Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Defensive Refusal Bias: How Safety Alignment Fails Cyber Defenders

David Campbell, Neil Kale, Udari Madhushani Sehwag, Bert Herring, Nick Price, Dan Borges, Alex Levinson, Christina Q Knight

TL;DR

The findings suggest that current LLM cybersecurity alignment relies on semantic similarity to harmful content rather than reasoning about intent or authorization, and calls for mitigations that analyze intent to maximize defensive capabilities while still preventing harmful compliance.

Abstract

Safety alignment in large language models (LLMs), particularly for cybersecurity tasks, primarily focuses on preventing misuse. While this approach reduces direct harm, it obscures a complementary failure mode: denial of assistance to legitimate defenders. We study Defensive Refusal Bias -- the tendency of safety-tuned frontier LLMs to refuse assistance for authorized defensive cybersecurity tasks when those tasks include similar language to an offensive cyber task. Based on 2,390 real-world examples from the National Collegiate Cyber Defense Competition (NCCDC), we find that LLMs refuse defensive requests containing security-sensitive keywords at $2.72\times$ the rate of semantically equivalent neutral requests ($p < 0.001$). The highest refusal rates occur in the most operationally critical tasks: system hardening (43.8%) and malware analysis (34.3%). Interestingly, explicit authorization, where the user directly instructs the model that they have authority to complete the target task, increases refusal rates, suggesting models interpret justifications as adversarial rather than exculpatory. These findings are urgent for interactive use and critical for autonomous defensive agents, which cannot rephrase refused queries or retry. Our findings suggest that current LLM cybersecurity alignment relies on semantic similarity to harmful content rather than reasoning about intent or authorization. We call for mitigations that analyze intent to maximize defensive capabilities while still preventing harmful compliance.

Defensive Refusal Bias: How Safety Alignment Fails Cyber Defenders

TL;DR

The findings suggest that current LLM cybersecurity alignment relies on semantic similarity to harmful content rather than reasoning about intent or authorization, and calls for mitigations that analyze intent to maximize defensive capabilities while still preventing harmful compliance.

Abstract

Safety alignment in large language models (LLMs), particularly for cybersecurity tasks, primarily focuses on preventing misuse. While this approach reduces direct harm, it obscures a complementary failure mode: denial of assistance to legitimate defenders. We study Defensive Refusal Bias -- the tendency of safety-tuned frontier LLMs to refuse assistance for authorized defensive cybersecurity tasks when those tasks include similar language to an offensive cyber task. Based on 2,390 real-world examples from the National Collegiate Cyber Defense Competition (NCCDC), we find that LLMs refuse defensive requests containing security-sensitive keywords at the rate of semantically equivalent neutral requests (). The highest refusal rates occur in the most operationally critical tasks: system hardening (43.8%) and malware analysis (34.3%). Interestingly, explicit authorization, where the user directly instructs the model that they have authority to complete the target task, increases refusal rates, suggesting models interpret justifications as adversarial rather than exculpatory. These findings are urgent for interactive use and critical for autonomous defensive agents, which cannot rephrase refused queries or retry. Our findings suggest that current LLM cybersecurity alignment relies on semantic similarity to harmful content rather than reasoning about intent or authorization. We call for mitigations that analyze intent to maximize defensive capabilities while still preventing harmful compliance.
Paper Structure (42 sections, 4 figures, 1 table)

This paper contains 42 sections, 4 figures, 1 table.

Table of Contents

  1. Introduction
  2. Related Work
  3. Experimental Setup
  4. Dataset: NCCDC Competition Interactions
  5. Refusal Detection
  6. Annotation Dimensions
  7. Statistical Methods
  8. Results
  9. Overall Refusal Rates
  10. Terminology Related to Offensive Attacks Drives Refusals
  11. Authorization Signals Backfire
  12. Critical Tasks Experience Highest Refusals
  13. Semantic Analysis: What Triggers Refusals?
  14. Discussion
  15. Semantic Similarity vs. Intent Understanding
  16. ...and 27 more sections

Figures (4)

  • Figure 1: Defensive Refusal Bias at a Glance. Cybersecurity defenders and attackers use identical terminology, so safety-tuned LLMs refuse both, correctly blocking attackers while incorrectly denying legitimate defenders. Prompts containing offensive terminology (e.g., "exploit," "payload") and explicit authorization signals (e.g., "I'm on the blue team") are more likely to be refused. The most operationally critical tasks (system hardening, malware analysis, vulnerability assessment) experience the highest denial rates. All 2,390 prompts originate from a real-world cyber defense competition.
  • Figure 2: Analysis of refusal behavior across (a) terms related to offensive tasks, and (b) models.
  • Figure 3: Impact of authorization signals and task categories on model refusal behavior.
  • Figure 4: Refused prompts cluster in embedding space. Among refused prompts, 32.7% of 10-nearest neighbors are also refused versus 12.3% base rate ($p < 10^{-16}$, binomial test). This concentration, combined with high refusal prediction accuracy from embeddings alone (AUC = 0.827), suggests models learn a harm-adjacent decision boundary that captures legitimate defensive prompts.