{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2025:K5RN43FMGDESN5B5UASIRR6C3W","short_pith_number":"pith:K5RN43FM","schema_version":"1.0","canonical_sha256":"5762de6cac30c926f43da02488c7c2ddb885f3ec2002b4c0ef4b6e038b1bce74","source":{"kind":"arxiv","id":"2510.09023","version":1},"attestation_state":"computed","paper":{"title":"The Attacker Moves Second: Stronger Adaptive Attacks Bypass Defenses Against Llm Jailbreaks and Prompt Injections","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Adaptive optimization methods bypass 12 recent defenses against LLM jailbreaks and prompt injections with over 90% success.","cross_cats":["cs.CR"],"primary_cat":"cs.LG","authors_text":"Abhradeep Thakurta, Andreas Terzis, Chawin Sitawarin, Florian Tram\\`er, Harsh Chaudhari, Ilia Shumailov, Jamie Hayes, Juliette Pluto, Kai Yuanqing Xiao, Michael Ilie, Milad Nasr, Nicholas Carlini, Sander V. Schulhoff, Shuang Song","submitted_at":"2025-10-10T05:51:04Z","abstract_excerpt":"How should we evaluate the robustness of language model defenses? Current defenses against jailbreaks and prompt injections (which aim to prevent an attacker from eliciting harmful knowledge or remotely triggering malicious actions, respectively) are typically evaluated either against a static set of harmful attack strings, or against computationally weak optimization methods that were not designed with the defense in mind. We argue that this evaluation process is flawed.\n  Instead, we should evaluate defenses against adaptive attackers who explicitly modify their attack strategy to counter a "},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":true,"formal_links_present":true},"canonical_record":{"source":{"id":"2510.09023","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.LG","submitted_at":"2025-10-10T05:51:04Z","cross_cats_sorted":["cs.CR"],"title_canon_sha256":"b174234e6403764ed3fc1a0c33e209a434fec54ea215d443cfe73f4c4e31d5f1","abstract_canon_sha256":"5489c59026daf924dd2a56d570d092f4274c87bdfd22204cabcaa3d10fac6a9b"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:38:46.921480Z","signature_b64":"tM0u33PEhJ01VxLFx6+5Rcq+PlipfVvkvHk0PN/fcQNnx1ka9foC/edbEylKbApYk8aM+VHpZZPBYb2vWXFuBQ==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"5762de6cac30c926f43da02488c7c2ddb885f3ec2002b4c0ef4b6e038b1bce74","last_reissued_at":"2026-05-17T23:38:46.920915Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:38:46.920915Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"The Attacker Moves Second: Stronger Adaptive Attacks Bypass Defenses Against Llm Jailbreaks and Prompt Injections","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Adaptive optimization methods bypass 12 recent defenses against LLM jailbreaks and prompt injections with over 90% success.","cross_cats":["cs.CR"],"primary_cat":"cs.LG","authors_text":"Abhradeep Thakurta, Andreas Terzis, Chawin Sitawarin, Florian Tram\\`er, Harsh Chaudhari, Ilia Shumailov, Jamie Hayes, Juliette Pluto, Kai Yuanqing Xiao, Michael Ilie, Milad Nasr, Nicholas Carlini, Sander V. Schulhoff, Shuang Song","submitted_at":"2025-10-10T05:51:04Z","abstract_excerpt":"How should we evaluate the robustness of language model defenses? Current defenses against jailbreaks and prompt injections (which aim to prevent an attacker from eliciting harmful knowledge or remotely triggering malicious actions, respectively) are typically evaluated either against a static set of harmful attack strings, or against computationally weak optimization methods that were not designed with the defense in mind. We argue that this evaluation process is flawed.\n  Instead, we should evaluate defenses against adaptive attackers who explicitly modify their attack strategy to counter a "},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"By systematically tuning and scaling general optimization techniques—gradient descent, reinforcement learning, random search, and human-guided exploration—we bypass 12 recent defenses with attack success rate above 90% for most; importantly, the majority of defenses originally reported near-zero attack success rates.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That the adaptive optimization methods described fairly represent realistic attacker capabilities and were not over-optimized post-hoc against the specific defenses tested.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Adaptive attackers using optimization techniques bypass 12 recent LLM defenses with >90% success, showing that prior robustness claims relied on weak evaluations.