under the Dvorak layout

Dynamic Jailbreak

Generates novel jailbreak prompts by combining persona, scenario, and instruction override techniques

Echo Chamber

Multi-turn context-poisoning: establishes an agreeable frame in early turns, then references the model's own prior statements to make later turns inherit that frame. Static transform emits a seed ladder; runAdaptive drives a live escalation.

Emoji Smuggling

Maps letters to look-alike emoji characters to make prompts look innocuous

Few-Shot Injection

Creates a few-shot pattern with escalating examples that lead to the actual payload

FlipAttack

FlipAttack [Liu 2024]: flips the request (FWO/FCW/FCS/FMM) and pairs it with self-unflip 'Flipping Guidance' so the target reverses and answers it

Foot-in-the-Door

Exploits commitment/consistency bias: secures a small benign agreement first, then leverages that prior compliance to escalate toward the objective. The static transform emits a commitment ladder; runAdaptive drives a real multi-round escalation against a live target.

GCG Adversarial Suffix

Appends adversarial suffix tokens (Greedy Coordinate Gradient style) to confuse model tokenizers. The static transform emits format-accurate suffixes; runAdaptive iteratively searches suffixes against a live target.

GOAT (Goal-Oriented Adversarial Testing)

Wraps payload in multi-step goal pursuit format with incremental objectives. runAdaptive runs a real goal-directed iterative attack against a live target.

Gronsfeld Cipher

Vigenere variant keyed on decimal digits (each digit 0-9 is the shift); repeating key 31415

Hex Encoding

Converts each character to hex escape sequences to bypass text filters

Hex HTML Entity Encoding

Encodes each character as a hexadecimal HTML entity (&#xNN;)

Homoglyph Substitution

Replaces Latin chars with visually identical Unicode chars

Hydra Multi-Path Attack

Returns 3 parallel attack paths: direct request, indirect framing, and social engineering. runAdaptive pursues multiple paths concurrently against a live target.

Image Encoding

Embeds payload as image alt-text description to bypass text filters

Jailbreak Prefix

Prepends common jailbreak prompts

JSON/Code Wrapping

Wraps payload in JSON or code block to bypass text filters

Language Translation

Wraps payload in translation request to bypass English-only filters

Layered Encoding

Wraps input in multiple encoding layers (base64 inside ROT13 inside leetspeak) to evade multi-stage filters

Leetspeak

Replaces letters with numbers to evade text matching

Likert Scale Jailbreaks

Frames payload as a Likert scale survey to elicit graded responses that bypass safety filters

Markdown Injection

Wraps payload in markdown formatting to disguise it as documentation

Math Encoding

Encodes chars as ASCII math to bypass pattern matching

Meta-Agent Jailbreaks

Instructs the model as a meta-agent that programs and controls other AI agents

Mischievous User

Frames the requester as an innocent user who 'accidentally' asks harmful things

Morse Code

Converts text to Morse code to obfuscate payload content from filters

Multi-Turn Escalation

Builds context across messages, escalating from benign to malicious

NATO Phonetic Alphabet

Spells each letter/digit using the NATO phonetic alphabet

NER Entity Perturbation

Heuristic NER-style robustness perturbation: swaps recognized person names + locations for equivalents, shifts numbers, and swaps personal/possessive pronouns for a different perspective, yielding a semantically-near variant. Pair with the `invariance` scorer to flag answers that change under cosmetic entity/reference swaps.

Octal Escape Encoding

Encodes each UTF-8 byte as a 3-digit backslash-octal escape (\NNN)

Past-Tense Reformulation

Reframes a request into the past/reported tense ('how did people historically …') — a phrasing refusal training frequently fails to generalize to (Andriushchenko & Flammarion, 2024). Pure grammatical transform of the operator-supplied payload.

