Large Empirical Case Study: Go-Explore adapted for AI Red Team Testing
Manish Bhatt, Adrian Wood, Idan Habler, Ammar Al-Kahfah
TL;DR
The paper presents a large empirical study adapting Go-Explore for security testing of safety-trained LLMs (GPT-4o-mini) across 28 runs and six research questions. It finds that random seed variance dominates algorithmic parameters, and that multi-seed averaging materially stabilizes results, often outweighing nuanced algorithmic tweaks. Reward shaping generally harms exploration and can induce false positives, while simple state signatures can outperform more complex variants. Ensembles provide diversity across attack types, whereas a single enhanced agent may yield more instances within one class; together, these findings highlight the importance of seed management and domain knowledge for robust security testing in highly guarded LLM environments. Overall, the study argues for pragmatic strategies—favoring seed diversification, targeted exploration, and ensemble approaches—over chasing algorithmic sophistication in safety-focused red teaming.
Abstract
Production LLM agents with tool-using capabilities require security testing despite their safety training. We adapt Go-Explore to evaluate GPT-4o-mini across 28 experimental runs spanning six research questions. We find that random-seed variance dominates algorithmic parameters, yielding an 8x spread in outcomes; single-seed comparisons are unreliable, while multi-seed averaging materially reduces variance in our setup. Reward shaping consistently harms performance, causing exploration collapse in 94% of runs or producing 18 false positives with zero verified attacks. In our environment, simple state signatures outperform complex ones. For comprehensive security testing, ensembles provide attack-type diversity, whereas single agents optimize coverage within a given attack type. Overall, these results suggest that seed variance and targeted domain knowledge can outweigh algorithmic sophistication when testing safety-trained models.
