# Diagrams — SDD-B06: RedAgent: Black-Box Jailbreaking

**Module**: SDD-B06 — RedAgent: Black-Box Jailbreaking
**Diagram count**: 5
**Tool**: Mermaid (primary). Each diagram validated in [Mermaid Live Editor](https://mermaid.live).

---

## Diagram 1 — Generic vs. Context-Specific: Why the 5-Query Result Holds

**Type**: Comparison / attack-class contrast
**Purpose**: The foundational visual. Generic jailbreaks (static payloads — DAN, role-play, encoding tricks) have a declining success rate because providers calibrate the refusal training against known patterns. Context-specific attacks (engineered to the deployed context) bypass the pattern-calibrated defense because their signature is novel. This is the whole RedAgent finding: the defense that stops the generic pattern does not stop the context-specific attack.
**Reading the diagram**: Two attack classes, two defense encounters. The generic jailbreak matches a known pattern the refusal training recognizes. The context-specific attack is coherent with the deployed context and does not match any known pattern — the refusal layer does not fire.

```mermaid
flowchart TB
  subgraph GENERIC["GENERIC JAILBREAK (static payload)"]
    direction TB
    G1["DAN prompt / role-play wrapper<br/>/ encoding trick<br/>SAME string regardless of target"]:::warn
    G2["→ matches a KNOWN pattern<br/>in the refusal training set"]:::danger
    G3["→ REFUSAL layer fires<br/>(calibrated against the corpus)<br/>declining success rate over time"]:::danger
    G1 --> G2 --> G3
  end

  subgraph CONTEXT["CONTEXT-SPECIFIC ATTACK (RedAgent)"]
    direction TB
    C1["engineered to the DEPLOYED CONTEXT<br/>system prompt · tool surface · conversation history<br/>UNIQUE signature per target"]:::teal
    C2["→ does NOT match any known pattern<br/>(the context is novel to the training set)"]:::teal
    C3["→ REFUSAL layer does NOT fire<br/>pattern-calibrated defense has a<br/>NOVEL-PATTERN BYPASS"]:::teal
    C1 --> C2 --> C3
  end

  DEFENSE["THE REFUSAL LAYER (pattern-calibrated)<br/>trained against KNOWN jailbreak patterns<br/>recognizes the signature → refuses"]
  G2 -.-> DEFENSE
  C2 -.->|"no matching pattern"| DEFENSE

  FINDING["THE REDAGENT FINDING<br/>most black-box LLMs jailbreak WITHIN 5 QUERIES<br/>using context-specific attacks<br/>the defense that stops generic patterns<br/>does NOT stop context-specific attacks"]:::teal
  C3 -.-> FINDING

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  style DEFENSE fill:#101018,stroke:#f0a868,color:#e4e4e8
  style GENERIC fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
  style CONTEXT fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8
```

> **Note**: The mechanism is the same one that makes indirect prompt injection effective (SDD-B03): the model cannot reliably distinguish "data to treat cautiously" from "a legitimate instruction in my current context," because both arrive as text. A context-specific jailbreak is indistinguishable from the context the model is already operating in. The defense (refusal training) is calibrated against out-of-context patterns; the attack is in-context.

---

## Diagram 2 — The 5-Query Attack Chain

**Type**: Attack sequence / convergence
**Purpose**: RedAgent's 5-query chain is not a single payload; it is a sequence that converges on a successful jailbreak through iterative context-alignment. Query 1 is reconnaissance (map the deployed context). Queries 2-4 refine the context-alignment, each using the signal from the previous query. Query 5 is the converged payload that succeeds because it does not trip the generic-pattern detectors. The 5-query median is the convergence point.
**Reading the diagram**: Each query reduces the refusal probability by making the payload more context-coherent. Query 1 is benign (mapping). Queries 2-4 iterate. Query 5 converges.

```mermaid
flowchart LR
  Q1["QUERY 1 — RECONNAISSANCE<br/>probe the deployed context<br/>system prompt · tools · conversation<br/>BENIGN — no jailbreak attempt<br/>maps the surface"]:::teal

  Q2["QUERY 2 — FIRST CRAFT<br/>payload aligned to recon<br/>phrased as legitimate tool use<br/>or conversation continuation<br/>low success — not yet aligned"]:::warn

  Q3["QUERY 3 — REFINE<br/>use signal from Q2 response<br/>(where refusal triggered)<br/>refine the alignment"]:::warn

  Q4["QUERY 4 — REFINE<br/>further alignment<br/>payload now coherent with<br/>the full deployed context"]:::warn

  Q5["QUERY 5 — CONFIRM<br/>converged payload submitted<br/>does NOT trip generic-pattern detectors<br/>→ SUCCESS (if alignment converged)"]:::danger

  Q1 -->|"context map"| Q2
  Q2 -->|"refusal signal"| Q3
  Q3 -->|"refusal signal"| Q4
  Q4 -->|"aligned payload"| Q5

  RATE["REFUSAL PROBABILITY<br/>Q1: N/A (benign)<br/>Q2: high (not aligned)<br/>Q3: lower (refining)<br/>Q4: low (nearly aligned)<br/>Q5: low (converged)<br/>each query REDUCES refusal prob<br/>by making the payload more context-coherent"]:::teal

  Q5 -.-> RATE

  MEDIAN["THE 5-QUERY MEDIAN<br/>the point at which iterative<br/>context-alignment converges<br/>across tested models &amp; scenarios<br/>(not a single lucky run)"]:::teal
  RATE -.-> MEDIAN

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
```