Payload Splitting

Splits payload into numbered fragments

Persuasive Adversarial Prompts (PAP)

Reframes the objective using social-science persuasion techniques (evidence-based, logical appeal, expert endorsement, social proof, framing, storytelling, misrepresentation, emotional appeal) rather than encoding — the harmful intent stays in plain language but is wrapped in rhetoric that nudges an aligned model toward compliance (Zeng et al. 2401.06373). Broader than authority-injection (one technique) and foot-in-the-door (commitment, multi-turn).

Pig Latin

Converts words to Pig Latin to obfuscate payload from keyword filters

Playfair Cipher

Digraph substitution over a 5x5 keyword square (keyword EVALGUARD, I/J merged); encrypts letter pairs

Polybius Square

Encodes each letter as a 5x5 row-column coordinate pair (I/J merged; A=11 … Z=55); non-letters pass through

Prompt Augmentation

Adds qualifying context to bypass safety filters

Quoted-Printable Encoding

Encodes every byte as MIME quoted-printable =XX (RFC 2045)

QWERTY Neighbor-Shift

Substitutes each letter with the key to its right on the QWERTY layout (cyclic per row); preserves case

Rail-Fence Transposition

Two-rail rail-fence transposition (even-index chars, then odd-index)

Repeated Token Flood

Tokenizer-flood robustness / DoS technique (Dropbox LLM-security research). Selects benign strings that round-trip to a single token and repeats them across an escalating ladder to destabilise generation. Pair with detectRepeatedTokenDivergence() to score runaway length / repetition / hallucinated citations.

Retry with Variations

Re-sends attacks with minor variations (whitespace, punctuation, word order) to bypass pattern matching

Reverse Text

Reverses the entire string to bypass pattern matching filters

ROT13 Cipher

Applies ROT13 substitution cipher

ROT47 Cipher

Rotates all printable ASCII (0x21-0x7E) by 47; self-inverse, transforms digits and punctuation too

Runic (Elder Futhark) Substitution

Maps each letter to a rune in the Unicode Runic block (Elder Futhark based); non-letters pass through

Running-Key Cipher

Vigenere with a long fixed pangram passage as the key (no short period); C = P + K mod 26

T9 Multi-Tap Keypad

Encodes letters as phone-keypad multi-tap digit runs (A=2, B=22 … Z=9999), space-separated; space=0

Tap Code (Knock Code)

Encodes each letter as row-then-column taps (dots) on a 5x5 grid with K sent as C; ' / ' between letters, ' // ' between words

Topic Boundary (WordNet tree search)

Maps a model's topic-block boundary by traversing a WordNet-lite concept graph around a presumed-blocked term — probing sibling/hyponym/hypernym concepts to find the nearest adjacent topic the model still engages on. The static transform emits the two built-in templates over adjacent concepts; runAdaptive drives the tree search against a live target.

Tree Search Prompt

Creates a branching prompt with multiple exploration paths to find a successful attack vector. runAdaptive explores branches against a live target and prunes to the most effective path.

Typo Obfuscation

Introduces deliberate typos to bypass keyword filters while remaining human-readable

Unicode Escape

Converts characters to Unicode escape sequences to evade content filters

Upside-Down Text

Replaces each letter with an inverted look-alike glyph and reverses the string (reads as rotated 180 degrees)

URL Percent-Encoding (aggressive)

Percent-encodes every UTF-8 byte as %XX (no plaintext survives)

Video Encoding

Embeds payload as a video scene description in screenplay format

Vigenère Cipher

Polyalphabetic keyword cipher (keyword "EVALGUARD")

Whitespace Steganography

Hides the payload as pure whitespace — 8 chars per UTF-8 byte, space=0 bit and tab=1 bit (MSB first)

XML Wrap

Wraps payload in XML-like tags to make it look like structured data input

XOR Keystream (hex)

Repeating-key XOR over UTF-8 bytes with key EVALGUARD, rendered as lowercase hex; XOR again with the key to decode

z-base-32 Encoding

Encodes text as z-base-32 (Zooko's human-oriented alphabet, no padding) over UTF-8 bytes

Zalgo Combining-Mark Overload

Appends deterministic combining diacritics (U+0300..U+036F) to each base char; base text survives normalization