Automated Red-Teaming Framework for Large Language Model Security Assessment

Focus: This framework automates the discovery and testing of LLM vulnerabilities across six threat categories: reward hacking, deceptive alignment, data exfiltration, sandbagging, inappropriate tool use, and chain-of-thought manipulation. The meta-prompting attack synthesiser generates attacks that are specifically tailored to the model under test.

Key Insights

• Six-category threat model: By grounding the attack taxonomy in behavioural threat categories rather than syntactic jailbreak families, the framework surfaces vulnerabilities that generic jailbreak datasets miss — particularly deceptive alignment and sandbagging, which are behavioural rather than content-level failures.
• Meta-prompting synthesis: The attack generator reasons about the model’s instruction-following tendencies before crafting the attack, producing higher-fidelity adversarial inputs than template-based approaches.
• Chain-of-thought manipulation as a distinct threat: The explicit inclusion of CoT manipulation — causing the model to produce plausible-looking but incorrect reasoning chains — is particularly relevant to safety-critical applications where operators inspect the reasoning but not just the final output.

Failure-First Relevance

The six-category threat model directly extends the Failure-First labelling system. Sandbagging and deceptive alignment are behaviours that cannot be detected by output-only inspection, reinforcing the Failure-First methodology of testing both final outputs and latent continuation signals. The meta-prompting synthesis approach is a more principled form of the operator-generation step in the Failure-First attack evolution pipeline.