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Adaptive optimization methods bypass 12 recent defenses against LLM jailbreaks and prompt injections with over 90% success.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"f4d55d408b9954bb878422ccc94f9b6e2d92e74c9b5e175eb9e741b59636a3df"},"source":{"id":"2510.09023","kind":"arxiv","version":1},"verdict":{"id":"f1650265-2183-46eb-a304-e05000de6ba4","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-16T18:50:13.936733Z","strongest_claim":"By systematically tuning and scaling general optimization techniques—gradient descent, reinforcement learning, random search, and human-guided exploration—we bypass 12 recent defenses with attack success rate above 90% for most; importantly, the majority of defenses originally reported near-zero attack success rates.","one_line_summary":"Adaptive attackers using optimization techniques bypass 12 recent LLM defenses with >90% success, showing that prior robustness claims relied on weak evaluations.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That the adaptive optimization methods described fairly represent realistic attacker capabilities and were not over-optimized post-hoc against the specific defenses tested.","pith_extraction_headline":"Adaptive optimization methods bypass 12 recent defenses against LLM jailbreaks and prompt injections with over 90% success."},"references":{"count":12,"sample":[{"doi":"10.18653/v1/n19-1423","year":2025,"title":"AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents","work_id":"7b1b672f-e6b4-4df9-aa8b-3396a2eb8b16","ref_index":1,"cited_arxiv_id":"2406.13352","is_internal_anchor":true},{"doi":"10.1109/sp61157.2025.00250","year":2024,"title":"Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection","work_id":"7a8cfce1-ada7-4a7a-8516-6f16b1bd077b","ref_index":2,"cited_arxiv_id":"2302.12173","is_internal_anchor":true},{"doi":"10.18653/v1/2023.emnlp-main.302","year":2025,"title":"Ignore Previous Prompt: Attack Techniques For Language Models","work_id":"a7c5b6ec-3407-4330-96c8-3fc58e7d410b","ref_index":3,"cited_arxiv_id":"2211.09527","is_internal_anchor":true},{"doi":"","year":2024,"title":"Similarly to prior works, we use this benchmark to evaluate the jailbreak defenses","work_id":"459882c5-9f63-47ac-b062-ac78206a2cd6","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2023,"title":"We follow Chen et al","work_id":"d280f17e-a86a-4fe4-b595-85a965b6e448","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":12,"snapshot_sha256":"cf9b9dcc6a4624e279a063637d1a6395e5f212d40b023db1a25918951711192e","internal_anchors":3},"formal_canon":{"evidence_count":2,"snapshot_sha256":"341f2de6d9ceaa6ade6492896677f504454f37ea7d6c9b1f8ffc3d462bea0d6c"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2510.09023","created_at":"2026-05-17T23:38:46.921002+00:00"},{"alias_kind":"arxiv_version","alias_value":"2510.09023v1","created_at":"2026-05-17T23:38:46.921002+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2510.09023","created_at":"2026-05-17T23:38:46.921002+00:00"},{"alias_kind":"pith_short_12","alias_value":"K5RN43FMGDES","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_16","alias_value":"K5RN43FMGDESN5B5","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_8","alias_value":"K5RN43FM","created_at":"2026-05-18T12:33:37.589309+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":27,"internal_anchor_count":27,"sample":[{"citing_arxiv_id":"2605.23330","citing_title":"Security, Privacy, and Ethical Risks in OpenClaw","ref_index":16,"is_internal_anchor":true},{"citing_arxiv_id":"2605.21834","citing_title":"On-Policy Consistency Training Improves LLM Safety with Minimal Capability Degradation","ref_index":20,"is_internal_anchor":true},{"citing_arxiv_id":"2605.18991","citing_title":"Agent Security is a Systems Problem","ref_index":39,"is_internal_anchor":true},{"citing_arxiv_id":"2605.20286","citing_title":"Adaptive Probe-based Steering for Robust LLM Jailbreaking","ref_index":43,"is_internal_anchor":true},{"citing_arxiv_id":"2605.20312","citing_title":"Pramana: A Protocol-Layer Treatment of Claim Verification in Autonomous Agent Networks","ref_index":24,"is_internal_anchor":true},{"citing_arxiv_id":"2604.18248","citing_title":"Beyond Pattern Matching: Seven Cross-Domain Techniques for Prompt Injection Detection","ref_index":13,"is_internal_anchor":true},{"citing_arxiv_id":"2605.16471","citing_title":"From AI-Generated