Red-team strategies
Adversarial transformations applied on top of the attack-plugin corpus — encodings, obfuscations, roleplay, multi-turn and agentic attacks that mutate a base payload to slip past guardrails.
98 strategies. Plugins define what to test (the vulnerability); strategies define how to deliver it. See attack plugins (334) and the red-teaming concepts guide.
WWI 6x6 fractionating cipher over letters+digits: Polybius square (labels ADFGVX, keyword EVALGUARD) then columnar transposition (key CIPHER)
WWI fractionating cipher: Polybius square (labels ADFGX, keyword EVALGUARD) then columnar transposition (key CARGO)
Frames the payload in ANSI escape sequences (conceal SGR, black-on-black, clear-line overwrite, OSC-8 link)
Encodes text as Ascii85 (Adobe variant, `<~ ~>` framed) over UTF-8 bytes; distinct alphabet from base32/58/64
Mirror substitution cipher (a↔z, b↔y, …); self-inverse
Encodes payload as musical note names mapping letters to notes
Wraps payload in XML/HTML/Markdown authority markup to mimic system instructions
Prepends authority claims to make the payload appear to come from a privileged source
Evolves a population of fluent, low-perplexity jailbreak scaffolds via a genetic algorithm (crossover + mutation) — the deliberate inverse of GCG's high-perplexity token salad, designed to evade perplexity filters while staying coherent (Liu et al. 2310.04451). The static transform runs a deterministic GA pass; runAdaptive drives the iterative optimization against a live target.
Vigenere autokey: running key is the primer EVAL followed by the plaintext, so the key never repeats
Encodes each letter as a 5-bit a/b Baconian group (A=aaaaa … Z=bbaab); non-letters pass through
Encodes text as Base32 (RFC 4648) over UTF-8 bytes
Encodes text as Base36 (0-9a-z, lowercase, no padding) via big-integer base conversion over UTF-8 bytes
Encodes text as Base45 (RFC 9285, QR-alphanumeric alphabet) over UTF-8 byte pairs
Encodes text as Base58 (Bitcoin alphabet, no 0/O/I/l) via big-integer base conversion over UTF-8 bytes
Encodes text as Base62 (0-9A-Za-z, no padding) via big-integer base conversion over UTF-8 bytes
Encodes payload in base64 to bypass text filters
Beam Search-based adversarial-suffix optimizer (Sadasivan et al. 2402.15570). Maintains a beam of best-scoring suffixes, expands each with candidate tokens per step, and prunes to the top-k — the beam-search peer to GCG/AutoDAN. The static transform runs a deterministic beam search over a benign token pool; runAdaptive drives the iterative optimization against a live target.
Self-reciprocal polyalphabetic cipher (C = K - P mod 26) keyed on the repeating keyword EVALGUARD
Returns N rephrased variants of the payload (synonym swap, reorder, question form)
Teaches the model a novel in-context substitution cipher (a bijection between letters and code tokens), then sends the objective encoded in that bijection so plaintext safety filters miss it while the model decodes-and-answers (Huang et al. 2410.01294). Unlike base64/rot13/morse, the mapping is supplied inline and inverted via in-context learning — no fixed signature to block.
Encodes text as space-separated 8-bit binary (UTF-8 bytes)
Maps each letter to its Grade-1 Unicode Braille cell (U+2800 block); space becomes the blank cell
Applies a Caesar substitution cipher with a fixed left shift of 7
Joins all words into camelCase to bypass word-boundary-based filters
Frames the payload as an academic citation or research context to add perceived legitimacy
CodeChameleon [Lv 2024]: wraps the request in a code encrypt/decrypt scaffold (reverse/binary_tree/odd_even/length) and asks the target to complete a ProblemSolver that decrypts and solves it
Combines DAN persona + roleplay scenario + authority override in a single prompt
Wraps the payload as a TOML/INI configuration value inside plausible section keys
Wraps the payload in a benign conversational context before pivoting to the attack
Gradually escalates from innocent topics toward the target. The static transform emits a seed ladder; runAdaptive drives a real multi-round LLM escalation against a live target.
Encodes text as Crockford Base32 (digits + A-Z minus I/L/O/U, no padding) over UTF-8 bytes
Frames the payload as active spreadsheet formula cells (=, +, -, @ triggers; DDE and HYPERLINK forms)
Blends the target request among benign topics in one narrative, then asks the model to elaborate on each equally so the sensitive item inherits the benign framing (Unit 42, 2024). Static transform emits the blended seed; runAdaptive drives a live variant.
Encodes each character as a decimal HTML entity (&#NNN;)
Embeds the payload in document-format wrappers (PDF text object, RTF, OOXML, memo) to test document-ingestion attack surfaces
Substitutes each letter with the character its physical QWERTY key produces under the Dvorak layout
Generates novel jailbreak prompts by combining persona, scenario, and instruction override techniques
Multi-turn context-poisoning: establishes an agreeable frame in early turns, then references the model's own prior statements to make later turns inherit that frame. Static transform emits a seed ladder; runAdaptive drives a live escalation.
Maps letters to look-alike emoji characters to make prompts look innocuous
Creates a few-shot pattern with escalating examples that lead to the actual payload
FlipAttack [Liu 2024]: flips the request (FWO/FCW/FCS/FMM) and pairs it with self-unflip 'Flipping Guidance' so the target reverses and answers it
Exploits commitment/consistency bias: secures a small benign agreement first, then leverages that prior compliance to escalate toward the objective. The static transform emits a commitment ladder; runAdaptive drives a real multi-round escalation against a live target.
