Skip to content

Red-team strategy

Bijection Learning

bijection-learning

Teaches the model a novel in-context substitution cipher (a bijection between letters and code tokens), then sends the objective encoded in that bijection so plaintext safety filters miss it while the model decodes-and-answers (Huang et al. 2410.01294). Unlike base64/rot13/morse, the mapping is supplied inline and inverted via in-context learning — no fixed signature to block.

YAML config

evalguard.config.yaml
redteam:
  strategies:
    - bijection-learning

CLI

bash
# "bijection-learning" is layered onto attacks during red-team scans.
# List every available encoding/obfuscation strategy:
evalguard list strategies
Combine with attack plugins to generate adversarial payloads. The strategy wraps each base payload before it's sent to your target, testing whether the model decodes / unwraps the transform and follows the embedded instruction.