Content to Agentic Action: Security and Safety Threats in Generative AI","ref_index":85,"is_internal_anchor":true},{"citing_arxiv_id":"2605.18991","citing_title":"Agent Security is a Systems Problem","ref_index":39,"is_internal_anchor":true},{"citing_arxiv_id":"2605.01970","citing_title":"Trojan Hippo: Weaponizing Agent Memory for Data Exfiltration","ref_index":52,"is_internal_anchor":true},{"citing_arxiv_id":"2512.20405","citing_title":"ChatGPT: Excellent Paper! Accept It. Editor: Imposter Found! Review Rejected","ref_index":15,"is_internal_anchor":true},{"citing_arxiv_id":"2602.03117","citing_title":"AgentDyn: Are Your Agent Security Defenses Deployable in Real-World Dynamic Environments?","ref_index":5,"is_internal_anchor":true},{"citing_arxiv_id":"2602.16708","citing_title":"Formal Policy Enforcement for Real-World Agentic Systems","ref_index":46,"is_internal_anchor":true},{"citing_arxiv_id":"2603.00991","citing_title":"Tracking Capabilities for Safer Agents","ref_index":54,"is_internal_anchor":true},{"citing_arxiv_id":"2605.14290","citing_title":"Web Agents Should Adopt the Plan-Then-Execute Paradigm","ref_index":20,"is_internal_anchor":true},{"citing_arxiv_id":"2605.13471","citing_title":"Sleeper Channels and Provenance Gates: Persistent Prompt Injection in Always-on Autonomous AI Agents","ref_index":17,"is_internal_anchor":true},{"citing_arxiv_id":"2605.11026","citing_title":"AgentShield: Deception-based Compromise Detection for Tool-using LLM Agents","ref_index":9,"is_internal_anchor":true},{"citing_arxiv_id":"2604.28157","citing_title":"FlashRT: Towards Computationally and Memory Efficient Red-Teaming for Prompt Injection and Knowledge Corruption","ref_index":20,"is_internal_anchor":true},{"citing_arxiv_id":"2605.10763","citing_title":"MATRA: Modeling the Attack Surface of Agentic AI Systems -- OpenClaw Case Study","ref_index":13,"is_internal_anchor":true},{"citing_arxiv_id":"2605.03378","citing_title":"ARGUS: Defending LLM Agents Against Context-Aware Prompt Injection","ref_index":137,"is_internal_anchor":true},{"citing_arxiv_id":"2604.02375","citing_title":"KAIJU: An Executive Kernel for Intent-Gated Execution of LLM Agents","ref_index":8,"is_internal_anchor":true},{"citing_arxiv_id":"2605.01970","citing_title":"Trojan Hippo: Weaponizing Agent Memory for Data Exfiltration","ref_index":53,"is_internal_anchor":true},{"citing_arxiv_id":"2605.00081","citing_title":"Alignment Contracts for Agentic Security Systems","ref_index":37,"is_internal_anchor":true},{"citing_arxiv_id":"2604.19657","citing_title":"An AI Agent Execution Environment to Safeguard User Data","ref_index":49,"is_internal_anchor":true},{"citing_arxiv_id":"2604.12548","citing_title":"DeepSeek Robustness Against Semantic-Character Dual-Space Mutated Prompt Injection","ref_index":18,"is_internal_anchor":true},{"citing_arxiv_id":"2604.07536","citing_title":"TRUSTDESC: Preventing Tool Poisoning in LLM Applications via Trusted Description Generation","ref_index":54,"is_internal_anchor":true}]},"formal_canon":{"evidence_count":2,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/K5RN43FMGDESN5B5UASIRR6C3W","json":"https://pith.science/pith/K5RN43FMGDESN5B5UASIRR6C3W.json","graph_json":"https://pith.science/api/pith-number/K5RN43FMGDESN5B5UASIRR6C3W/graph.json","events_json":"https://pith.science/api/pith-number/K5RN43FMGDESN5B5UASIRR6C3W/events.json","paper":"https://pith.science/paper/K5RN43FM"},"agent_actions":{"view_html":"https://pith.science/pith/K5RN43FMGDESN5B5UASIRR6C3W","download_json":"https://pith.science/pith/K5RN43FMGDESN5B5UASIRR6C3W.json","view_paper":"https://pith.science/paper/K5RN43FM","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2510.09023&json=true","fetch_graph":"https://pith.science/api/pith-number/K5RN43FMGDESN5B5UASIRR6C3W/graph.json","fetch_events":"https://pith.science/api/pith-number/K5RN43FMGDESN5B5UASIRR6C3W/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/K5RN43FMGDESN5B5UASIRR6C3W/action/timestamp_anchor","attest_storage":"https://pith.science/pith/K5RN43FMGDESN5B5UASIRR6C3W/action/storage_attestation","attest_author":"https://pith.science/pith/K5RN43FMGDESN5B5UASIRR6C3W/action/author_attestation","sign_citation":"https://pith.science/pith/K5RN43FMGDESN5B5UASIRR6C3W/action/citation_signature","submit_replication":"https://pith.science/pith/K5RN43FMGDESN5B5UASIRR6C3W/action/replication_record"}},"created_at":"2026-05-17T23:38:46.921002+00:00","updated_at":"2026-05-17T23:38:46.921002+00:00"}