{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2026:6RHRJQSIKLPIJZIJ2ZHYZEBBD3","short_pith_number":"pith:6RHRJQSI","canonical_record":{"source":{"id":"2605.15118","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T17:30:36Z","cross_cats_sorted":["cs.CL"],"title_canon_sha256":"954300aec7970a5462bde3e8cbf0c233edc9a969e204f17bc262adb066dcfbeb","abstract_canon_sha256":"0f79131bbe6b7db8455eff07f8490db82e902e9f6294bfc4f4b8e76439ac8905"},"schema_version":"1.0"},"canonical_sha256":"f44f14c24852de84e509d64f8c90211eeef0d9714f1db4a73fd355ba09b7bc37","source":{"kind":"arxiv","id":"2605.15118","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.15118","created_at":"2026-05-17T21:18:33Z"},{"alias_kind":"arxiv_version","alias_value":"2605.15118v1","created_at":"2026-05-17T21:18:33Z"},{"alias_kind":"pith_short_12","alias_value":"6RHRJQSIKLPI","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"6RHRJQSIKLPIJZIJ","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"6RHRJQSI","created_at":"2026-05-18T12:33:37Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2026:6RHRJQSIKLPIJZIJ2ZHYZEBBD3","target":"record","payload":{"canonical_record":{"source":{"id":"2605.15118","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T17:30:36Z","cross_cats_sorted":["cs.CL"],"title_canon_sha256":"954300aec7970a5462bde3e8cbf0c233edc9a969e204f17bc262adb066dcfbeb","abstract_canon_sha256":"0f79131bbe6b7db8455eff07f8490db82e902e9f6294bfc4f4b8e76439ac8905"},"schema_version":"1.0"},"canonical_sha256":"f44f14c24852de84e509d64f8c90211eeef0d9714f1db4a73fd355ba09b7bc37","receipt":{"kind":"pith_receipt","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.2","canonical_sha256":"f44f14c24852de84e509d64f8c90211eeef0d9714f1db4a73fd355ba09b7bc37","last_reissued_at":"2026-05-17T21:57:19.046842Z","signature_status":"unsigned_v0","first_computed_at":"2026-05-17T21:40:25.709298Z"},"source_kind":"arxiv","source_id":"2605.15118","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T21:18:33Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"TNza3jd2jCLFP3xjIcMDqKEwBTYiwJWQFVWLZmIUH0yZ2itNPeoTkcamGDuaA5DiLUDVZ/ZOoF/XCnR0aoe9AQ==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-01T20:34:44.879005Z"},"content_sha256":"aebd0dcf55168b9094cafb7e98b6ee657d2ea04fb78576121e32396b3f969376","schema_version":"1.0","event_id":"sha256:aebd0dcf55168b9094cafb7e98b6ee657d2ea04fb78576121e32396b3f969376"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2026:6RHRJQSIKLPIJZIJ2ZHYZEBBD3","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Talk is (Not) Cheap: A Taxonomy and Benchmark Coverage Audit for LLM Attacks","license":"http://creativecommons.org/licenses/by/4.0/","headline":"A new taxonomy and matrix audit shows leading LLM attack benchmarks cover at most 25% of the STRIDE threat surface, with entire categories such as Service Disruption and Model Internals lacking any standardized tests.","cross_cats":["cs.CL"],"primary_cat":"cs.CR","authors_text":"Alexey A. Shvets, Karthik Raghu Iyer, Nicholas Bray, Yazdan Jamshidi","submitted_at":"2026-05-14T17:30:36Z","abstract_excerpt":"We introduce a reusable framework for auditing whether LLM attack benchmarks collectively cover the threat surface: a 4$\\times$6 Target $\\times$ Technique matrix grounded in STRIDE, constructed from a 507-leaf taxonomy -- 401 data-populated and 106 threat-model-derived leaves -- of inference-time attacks extracted from 932 arXiv security studies (2023--2026). The matrix enables benchmark-external validation -- auditing collective coverage rather than individual benchmark consistency. Applying it to six public benchmarks reveals that the three primary frameworks (HarmBench, InjecAgent, AgentDoj"},"claims":{"count":3,"items":[{"kind":"strongest_claim","text":"Applying it to six public benchmarks reveals that the three primary frameworks (HarmBench, InjecAgent, AgentDojo) occupy non-overlapping cells covering at most 25% of the matrix, while entire STRIDE threat categories (Service Disruption, Model Internals) lack any standardized evaluation, despite published attacks in these categories achieving 46× token amplification and 96% attack success rates.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That the 507-leaf taxonomy extracted from the 932 arXiv studies comprehensively and without major omission represents the full threat surface of inference-time LLM attacks.