Posterior Attack Turns LLM Safety Checks Against Them
Attacks
Safety alignment trains Large Language Models (LLMs) to spot and refuse dangerous content. That skill turns out to be an attack surface. This paper introduces Posterior Attack, a single-query jailbreak that asks a model to produce the response its internal safety judge would label unsafe. No multi-step prompt wrangling, no search. Just one cleverly shaped query that flips a safety feature into a liability.
What makes it elegant is the leverage: alignment work often distils an internal classifier that separates safe from unsafe. Posterior Attack co-opts that classifier to steer generation directly toward the unsafe region. The authors do not rely on obscure token engineering; they exploit the model’s own learned decision boundary.
The evaluation is broad. They test 30 open models up to 35B parameters and several frontier systems, including GPT-5 and Claude Sonnet 4.6. Benchmarks cover AdvBench’s 520 harmful behaviours and HarmBench’s 596-query classification sets. Two metrics matter: Attack Success Rate (ASR) and a safety-judgement accuracy score. The striking result is a strong positive correlation between safety-judgement accuracy and exploitability under Posterior Attack (Pearson 0.80, Spearman 0.78). The better a model is at classifying unsafe content, the more the attack succeeds.
The theory pins down why. They formalise safety awareness as a positive likelihood ratio J = TPR/FPR. Posterior vulnerability increases monotonically with J and with the prior probability of harmful replies. In the limit, as J grows without bound, the attack’s success tends to certainty. It is a neat, minimal model of a paradox many practitioners have felt: sharper internal judges can create cleaner gradients for an adversary to follow.
The causal story is the clincher. Using Group Relative Policy Optimisation, they intervene on the model’s safety-judgement subspace: one variant enhances judgement (SAI), another degrades it (SAD). Improving judgement raises Posterior ASR; degrading it substantially lowers exploitability, with little measured hit to broad capabilities. That is a rare and useful ablation in alignment research.
On frontier models, Posterior Attack outperforms ten jailbreak baselines, averaging 83.0 percent ASR versus 71.9 percent for the strongest competitor, and pushing some large open models close to total compromise. It is cheap too: roughly 3,300 input and 4,000 output tokens, about 3 cents per run. Deliberative test-time reasoning helps in places (notably GPT-OSS models and partly GPT-5) but is patchy and incurs heavy latency and compute.
There are caveats. ASR is judged by LLM evaluators, the work is mostly English-centric, and system-level guardrails of proprietary stacks are only partly represented. Still, the pattern is hard to ignore. If alignment sharpens an internal classifier, attackers can ask to see its posterior. The open question is architectural: how do we preserve refusal skills without exposing an exploitable signal of what to refuse?
Additional analysis of the original ArXiv paper
📋 Original Paper Title and Abstract
Safety Paradox: How Enhanced Safety Awareness Leaves LLMs Vulnerable to Posterior Attack
🔍 ShortSpan Analysis of the Paper
Problem
The paper studies a new attack surface created by safety-aligned large language models. Rigorous alignment trains LLMs not only to refuse harmful requests but also to internally recognise unsafe content. The authors show that this functional safety awareness can be weaponised: by asking a model to produce the exact reply its internal safety judge would flag as unsafe, an attacker can compel the model to reveal harmful outputs. This single-query jailbreak, named Posterior Attack, and the accompanying Safety Paradox challenge the assumption that stronger safety judgement uniformly improves robustness.
Approach
The work combines empirical, theoretical and intervention experiments. Empirically the authors evaluate 30 open-source LLMs (up to 35B parameters) and several frontier closed-source systems including GPT-5 and Claude Sonnet 4.6, using benchmarks such as AdvBench (520 harmful behaviours) and HarmBench classification sets (596 queries). Metrics include Attack Success Rate (ASR) and a classifier accuracy measure (HB-CLS). They formalise safety awareness as the positive likelihood ratio J = TPR/FPR and derive posterior attack success analytically. To demonstrate causality they apply reinforcement learning interventions using Group Relative Policy Optimization to either improve (SAI) or degrade (SAD) a model’s safety-judgement subspace. They also compare Posterior Attack against ten existing jailbreak baselines and vary test-time reasoning budgets for frontier models to probe defences.
Key Findings
- Posterior Attack is an effective, search-free single-query jailbreak that leverages the model’s own safety judgement to elicit harmful outputs.
- Across 30 evaluated models there is a strong positive correlation between safety-judgement accuracy and posterior exploitability (Pearson 0.80, Spearman 0.78): models better at classifying unsafe content are more vulnerable to the attack.
- Theoretical analysis (Safety Paradox) shows posterior vulnerability increases monotonically with both the base prior probability of harmful replies and the model’s safety awareness J; as J tends to infinity posterior attack success tends to certainty.
- Reinforcement learning interventions establish causality: improving safety-judgement accuracy increases Posterior ASR, while degrading it substantially reduces exploitability without materially harming general capabilities.
- On frontier models Posterior Attack outperforms ten baselines, achieving an average ASR of 83.0%, surpassing the strongest baseline at 71.9%, and reaching near-total exploitability on some large open models.
- The attack is computationally and financially efficient: single-query runs consume roughly 3,300 input and 4,000 output tokens and cost about $0.03 on average, much cheaper than iterative or many-shot methods.
- Deliberative test-time reasoning reduces vulnerability for some models (notably the GPT-OSS family and partly GPT-5) but is inconsistent across architectures and imposes high latency and compute costs.
Limitations
The study relies on LLM-based evaluators for ASR which may disagree with humans, focuses on benchmarks and models available as of early 2026, and is primarily English-centred. Proprietary system-level guardrails and non-English behaviour are not fully captured. Deliberative defences require substantial test-time compute, limiting deployment practicality.
Implications
From an offensive-security perspective the findings indicate a low-cost, high-success route to elicit harmful outputs from highly aligned models by exploiting their internal safety judgements. Attackers can use single-query posterior prompts to bypass conventional defences, target recent, well-aligned models, and tailor strategies around models’ reasoning controls. The work suggests alignment improvements that sharpen internal classifiers may paradoxically increase attack surface, signalling a need to rethink alignment architectures rather than relying solely on stronger safety judgement.