> **Note**: The key property is iterative convergence. The first query has a low success rate (the payload is not yet aligned); the fifth has a high rate (the alignment has converged). This is why the result is "within 5 queries" rather than "in 1 query" — context-specificity requires iteration, and the iteration is what defeats a defense calibrated against single-shot generic patterns.

---

## Diagram 3 — The Deployed Context as the Attack Surface

**Type**: Surface map
**Purpose**: The RedAgent finding reframes the attack surface for the model-level attack. The surface is not the model weights or the training — it is the DEPLOYED CONTEXT: the system prompt (deployer-configured), the tool surface (deployer-selected), and the conversation history (deployer-generated). These are surfaces the PROVIDER does not control and cannot pre-calibrate the refusal training against. A context-specific attack exploits the deployer's configuration.
**Reading the diagram**: The provider trains the refusal layer (generic patterns). The deployer configures the context. The context-specific attack targets the deployer's configuration — the surface the provider's training does not cover.

```mermaid
flowchart TB
  subgraph PROVIDER["PROVIDER-CONTROLLED (the training)"]
    direction TB
    P1["model weights"]:::teal
    P2["refusal training (RLHF / safety fine-tune)<br/>calibrated against KNOWN jailbreak patterns"]:::teal
    P1 --> P2
  end

  subgraph DEPLOYER["DEPLOYER-CONTROLLED (the context = the attack surface)"]
    direction TB
    D1["SYSTEM PROMPT<br/>configures the model's behavior"]:::danger
    D2["TOOL SURFACE<br/>the tools the model can call"]:::danger
    D3["CONVERSATION HISTORY<br/>shapes interpretation of new inputs"]:::danger
    D1 --> CONTEXT
    D2 --> CONTEXT
    D3 --> CONTEXT
  end

  CONTEXT["THE DEPLOYED CONTEXT<br/>= the model-level attack surface<br/>NOT controlled by the provider<br/>NOT pre-calibrated in refusal training"]:::danger

  ATTACK["CONTEXT-SPECIFIC ATTACK<br/>engineered to the deployed context<br/>signature is UNIQUE → no pattern match<br/>refusal training never saw this context"]:::danger
  CONTEXT -.-> ATTACK

  P2 -.->|"cannot pre-calibrate against<br/>unbounded context space"| CONTEXT

  IMPLICATION["IMPLICATION FOR RED-TEAM<br/>the deployed context is the reconnaissance target<br/>(Query 1 of the 5-query chain)<br/>map it the way a pentest maps a network<br/>before attacking it"]:::warn
  ATTACK -.-> IMPLICATION

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  style PROVIDER fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8
  style DEPLOYER fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
```

> **Note**: The provider cannot fully fix this. They can broaden the training patterns, but the space of possible deployed contexts is unbounded — they cannot pre-calibrate against every system prompt, every tool configuration, every conversation history. The residual is structural: pattern-calibrated defense has a novel-pattern bypass, and context-specific attacks are how that bypass is reached. This is the model-layer analogue of a zero-day.

---

## Diagram 4 — Defense-in-Depth: The Refusal Layer Is a Layer, Not a Boundary

**Type**: Layered architecture / thesis
**Purpose**: The RedAgent finding is where B2's thesis (no single layer suffices) arrives at the model layer. The refusal layer falls in 5 queries to a context-specific attack — it is a layer that raises the bar and provides signal, not a boundary. The harness defenses (SDD-B04, SDD-B05) are necessary precisely because the model layer will be bypassed. The only architecture that holds is layered.
**Reading the diagram**: Three layers, each with a bypass. The refusal layer (5-query bypass), the harness layer (injectable judge / compilation residual), the deterministic layer (the boundary). Each layer's bypass is bounded by the others.

```mermaid
flowchart TB
  subgraph LAYERS["THE LAYERED ARCHITECTURE (B2's thesis)"]
    direction TB
    L1["LAYER 1 — REFUSAL TRAINING (the model)<br/>provider-managed · calibrated vs known patterns<br/>FALLS IN 5 QUERIES (context-specific attack)<br/>raises the bar · provides signal · NOT a boundary"]:::warn
    L2["LAYER 2 — HARNESS GOVERNANCE (SDD-B04 / SDD-B05)<br/>deployer-managed · judge / deterministic policy<br/>judge is INJECTABLE (B04) · deterministic has<br/>COMPILATION RESIDUAL (B05) · necessary BECAUSE L1 falls"]:::warn
    L3["LAYER 3 — DETERMINISTIC BOUNDARY (the strongest)<br/>compiled policy · credential quarantine<br/>the boundary the probabilistic layers cannot provide<br/>has its own residuals (B05) but is load-bearing"]:::teal
    L1 --> L2 --> L3
  end

  BYPASS1["BYPASS: 5-query context-specific attack<br/>(this deep-dive)"]:::danger
  BYPASS2["BYPASS: judge manipulation (B04)<br/>compilation fidelity (B05)"]:::danger
  BYPASS3["RESIDUAL: compilation · isolate · escalation (B05)<br/>but bounded by L1 + L2"]:::warn

  L1 -.-> BYPASS1
  L2 -.-> BYPASS2
  L3 -.-> BYPASS3

  THESIS["B2's THESIS — AT THE MODEL LAYER<br/>SDD-B03 measured: layered = single-digit rates<br/>SDD-B04/05 demonstrated: harness layers have residuals<br/>SDD-B06 clinches: the MODEL layer falls in 5 queries<br/>→ no single layer suffices (model OR harness)<br/>→ the layered architecture is not optional hardening;<br/>it is the necessary defense because every layer has a bypass"]:::teal

  LAYERS -.-> THESIS

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  style LAYERS fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8
```