Appends adversarial suffix tokens (Greedy Coordinate Gradient style) to confuse model tokenizers. The static transform emits format-accurate suffixes; runAdaptive iteratively searches suffixes against a live target.
Wraps payload in multi-step goal pursuit format with incremental objectives. runAdaptive runs a real goal-directed iterative attack against a live target.
Vigenere variant keyed on decimal digits (each digit 0-9 is the shift); repeating key 31415
Converts each character to hex escape sequences to bypass text filters
Encodes each character as a hexadecimal HTML entity (&#xNN;)
Replaces Latin chars with visually identical Unicode chars
Returns 3 parallel attack paths: direct request, indirect framing, and social engineering. runAdaptive pursues multiple paths concurrently against a live target.
Embeds payload as image alt-text description to bypass text filters
Prepends common jailbreak prompts
Wraps payload in JSON or code block to bypass text filters
Wraps payload in translation request to bypass English-only filters
Wraps input in multiple encoding layers (base64 inside ROT13 inside leetspeak) to evade multi-stage filters
Replaces letters with numbers to evade text matching
Frames payload as a Likert scale survey to elicit graded responses that bypass safety filters
Wraps payload in markdown formatting to disguise it as documentation
Encodes chars as ASCII math to bypass pattern matching
Instructs the model as a meta-agent that programs and controls other AI agents
Frames the requester as an innocent user who 'accidentally' asks harmful things
Converts text to Morse code to obfuscate payload content from filters
Builds context across messages, escalating from benign to malicious
Spells each letter/digit using the NATO phonetic alphabet
Heuristic NER-style robustness perturbation: swaps recognized person names + locations for equivalents, shifts numbers, and swaps personal/possessive pronouns for a different perspective, yielding a semantically-near variant. Pair with the `invariance` scorer to flag answers that change under cosmetic entity/reference swaps.
Encodes each UTF-8 byte as a 3-digit backslash-octal escape (\NNN)
Reframes a request into the past/reported tense ('how did people historically …') — a phrasing refusal training frequently fails to generalize to (Andriushchenko & Flammarion, 2024). Pure grammatical transform of the operator-supplied payload.
Splits payload into numbered fragments
Reframes the objective using social-science persuasion techniques (evidence-based, logical appeal, expert endorsement, social proof, framing, storytelling, misrepresentation, emotional appeal) rather than encoding — the harmful intent stays in plain language but is wrapped in rhetoric that nudges an aligned model toward compliance (Zeng et al. 2401.06373). Broader than authority-injection (one technique) and foot-in-the-door (commitment, multi-turn).
Converts words to Pig Latin to obfuscate payload from keyword filters
Digraph substitution over a 5x5 keyword square (keyword EVALGUARD, I/J merged); encrypts letter pairs
Encodes each letter as a 5x5 row-column coordinate pair (I/J merged; A=11 … Z=55); non-letters pass through
Adds qualifying context to bypass safety filters
Encodes every byte as MIME quoted-printable =XX (RFC 2045)
Substitutes each letter with the key to its right on the QWERTY layout (cyclic per row); preserves case
Two-rail rail-fence transposition (even-index chars, then odd-index)
Tokenizer-flood robustness / DoS technique (Dropbox LLM-security research). Selects benign strings that round-trip to a single token and repeats them across an escalating ladder to destabilise generation. Pair with detectRepeatedTokenDivergence() to score runaway length / repetition / hallucinated citations.
Re-sends attacks with minor variations (whitespace, punctuation, word order) to bypass pattern matching
Reverses the entire string to bypass pattern matching filters
Applies ROT13 substitution cipher
Rotates all printable ASCII (0x21-0x7E) by 47; self-inverse, transforms digits and punctuation too
Maps each letter to a rune in the Unicode Runic block (Elder Futhark based); non-letters pass through
Vigenere with a long fixed pangram passage as the key (no short period); C = P + K mod 26
Encodes letters as phone-keypad multi-tap digit runs (A=2, B=22 … Z=9999), space-separated; space=0
Encodes each letter as row-then-column taps (dots) on a 5x5 grid with K sent as C; ' / ' between letters, ' // ' between words
Maps a model's topic-block boundary by traversing a WordNet-lite concept graph around a presumed-blocked term — probing sibling/hyponym/hypernym concepts to find the nearest adjacent topic the model still engages on. The static transform emits the two built-in templates over adjacent concepts; runAdaptive drives the tree search against a live target.
Creates a branching prompt with multiple exploration paths to find a successful attack vector. runAdaptive explores branches against a live target and prunes to the most effective path.
Introduces deliberate typos to bypass keyword filters while remaining human-readable
Converts characters to Unicode escape sequences to evade content filters
Replaces each letter with an inverted look-alike glyph and reverses the string (reads as rotated 180 degrees)
Percent-encodes every UTF-8 byte as %XX (no plaintext survives)
Embeds payload as a video scene description in screenplay format
Polyalphabetic keyword cipher (keyword "EVALGUARD")
Hides the payload as pure whitespace — 8 chars per UTF-8 byte, space=0 bit and tab=1 bit (MSB first)
Wraps payload in XML-like tags to make it look like structured data input
Repeating-key XOR over UTF-8 bytes with key EVALGUARD, rendered as lowercase hex; XOR again with the key to decode
Encodes text as z-base-32 (Zooko's human-oriented alphabet, no padding) over UTF-8 bytes
Appends deterministic combining diacritics (U+0300..U+036F) to each base char; base text survives normalization