Saved in:
Bibliographic Details
Main Authors: Diwan, Nirav, Wang, Han, Kapusuzoglu, Berkcan, Moradi, Ramin, Chakraborty, Supriyo, Iyengar, Giri, Sahu, Sambit, Zhang, Huan, Wang, Gang
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2605.12746
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866910213951455232
author Diwan, Nirav
Wang, Han
Kapusuzoglu, Berkcan
Moradi, Ramin
Chakraborty, Supriyo
Iyengar, Giri
Sahu, Sambit
Zhang, Huan
Wang, Gang
author_facet Diwan, Nirav
Wang, Han
Kapusuzoglu, Berkcan
Moradi, Ramin
Chakraborty, Supriyo
Iyengar, Giri
Sahu, Sambit
Zhang, Huan
Wang, Gang
contents Monitoring the chain-of-thought (CoT) of reasoning models is a promising approach for detecting covert misbehavior (i.e., hidden objectives) in code generation tasks. While large models (GPT-5, Gemini-3-Flash) can serve as effective CoT monitors, they are expensive to deploy due to the lengthy reasoning traces and high API cost, emphasizing the need for smaller, cheaper alternatives. Nevertheless, we find that current small models (4B--8B) struggle to detect hidden objectives despite access to the CoT, frequently misattributing them as part of the user query. To address this, we propose a post-training pipeline combining supervised fine-tuning (SFT) and reinforcement learning (RL), where SFT narrows the gap for in-domain tasks by distilling detection behavior from stronger monitors, and RL on hard and subtly crafted hidden objectives helps the model generalize to out-of-domain monitoring tasks. To validate this generalization, we evaluate under a realistic threat model motivated by practical supply-chain attacks, where the adversary is a third-party LLM router injecting hidden objectives into code-generation requests through either prompt manipulation or code manipulation attacks. To push beyond objectives that large monitors already saturate, we also introduce four new challenging tasks even for strong monitors. Finally, we introduce CoT-Guard, a 4B-parameter monitor that demonstrates superior generalization performance under both prompt and code manipulation attacks, achieving a G-mean^2 (i.e., TNR x TPR) of 75% and outperforming GPT-5.4 (56%), GPT-5-mini (41%), and Qwen3-32B (54%), while closing the gap to Gemini-3-Flash (83%). These results demonstrate that CoT-Guard provides a practical and cost-effective user-side defense, substantially improving hidden-objective detection while avoiding the deployment cost of large monitors.
format Preprint
id arxiv_https___arxiv_org_abs_2605_12746
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle CoT-Guard: Small Models for Strong Monitoring
Diwan, Nirav
Wang, Han
Kapusuzoglu, Berkcan
Moradi, Ramin
Chakraborty, Supriyo
Iyengar, Giri
Sahu, Sambit
Zhang, Huan
Wang, Gang
Cryptography and Security
Artificial Intelligence
Monitoring the chain-of-thought (CoT) of reasoning models is a promising approach for detecting covert misbehavior (i.e., hidden objectives) in code generation tasks. While large models (GPT-5, Gemini-3-Flash) can serve as effective CoT monitors, they are expensive to deploy due to the lengthy reasoning traces and high API cost, emphasizing the need for smaller, cheaper alternatives. Nevertheless, we find that current small models (4B--8B) struggle to detect hidden objectives despite access to the CoT, frequently misattributing them as part of the user query. To address this, we propose a post-training pipeline combining supervised fine-tuning (SFT) and reinforcement learning (RL), where SFT narrows the gap for in-domain tasks by distilling detection behavior from stronger monitors, and RL on hard and subtly crafted hidden objectives helps the model generalize to out-of-domain monitoring tasks. To validate this generalization, we evaluate under a realistic threat model motivated by practical supply-chain attacks, where the adversary is a third-party LLM router injecting hidden objectives into code-generation requests through either prompt manipulation or code manipulation attacks. To push beyond objectives that large monitors already saturate, we also introduce four new challenging tasks even for strong monitors. Finally, we introduce CoT-Guard, a 4B-parameter monitor that demonstrates superior generalization performance under both prompt and code manipulation attacks, achieving a G-mean^2 (i.e., TNR x TPR) of 75% and outperforming GPT-5.4 (56%), GPT-5-mini (41%), and Qwen3-32B (54%), while closing the gap to Gemini-3-Flash (83%). These results demonstrate that CoT-Guard provides a practical and cost-effective user-side defense, substantially improving hidden-objective detection while avoiding the deployment cost of large monitors.
title CoT-Guard: Small Models for Strong Monitoring
topic Cryptography and Security
Artificial Intelligence
url https://arxiv.org/abs/2605.12746