Table of Contents
Fetching ...

Constitutional Classifiers++: Efficient Production-Grade Defenses against Universal Jailbreaks

Hoagy Cunningham, Jerry Wei, Zihan Wang, Andrew Persic, Alwin Peng, Jordan Abderrachid, Raj Agarwal, Bobby Chen, Austin Cohen, Andy Dau, Alek Dimitriev, Rob Gilson, Logan Howard, Yijin Hua, Jared Kaplan, Jan Leike, Mu Lin, Christopher Liu, Vladimir Mikulik, Rohit Mittapalli, Clare O'Hara, Jin Pan, Nikhil Saxena, Alex Silverstein, Yue Song, Xunjie Yu, Giulio Zhou, Ethan Perez, Mrinank Sharma

TL;DR

This work tackles the tension between jailbreak robustness and production costs for large language models by advancing Constitutional Classifiers through exchange classifiers that evaluate outputs in full conversational context, a two-stage cascade to reduce compute, and efficient linear probes with ensemble techniques. The proposed production-grade system achieves a ${0.05\%}$ production-refusal rate while delivering substantial compute savings (up to ${40\times}$ over the baseline exchange classifier) and demonstrates superior protection against universal jailbreaks after extensive red-teaming. Key innovations include in-context output evaluation, a cascade architecture with adaptive computation, and streaming, low-cost probes that can complement external classifiers in ensembles. The results establish Constitutional Classifiers as practical, deployment-friendly safeguards for defending against universal jailbreaks in production LLM systems.

Abstract

We introduce enhanced Constitutional Classifiers that deliver production-grade jailbreak robustness with dramatically reduced computational costs and refusal rates compared to previous-generation defenses. Our system combines several key insights. First, we develop exchange classifiers that evaluate model responses in their full conversational context, which addresses vulnerabilities in last-generation systems that examine outputs in isolation. Second, we implement a two-stage classifier cascade where lightweight classifiers screen all traffic and escalate only suspicious exchanges to more expensive classifiers. Third, we train efficient linear probe classifiers and ensemble them with external classifiers to simultaneously improve robustness and reduce computational costs. Together, these techniques yield a production-grade system achieving a 40x computational cost reduction compared to our baseline exchange classifier, while maintaining a 0.05% refusal rate on production traffic. Through extensive red-teaming comprising over 1,700 hours, we demonstrate strong protection against universal jailbreaks -- no attack on this system successfully elicited responses to all eight target queries comparable in detail to an undefended model. Our work establishes Constitutional Classifiers as practical and efficient safeguards for large language models.

Constitutional Classifiers++: Efficient Production-Grade Defenses against Universal Jailbreaks

TL;DR

This work tackles the tension between jailbreak robustness and production costs for large language models by advancing Constitutional Classifiers through exchange classifiers that evaluate outputs in full conversational context, a two-stage cascade to reduce compute, and efficient linear probes with ensemble techniques. The proposed production-grade system achieves a production-refusal rate while delivering substantial compute savings (up to over the baseline exchange classifier) and demonstrates superior protection against universal jailbreaks after extensive red-teaming. Key innovations include in-context output evaluation, a cascade architecture with adaptive computation, and streaming, low-cost probes that can complement external classifiers in ensembles. The results establish Constitutional Classifiers as practical, deployment-friendly safeguards for defending against universal jailbreaks in production LLM systems.

Abstract

We introduce enhanced Constitutional Classifiers that deliver production-grade jailbreak robustness with dramatically reduced computational costs and refusal rates compared to previous-generation defenses. Our system combines several key insights. First, we develop exchange classifiers that evaluate model responses in their full conversational context, which addresses vulnerabilities in last-generation systems that examine outputs in isolation. Second, we implement a two-stage classifier cascade where lightweight classifiers screen all traffic and escalate only suspicious exchanges to more expensive classifiers. Third, we train efficient linear probe classifiers and ensemble them with external classifiers to simultaneously improve robustness and reduce computational costs. Together, these techniques yield a production-grade system achieving a 40x computational cost reduction compared to our baseline exchange classifier, while maintaining a 0.05% refusal rate on production traffic. Through extensive red-teaming comprising over 1,700 hours, we demonstrate strong protection against universal jailbreaks -- no attack on this system successfully elicited responses to all eight target queries comparable in detail to an undefended model. Our work establishes Constitutional Classifiers as practical and efficient safeguards for large language models.
Paper Structure (21 sections, 5 equations, 6 figures, 1 table)

This paper contains 21 sections, 5 equations, 6 figures, 1 table.