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"A new taxonomy and matrix audit shows leading LLM attack benchmarks cover at most 25% of the STRIDE threat surface, with entire categories such as Service Disruption and Model Internals lacking any standardized tests.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"}],"snapshot_sha256":"40d43ad59591808a2709bac95979f81bd79cfda2c08ff3b2dc19993ada1fe673"},"source":{"id":"2605.15118","kind":"arxiv","version":1},"verdict":{"id":"76ceaef2-cc34-4a1a-b853-0deccec1a3c5","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-15T03:17:03.769535Z","strongest_claim":"Applying it to six public benchmarks reveals that the three primary frameworks (HarmBench, InjecAgent, AgentDojo) occupy non-overlapping cells covering at most 25% of the matrix, while entire STRIDE threat categories (Service Disruption, Model Internals) lack any standardized evaluation, despite published attacks in these categories achieving 46× token amplification and 96% attack success rates.","one_line_summary":"A new taxonomy and matrix audit shows leading LLM attack benchmarks cover at most 25% of the STRIDE threat surface, with entire categories such as Service Disruption and Model Internals lacking any standardized tests.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That the 507-leaf taxonomy extracted from the 932 arXiv studies comprehensively and without major omission represents the full threat surface of inference-time LLM attacks.","pith_extraction_headline":""},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":"76ceaef2-cc34-4a1a-b853-0deccec1a3c5"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T21:57:19Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"JZMUbYt8xNGJ1QM8cMTEZf1iMSXfuFB7GWkux+F+ykysSX4gHA6ECLXN8SBAZxeB4p4y4uz8FGXvLckMtY6vAA==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-01T20:34:44.879451Z"},"content_sha256":"eea054558b298f9576e5a87dcc570cd615b257801a6442e89bf7f00df713f79f","schema_version":"1.0","event_id":"sha256:eea054558b298f9576e5a87dcc570cd615b257801a6442e89bf7f00df713f79f"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/6RHRJQSIKLPIJZIJ2ZHYZEBBD3/bundle.json","state_url":"https://pith.science/pith/6RHRJQSIKLPIJZIJ2ZHYZEBBD3/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/6RHRJQSIKLPIJZIJ2ZHYZEBBD3/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-06-01T20:34:44Z","links":{"resolver":"https://pith.science/pith/6RHRJQSIKLPIJZIJ2ZHYZEBBD3","bundle":"https://pith.science/pith/6RHRJQSIKLPIJZIJ2ZHYZEBBD3/bundle.json","state":"https://pith.science/pith/6RHRJQSIKLPIJZIJ2ZHYZEBBD3/state.json","well_known_bundle":"https://pith.science/.well-known/pith/6RHRJQSIKLPIJZIJ2ZHYZEBBD3/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:6RHRJQSIKLPIJZIJ2ZHYZEBBD3","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"0f79131bbe6b7db8455eff07f8490db82e902e9f6294bfc4f4b8e76439ac8905","cross_cats_sorted":["cs.CL"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T17:30:36Z","title_canon_sha256":"954300aec7970a5462bde3e8cbf0c233edc9a969e204f17bc262adb066dcfbeb"},"schema_version":"1.0","source":{"id":"2605.15118","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.15118","created_at":"2026-05-17T21:18:33Z"},{"alias_kind":"arxiv_version","alias_value":"2605.15118v1","created_at":"2026-05-17T21:18:33Z"},{"alias_kind":"pith_short_12","alias_value":"6RHRJQSIKLPI","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"6RHRJQSIKLPIJZIJ","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"6RHRJQSI","created_at":"2026-05-18T12:33:37Z"}],"graph_snapshots":[{"event_id":"sha256:eea054558b298f9576e5a87dcc570cd615b257801a6442e89bf7f00df713f79f","target":"graph","created_at":"2026-05-17T21:57:19Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":3,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"Applying it to six public benchmarks reveals that the three primary frameworks (HarmBench, InjecAgent, AgentDojo) occupy non-overlapping cells covering at most 25% of the matrix, while entire STRIDE threat categories (Service Disruption, Model Internals) lack any standardized evaluation, despite published attacks in these categories achieving 46× token amplification and 96% attack success rates."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"That the 507-leaf taxonomy extracted from the 932 arXiv studies comprehensively and without major omission represents the full threat surface of inference-time LLM attacks."