Saved in:
Bibliographic Details
Main Authors: Shamsi, Zafir, Chekuru, Nikhil, Guzman, Zachary, Garg, Shivank
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2603.19247
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866912974969503744
author Shamsi, Zafir
Chekuru, Nikhil
Guzman, Zachary
Garg, Shivank
author_facet Shamsi, Zafir
Chekuru, Nikhil
Guzman, Zachary
Garg, Shivank
contents Large Language Models (LLMs) are increasingly integrated into high-stakes applications, making robust safety guarantees a central practical and commercial concern. Existing safety evaluations predominantly rely on fixed collections of harmful prompts, implicitly assuming non-adaptive adversaries and thereby overlooking realistic attack scenarios in which inputs are iteratively refined to evade safeguards. In this work, we examine the vulnerability of contemporary language models to automated, adversarial prompt refinement. We repurpose black-box prompt optimization techniques, originally designed to improve performance on benign tasks, to systematically search for safety failures. Using DSPy, we apply three such optimizers to prompts drawn from HarmfulQA and JailbreakBench, explicitly optimizing toward a continuous danger score in the range 0 to 1 provided by an independent evaluator model (GPT-5.1). Our results demonstrate a substantial reduction in effective safety safeguards, with the effects being especially pronounced for open-source small language models. For example, the average danger score of Qwen 3 8B increases from 0.09 in its baseline setting to 0.79 after optimization. These findings suggest that static benchmarks may underestimate residual risk, indicating that automated, adaptive red-teaming is a necessary component of robust safety evaluation.
format Preprint
id arxiv_https___arxiv_org_abs_2603_19247
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle When Prompt Optimization Becomes Jailbreaking: Adaptive Red-Teaming of Large Language Models
Shamsi, Zafir
Chekuru, Nikhil
Guzman, Zachary
Garg, Shivank
Computation and Language
Artificial Intelligence
Large Language Models (LLMs) are increasingly integrated into high-stakes applications, making robust safety guarantees a central practical and commercial concern. Existing safety evaluations predominantly rely on fixed collections of harmful prompts, implicitly assuming non-adaptive adversaries and thereby overlooking realistic attack scenarios in which inputs are iteratively refined to evade safeguards. In this work, we examine the vulnerability of contemporary language models to automated, adversarial prompt refinement. We repurpose black-box prompt optimization techniques, originally designed to improve performance on benign tasks, to systematically search for safety failures. Using DSPy, we apply three such optimizers to prompts drawn from HarmfulQA and JailbreakBench, explicitly optimizing toward a continuous danger score in the range 0 to 1 provided by an independent evaluator model (GPT-5.1). Our results demonstrate a substantial reduction in effective safety safeguards, with the effects being especially pronounced for open-source small language models. For example, the average danger score of Qwen 3 8B increases from 0.09 in its baseline setting to 0.79 after optimization. These findings suggest that static benchmarks may underestimate residual risk, indicating that automated, adaptive red-teaming is a necessary component of robust safety evaluation.
title When Prompt Optimization Becomes Jailbreaking: Adaptive Red-Teaming of Large Language Models
topic Computation and Language
Artificial Intelligence
url https://arxiv.org/abs/2603.19247