Table of Contents
Fetching ...

Automated Red-Teaming Framework for Large Language Model Security Assessment: A Comprehensive Attack Generation and Detection System

Zhang Wei, Peilu Hu, Shengning Lang, Hao Yan, Li Mei, Yichao Zhang, Chen Yang, Junfeng Hao, Zhimo Han

TL;DR

The paper addresses the scalability gap in LLM security assessment by introducing an automated red-teaming framework that autonomously generates adversarial prompts via meta-prompting, detects vulnerabilities using multi-modal analysis, and evaluates findings through standardized protocols across six threat categories. It demonstrates substantial improvements in vulnerability discovery (47 total, including 21 high-severity and 12 novel) and detection accuracy (89%), achieving a 3.9× efficiency gain over manual testing. The framework's modular architecture, ablation insights, and case studies illustrate its capability to systematically probe LLMs like GPT-OSS-20B while exposing trade-offs between defense robustness and operational overhead. These results advance scalable, reproducible AI safety evaluations and provide actionable guidance for strengthening alignment and security in real-world deployments.

Abstract

As large language models (LLMs) are increasingly deployed in high-stakes domains, ensuring their security and alignment has become a critical challenge. Existing red-teaming practices depend heavily on manual testing, which limits scalability and fails to comprehensively cover the vast space of potential adversarial behaviors. This paper introduces an automated red-teaming framework that systematically generates, executes, and evaluates adversarial prompts to uncover security vulnerabilities in LLMs. Our framework integrates meta-prompting-based attack synthesis, multi-modal vulnerability detection, and standardized evaluation protocols spanning six major threat categories -- reward hacking, deceptive alignment, data exfiltration, sandbagging, inappropriate tool use, and chain-of-thought manipulation. Experiments on the GPT-OSS-20B model reveal 47 distinct vulnerabilities, including 21 high-severity and 12 novel attack patterns, achieving a $3.9\times$ improvement in vulnerability discovery rate over manual expert testing while maintaining 89\% detection accuracy. These results demonstrate the framework's effectiveness in enabling scalable, systematic, and reproducible AI safety evaluations. By providing actionable insights for improving alignment robustness, this work advances the state of automated LLM red-teaming and contributes to the broader goal of building secure and trustworthy AI systems.

Automated Red-Teaming Framework for Large Language Model Security Assessment: A Comprehensive Attack Generation and Detection System

TL;DR

The paper addresses the scalability gap in LLM security assessment by introducing an automated red-teaming framework that autonomously generates adversarial prompts via meta-prompting, detects vulnerabilities using multi-modal analysis, and evaluates findings through standardized protocols across six threat categories. It demonstrates substantial improvements in vulnerability discovery (47 total, including 21 high-severity and 12 novel) and detection accuracy (89%), achieving a 3.9× efficiency gain over manual testing. The framework's modular architecture, ablation insights, and case studies illustrate its capability to systematically probe LLMs like GPT-OSS-20B while exposing trade-offs between defense robustness and operational overhead. These results advance scalable, reproducible AI safety evaluations and provide actionable guidance for strengthening alignment and security in real-world deployments.

Abstract

As large language models (LLMs) are increasingly deployed in high-stakes domains, ensuring their security and alignment has become a critical challenge. Existing red-teaming practices depend heavily on manual testing, which limits scalability and fails to comprehensively cover the vast space of potential adversarial behaviors. This paper introduces an automated red-teaming framework that systematically generates, executes, and evaluates adversarial prompts to uncover security vulnerabilities in LLMs. Our framework integrates meta-prompting-based attack synthesis, multi-modal vulnerability detection, and standardized evaluation protocols spanning six major threat categories -- reward hacking, deceptive alignment, data exfiltration, sandbagging, inappropriate tool use, and chain-of-thought manipulation. Experiments on the GPT-OSS-20B model reveal 47 distinct vulnerabilities, including 21 high-severity and 12 novel attack patterns, achieving a improvement in vulnerability discovery rate over manual expert testing while maintaining 89\% detection accuracy. These results demonstrate the framework's effectiveness in enabling scalable, systematic, and reproducible AI safety evaluations. By providing actionable insights for improving alignment robustness, this work advances the state of automated LLM red-teaming and contributes to the broader goal of building secure and trustworthy AI systems.
Paper Structure (34 sections, 5 equations, 6 figures, 5 tables, 1 algorithm)

This paper contains 34 sections, 5 equations, 6 figures, 5 tables, 1 algorithm.

Figures (6)

  • Figure 1: Overall architecture of the automated red-teaming framework showing the four main modules and their data flows. The feedback loop enables iterative improvement of attack generation based on evaluation results.
  • Figure 2: Overall architecture of the automated red-teaming framework showing the four main modules and their data flows. The feedback loop enables iterative improvement of attack generation based on evaluation results.
  • Figure 3: Comprehensive multi-panel comparison of vulnerability discovery methods. (a) Total vulnerabilities with severity breakdown showing our framework's superior performance. (b) Radar chart illustrating coverage across six vulnerability categories. (c) Cumulative discovery rate demonstrating efficiency gains over time. (d) Precision-reproducibility trade-off where marker size indicates total vulnerabilities found. (e) Ablation study of multi-level detection components. (f) Defense mechanism cost-benefit analysis.
  • Figure 4: Multi-dimensional defense mechanism analysis using radar charts. (a) Individual defense mechanisms showing trade-offs between block rate, cost-benefit, overhead, false positive rate, deployment complexity, and scalability. (b) Combined defense strategies compared against the best single mechanism baseline, illustrating the advantages and costs of integrated approaches.
  • Figure 5: Vulnerability distribution heatmap across methods and categories. (a) Absolute vulnerability counts showing our framework's comprehensive coverage and superior discovery capability across all six categories. (b) Average severity scores (scale 1--10) indicating that our framework not only discovers more vulnerabilities but also identifies higher-severity issues across all categories.
  • ...and 1 more figures