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"A new taxonomy and matrix audit shows leading LLM attack benchmarks cover at most 25% of the STRIDE threat surface, with entire categories such as Service Disruption and Model Internals lacking any standardized tests."}],"snapshot_sha256":"40d43ad59591808a2709bac95979f81bd79cfda2c08ff3b2dc19993ada1fe673"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"We introduce a reusable framework for auditing whether LLM attack benchmarks collectively cover the threat surface: a 4$\\times$6 Target $\\times$ Technique matrix grounded in STRIDE, constructed from a 507-leaf taxonomy -- 401 data-populated and 106 threat-model-derived leaves -- of inference-time attacks extracted from 932 arXiv security studies (2023--2026). The matrix enables benchmark-external validation -- auditing collective coverage rather than individual benchmark consistency. Applying it to six public benchmarks reveals that the three primary frameworks (HarmBench, InjecAgent, AgentDoj","authors_text":"Alexey A. Shvets, Karthik Raghu Iyer, Nicholas Bray, Yazdan Jamshidi","cross_cats":["cs.CL"],"headline":"A new taxonomy and matrix audit shows leading LLM attack benchmarks cover at most 25% of the STRIDE threat surface, with entire categories such as Service Disruption and Model Internals lacking any standardized tests.","license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T17:30:36Z","title":"Talk is (Not) Cheap: A Taxonomy and Benchmark Coverage Audit for LLM Attacks"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2605.15118","kind":"arxiv","version":1},"verdict":{"created_at":"2026-05-15T03:17:03.769535Z","id":"76ceaef2-cc34-4a1a-b853-0deccec1a3c5","model_set":{"reader":"grok-4.3"},"one_line_summary":"A new taxonomy and matrix audit shows leading LLM attack benchmarks cover at most 25% of the STRIDE threat surface, with entire categories such as Service Disruption and Model Internals lacking any standardized tests.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"","strongest_claim":"Applying it to six public benchmarks reveals that the three primary frameworks (HarmBench, InjecAgent, AgentDojo) occupy non-overlapping cells covering at most 25% of the matrix, while entire STRIDE threat categories (Service Disruption, Model Internals) lack any standardized evaluation, despite published attacks in these categories achieving 46× token amplification and 96% attack success rates.","weakest_assumption":"That the 507-leaf taxonomy extracted from the 932 arXiv studies comprehensively and without major omission represents the full threat surface of inference-time LLM attacks."}},"verdict_id":"76ceaef2-cc34-4a1a-b853-0deccec1a3c5"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:aebd0dcf55168b9094cafb7e98b6ee657d2ea04fb78576121e32396b3f969376","target":"record","created_at":"2026-05-17T21:18:33Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"0f79131bbe6b7db8455eff07f8490db82e902e9f6294bfc4f4b8e76439ac8905","cross_cats_sorted":["cs.CL"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T17:30:36Z","title_canon_sha256":"954300aec7970a5462bde3e8cbf0c233edc9a969e204f17bc262adb066dcfbeb"},"schema_version":"1.0","source":{"id":"2605.15118","kind":"arxiv","version":1}},"canonical_sha256":"f44f14c24852de84e509d64f8c90211eeef0d9714f1db4a73fd355ba09b7bc37","receipt":{"builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"f44f14c24852de84e509d64f8c90211eeef0d9714f1db4a73fd355ba09b7bc37","first_computed_at":"2026-05-17T21:40:25.709298Z","kind":"pith_receipt","last_reissued_at":"2026-05-17T21:57:19.046842Z","receipt_version":"0.2","signature_status":"unsigned_v0"},"source_id":"2605.15118","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:aebd0dcf55168b9094cafb7e98b6ee657d2ea04fb78576121e32396b3f969376","sha256:eea054558b298f9576e5a87dcc570cd615b257801a6442e89bf7f00df713f79f"],"state_sha256":"01016a1bfe7a485004712730146cc52c29e527fa0ee9338c6953c3d8dcb84d5b"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"zNDVtJj4LrnJS7KEdbu6dCafM4CBUmJpFFH65XCP/Zims/EX2YIzIQPsqRf+GDQLEd/f/UYow8ViWO50KcmCBA==","signed_message":"bundle_sha256_bytes","signed_at":"2026-06-01T20:34:44.881496Z","bundle_sha256":"e98f125d340c816ad357da792f5c7a48e15fd22fe141599b01fb1fd76eb191f4"}}