Module SDD-B06 — RedAgent: Black-Box Jailbreaking

RedAgent: Black-Box Jailbreaking

RedAgent (2026) finds that most black-box LLMs jailbreak within 5 queries using context-specific attacks. This is the model-level attack — we leave the harness (SDD-B04, SDD-B05) and target the model's refusal training directly. The 5-query chain works because context-specific attacks outperform generic jailbreaks: the attack is engineered to the target's deployed context (its system prompt, its tool surface, its conversation history), not a copy-paste payload. Covers the methodology, the defense-in-depth implications (no single layer suffices — B2's thesis, now at the model), how RedAgent-style testing fits a B12 engagement, and the dual-use disclosure dimension (B0) in its sharpest form.

45
minutes
8
artifacts
3
sub-sections
RedAgent (2026) finds that most black-box LLMs jailbreak within 5 queries using context-specific attacks. This is the model-level attack — we leave the harness (SDD-B04, SDD-B05) and target the model's refusal training directly. The 5-query chain works because context-specific attacks outperform generic jailbreaks: the attack is engineered to the target's deployed context (its system prompt, its tool surface, its conversation history), not a copy-paste payload. Covers the methodology, the defense-in-depth implications (no single layer suffices — B2's thesis, now at the model), how RedAgent-style testing fits a B12 engagement, and the dual-use disclosure dimension (B0) in its sharpest form.
Key Claims
Load-Bearing Claims

Most black-box LLMs jailbreak within 5 queries using context-specific attacks. The 'within 5 queries' is the median across tested models; the 'context-specific' is the load-bearing method. Generic jailbreaks decline in success as providers patch known patterns; context-specific attacks cannot be pre-calibrated because they depend on the deployed context.

The model layer will be bypassed — the harness is the necessary defense. The 5-query result proves the harness is not optional hardening around a reliable model. It is the empirical justification for the entire SDD-B04/SDD-B05 prescription: the harness layer's strength is the load-bearing question.

The finding is dual-use at its sharpest. A working 5-query jailbreak is the dual-use dilemma (B0) in its most acute form — simultaneously a security finding to report and a misuse recipe to suppress. B0's four disclosure principles govern every RedAgent finding.

After This Module
01
Explain the RedAgent finding: most black-box LLMs jailbreak within 5 queries using context-specific attacks, why context-specific attacks outperform generic jailbreaks, and what the 5-query median implies for the refusal layer as a standalone defense.
02
Construct the RedAgent 5-query attack chain: context reconnaissance (query 1), context-aligned payload crafting (queries 2-4), and the success-confirming query (query 5) — and explain how each stage reduces the model's refusal probability.
03
Analyze why context-specificity defeats generic defenses: the deployed context (system prompt, tool surface, conversation history) is the attack surface, and a jailbreak crafted against that context bypasses refusal training calibrated against generic patterns.
04
Map the RedAgent finding to the defense-in-depth thesis (B2): a 5-query jailbreak rate means the refusal layer alone is insufficient — no single layer suffices, and the harness defenses from SDD-B04/SDD-B05 are necessary precisely because the model layer will be bypassed.
05
Apply the RedAgent methodology as part of a B12 engagement: scope it under B0's authorization chain (provider ToS, dual-use clause), run the 5-query chain against the deployed context, measure the success rate over N attempts (not a single success), and report under the CVD/dual-use principles from B0.
06
Articulate the dual-use disclosure dimension: a working 5-query jailbreak is simultaneously the most valuable model-level finding and the most dangerous misuse recipe — and resolve it through the four B0 disclosure principles, with the provider-first report and the existence-not-recipe publication default.
Artifacts