RedAgent: Black-Box Jailbreaking
RedAgent (2026) finds that most black-box LLMs jailbreak within 5 queries using context-specific attacks. This is the model-level attack — we leave the harness (SDD-B04, SDD-B05) and target the model's refusal training directly. The 5-query chain works because context-specific attacks outperform generic jailbreaks: the attack is engineered to the target's deployed context (its system prompt, its tool surface, its conversation history), not a copy-paste payload. Covers the methodology, the defense-in-depth implications (no single layer suffices — B2's thesis, now at the model), how RedAgent-style testing fits a B12 engagement, and the dual-use disclosure dimension (B0) in its sharpest form.
Most black-box LLMs jailbreak within 5 queries using context-specific attacks. The 'within 5 queries' is the median across tested models; the 'context-specific' is the load-bearing method. Generic jailbreaks decline in success as providers patch known patterns; context-specific attacks cannot be pre-calibrated because they depend on the deployed context.
The model layer will be bypassed — the harness is the necessary defense. The 5-query result proves the harness is not optional hardening around a reliable model. It is the empirical justification for the entire SDD-B04/SDD-B05 prescription: the harness layer's strength is the load-bearing question.
The finding is dual-use at its sharpest. A working 5-query jailbreak is the dual-use dilemma (B0) in its most acute form — simultaneously a security finding to report and a misuse recipe to suppress. B0's four disclosure principles govern every RedAgent finding.