> **Note**: The RedAgent finding is load-bearing for the harness architecture, despite being a model-level attack. It proves the harness is not optional hardening around a reliable model — it is the necessary defense precisely because the model layer will be bypassed. The 5-query result is the empirical justification for the entire SDD-B04/SDD-B05 prescription. An architecture that relies on the refusal layer alone has a 5-query bypass; the layered architecture bounds each layer's bypass with the others.

---

## Diagram 5 — The Dual-Use Dilemma in Its Sharpest Form

**Type**: Decision flow / disclosure
**Purpose**: A working 5-query jailbreak is simultaneously the most valuable model-level finding and the most dangerous misuse recipe. The four B0 disclosure principles resolve the tension. This is where they bite hardest: the decision of provider-first / existence-not-recipe / longer-embargo / withhold-pure-misuse is made in the RoE before testing, not when the chain succeeds.
**Reading the diagram**: A successful 5-query chain is both a finding and a weapon. The four principles resolve what to publish vs. withhold. The bottom-right outcome (withhold pure-misuse) is where this finding most often lands.

```mermaid
flowchart TB
  CHAIN["A WORKING 5-QUERY JAILBREAK<br/>context-specific, copy-paste-usable<br/>measured success rate (e.g. 62% over M chains)"]:::warn

  READ1["THE MOST VALUABLE MODEL FINDING<br/>proves the refusal layer's limits, measurably<br/>the deployed context is the attack surface<br/>justifies the harness architecture"]:::teal
  READ2["THE MOST DANGEROUS MISUSE RECIPE<br/>copy-paste-usable by a non-technical attacker<br/>publishing hands a weapon to anyone who reads it<br/>(narrower gap than a buffer-overflow exploit)"]:::danger

  CHAIN --> READ1
  CHAIN --> READ2

  READ1 --> P1["1. PROVIDER FIRST, always<br/>private report + chain under NDA<br/>before any external communication"]
  P1 --> P2["2. PUBLISH EXISTENCE + SEVERITY<br/>(62% over M chains on model Y)<br/>NOT the recipe, by default"]
  P2 --> P3{"3. DEFENSIVE LESSON?"}
  P3 -->|"new technique class /<br/>architectural insight"| PUBLISH["publish the TECHNIQUE<br/>(not the chain) after ≥180-day embargo<br/>model-level = 180 days, not 90"]:::teal
  P3 -->|"pure misuse,<br/>no defensive lesson"| WITHHOLD["4. WITHHOLD — provider-only disclosure<br/>(the most common outcome for a<br/>specific 5-query chain)<br/>diverges from 'publish everything'"]:::danger

  ROE["THE DECISION WAS MADE IN THE RoE<br/>before testing began — not when the chain succeeded<br/>an engagement without a dual-use clause<br/>fails at the moment a serious finding appears"]:::warn

  WITHHOLD -.-> ROE
  PUBLISH -.-> ROE

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  style CHAIN fill:#101018,stroke:#f0a868,color:#e4e4e8
  style READ1 fill:#101018,stroke:#5eead4,color:#e4e4e8
  style READ2 fill:#101018,stroke:#f08080,color:#e4e4e8
  style P1 fill:#101018,stroke:#5eead4,color:#e4e4e8
  style P2 fill:#101018,stroke:#5eead4,color:#e4e4e8
  style P3 fill:#101018,stroke:#5eead4,color:#e4e4e8
```

> **Note**: A specific 5-query chain most often has no defensive lesson beyond "this model can be jailbroken in this context" — the defensive insight (context-specific attacks bypass pattern-calibrated refusal) is general and publishable as a technique class, but the specific chain is pure misuse. The responsible split: publish the general finding (the technique class, the measured success-rate range) after the embargo; withhold the specific chain (provider-only). The decision is structural, made in the RoE, not ad hoc.