Figures (6)

  • Figure 1: Systematic vulnerabilities in last-generation Constitutional Classifiers.(a) Reconstruction attacks bypass input filters by fragmenting a harmful request across a benign context. In this illustrative example, the attacker embeds a query across function return values, then instructs the model to reconstruct and respond using character-separated formatting to evade output detection. (b) Obfuscation attacks exploit the output classifier's inability to interpret context-dependent transformations. Here, the attacker masks a request for synthesizing hydrochloric acid using metaphorical language ("winter's breath" from "sun's fire" and "sea's gift"), which appears benign to isolated output classification but reveals harmful content when paired with the decoded input context.
  • Figure 2: Analysis of linear probe performance for CBRN-related harmfulness detection using static jailbreak data.(a) Attack success rates for different models. We find that probes achieve competitive robustness to fine-tuned Constitutional Classifiers. (b) Ablation study of loss function. Combining logit smoothing and softmax weighting yields the best performance. (c) Impact of layer selection on probe performance. Performance degrades as fewer layers are utilized for probing. All evaluations were conducted on static jailbreak datasets of CBRN-related queries. All classifiers are exchange classifiers and are calibrated to 0.1% refusal rates on WildChat.
  • Figure 3: Combining linear probes with external classifiers improves robustness and reduces costs.(a) Attack success rates for classifier systems. We find that combining our probe and a small external classifier yields the best performance, outperforming the more expensive external-classifier ensemble. (b) Spearman rank correlation between classifier predictions on jailbreak attempts. Probes and external classifiers make more independent errors than pairs of external classifiers. (c) Compute-robustness tradeoff curves for two-stage configurations. We use the probe predictions to determine routing to the second-stage classifier, which uses the average logit across the probe and small classifier for prediction. We present the cost relative to using the small-sized classifier on all traffic. On our dataset of CBRN-related exchanges, our system that combines probes and the small external classifier can exceed the robustness of the small classifier alone whilst simultaneously offering a 100x reduction in compute costs. All systems are exchange classifiers calibrated to have a 0.1% refusal rate on WildChat. The linear probe uses activations from Claude Sonnet 4, which is the protected model. The 'S' classifier is fine-tuned from Claude Haiku 4.5, while the 'XS' classifier is fine-tuned from an internal model at approximately one-third the size. We evaluate robustness using LLM-based rubric grading on a dataset of CBRN-related human red-teaming exchanges.
  • Figure 4: Comprehensive comparison of Constitutional Classifier systems across robustness, computational efficiency, and false positive rates. (a) High-risk vulnerability discovery rate normalized per thousand queries, with total query counts shown for each system. (b) Mean time in hours for discovering high-risk vulnerabilities. (c) Minimum time to first vulnerability discovery. (d) Absolute count of high-risk vulnerabilities discovered. (e) Relative computational cost compared to our implementation of the last-generation defense system. (f) Refusal rates on production traffic, measured using the refusal rates in the first week after deployment to production traffic. The production-grade system achieves the best robustness and computational efficiency with acceptable refusal rates.
  • Figure 5: Additional probe ablations on loss functions and hyperparameters. (a) Comparison of different loss functions showing that our smoothed softmax approach additionally outperforms cumulative maximum and annealed cumulative max loss, which were proposed by sharma2025constitutional. (b) Impact of sliding window size $M$ on attack success rate, demonstrating optimal performance at moderate window sizes (around $M=16$), with degradation at both extremes.
  • ...and 1 more figures