AJAR: Adaptive Jailbreak Architecture for Red-teaming
Yipu Dou, Wang Yang
TL;DR
AJAR introduces a protocol-driven red-teaming framework that decouples adversarial logic from execution using the Model Context Protocol (MCP) and Petri-based agentic runtimes. By employing an Auditor Agent, AJAR enables stateful backtracking and dynamic tool simulations within multi-turn interactions, uniting advanced strategies like X-Teaming as MCP services. A qualitative case study demonstrates architectural feasibility and reveals a nuanced Agentic Gap, where tool usage both creates new injection vectors and can impede certain persona-based attacks due to cognitive load. The work provides open-source tooling to standardize environment-aware evaluation of action safety in autonomous agents and outlines future directions including multimodal attacks and automated defenses via Guardian Protocols.
Abstract
As Large Language Models (LLMs) evolve from static chatbots into autonomous agents capable of tool execution, the landscape of AI safety is shifting from content moderation to action security. However, existing red-teaming frameworks remain bifurcated: they either focus on rigid, script-based text attacks or lack the architectural modularity to simulate complex, multi-turn agentic exploitations. In this paper, we introduce AJAR (Adaptive Jailbreak Architecture for Red-teaming), a proof-of-concept framework designed to bridge this gap through Protocol-driven Cognitive Orchestration. Built upon the robust runtime of Petri, AJAR leverages the Model Context Protocol (MCP) to decouple adversarial logic from the execution loop, encapsulating state-of-the-art algorithms like X-Teaming as standardized, plug-and-play services. We validate the architectural feasibility of AJAR through a controlled qualitative case study, demonstrating its ability to perform stateful backtracking within a tool-use environment. Furthermore, our preliminary exploration of the "Agentic Gap" reveals a complex safety dynamic: while tool usage introduces new injection vectors via code execution, the cognitive load of parameter formatting can inadvertently disrupt persona-based attacks. AJAR is open-sourced to facilitate the standardized, environment-aware evaluation of this emerging attack surface. The code and data are available at https://github.com/douyipu/ajar.
