ShortSpan.ai logo Home

RedTWIZ Exposes LLM Jailbreaks with Adaptive Planner

Pentesting
Published: Thu, Oct 09, 2025 • By Clara Nyx
RedTWIZ Exposes LLM Jailbreaks with Adaptive Planner
RedTWIZ is an adaptive, multi-turn red teaming framework that systematically probes Large Language Model (LLM) safety. The authors show multi-turn, goal-oriented jailbreaks can coax state-of-the-art models to produce unsafe code and explanations. Their hierarchical planner and diverse attack suite outperform naive approaches, exposing gaps in guardrails for AI-assisted software development.

Large Language Model (LLM) safety is no longer about blocking single bad prompts. RedTWIZ, the framework under review, treats red teaming as a conversation that adapts to the target. It combines a systematic jailbreak assessment, a library of realistic multi-turn attacks, and a hierarchical planner that chooses which attacks to use and when. The result is not theatrical. It is practical and effective at revealing weaknesses in models used for software development tasks.

What RedTWIZ does

The framework has three linked parts. First, an automated multi-turn jailbreak assessment that avoids heavy manual labelling. Second, a diverse attack suite that includes strategies labelled Utility Poisoning, Coding Attacks such as Code Completion and Code Translation, MRT Ferret, RedTreez and Red-DAT. These are built to be compositional and goal oriented, so an attacker can chain them in realistic dialogues. Third, a hierarchical planner drives the attack selection. The paper evaluates several planners including Round Robin, Epsilon Greedy, Upper Confidence Bound and Thompson Sampling. Adaptive planners outperformed naive round robin, with Upper Confidence Bound giving balanced coverage and stable performance across defender models.

The authors also built a RedTWIZ Arena, a modular benchmarking environment, and trained Jailbreak Judges to score safety violations in real time. Judges come in three flavours: Zero Shot, SFT Encoder and SFT Decoder. Their behaviour differs. Some encoder-based judges tended to over predict unsafe content, while certain zero shot judges had high recall but low precision on malicious code detection. The work compares defender models too, noting, for example, that a LLaMA 3.3 70B base model achieved high recall but low precision on a zero shot malicious code task, and that a LLaMA 3.1 8B Instruct model tuned with LoRA offered a better precision-accuracy trade off for tournament use.

Why defenders should care

The headline finding is simple and uncomfortable. Multi-turn adversarial strategies can steer even safety-oriented models into producing unsafe outputs, including malicious code or detailed harmful explanations. Some attack variants, such as Red-DAT and MRT Ferret, show promise in producing transferable steering policies that work across different goals and models. RedTreez illustrates another subtle point: narrative tone and framing can change refusal behaviour, which matters when guardrails rely on style or surface cues.

The paper is candid about limits. Experiments run in a controlled arena against a selected set of defenders, and some datasets show imbalance. Judges can overpredict, and offline evaluation only approximates live deployments. The authors also stress responsible disclosure given the dual use of sophisticated red teaming.

Practical takeaways for security teams: don’t assume single-prompt tests are enough. Run multi-turn, adaptive red teams that try chained strategies, and evaluate detectors across multiple styles to avoid blind spots. Concrete actions: 1) add an adaptive, multi-turn red teaming phase to sanctioned testing cycles to uncover steering and transfer risks, and 2) evaluate detection models using diverse judge architectures and adversary planners rather than a single metric. That will not fix everything, but it makes the emperor a lot harder to fool.

Additional analysis of the original ArXiv paper

📋 Original Paper Title and Abstract

RedTWIZ: Diverse LLM Red Teaming via Adaptive Attack Planning

Authors: Artur Horal, Daniel Pina, Henrique Paz, Iago Paulo, João Soares, Rafael Ferreira, Diogo Tavares, Diogo Glória-Silva, João Magalhães, and David Semedo
This paper presents the vision, scientific contributions, and technical details of RedTWIZ: an adaptive and diverse multi-turn red teaming framework, to audit the robustness of Large Language Models (LLMs) in AI-assisted software development. Our work is driven by three major research streams: (1) robust and systematic assessment of LLM conversational jailbreaks; (2) a diverse generative multi-turn attack suite, supporting compositional, realistic and goal-oriented jailbreak conversational strategies; and (3) a hierarchical attack planner, which adaptively plans, serializes, and triggers attacks tailored to specific LLM's vulnerabilities. Together, these contributions form a unified framework -- combining assessment, attack generation, and strategic planning -- to comprehensively evaluate and expose weaknesses in LLMs' robustness. Extensive evaluation is conducted to systematically assess and analyze the performance of the overall system and each component. Experimental results demonstrate that our multi-turn adversarial attack strategies can successfully lead state-of-the-art LLMs to produce unsafe generations, highlighting the pressing need for more research into enhancing LLM's robustness.

🔍 ShortSpan Analysis of the Paper

Problem

The paper presents RedTWIZ, a framework for adaptive and diverse red teaming of large language models in the context of AI assisted software development. It addresses the need to robustly assess LLM safety by systematically probing conversational jailbreaks, generating a wide range of realistic multi turn jailbreak strategies, and planning adaptive attack sequences tailored to specific model vulnerabilities. The work argues that state of the art LLMs remain susceptible to sophisticated, interactive attacks, underscoring gaps in guardrails and the urgency of stronger mitigations. It also highlights societal and security implications, showing how advanced red teaming can reveal unsafe model behaviours and stressing the importance of robust controls to reduce risk in AI guided development environments.

Approach

RedTWIZ combines three linked strands: first, a robust and systematic jailbreak assessment that operates in multi turn conversations without heavy manual annotation; second, a diverse multi turn attack suite that supports compositional and goal oriented strategies including prompt based repurposing and adaptive, evolving conversations; and third, a hierarchical attack planner that adaptively schedules attacks and target goals according to the defender model’s vulnerabilities. The framework is embodied in the RedTWIZ Arena, a modular benchmarking platform enabling offline and online testing, with LLM based Jailbreak Judges providing real time scoring to inform the planner. The architecture integrates an automated assessment module, a library of attack strategies, and a planning component to enable realistic red teaming in scenarios such as code generation and cyber security tasks.

Key Findings

  • Extensive evaluation shows that multi turn adversarial strategies can drive even safety oriented models to produce unsafe or vulnerable outputs, emphasising the need for more robust, context aware mitigations.
  • The Jailbreak Judges are implemented in three styles: Zero Shot, SFT Encoder and SFT Decoder, trained to detect safety violations in Malicious Code and Malicious Explanation categories, with results indicating strong recall for some models (for Malicious Code) and a tendency to over predict unsafe content for encoder based judges in certain settings.
  • In practice the LLaMA 3.3 70B base model in a zero shot Malicious Code task achieved high recall but low precision, while LLaMA 3.1 8B Instruct tuned with LoRA achieved the best precision and overall accuracy among the tested models for that task, making it preferable for tournament use. For Malicious Explanations, zero shot LLaMA 3.3 70B also performed best overall, whereas other models showed trade offs between precision and recall.
  • RedTWIZ embeds several attack strategies including Utility Poisoning, Coding Attacks (Code Completion and Code Translation), MRT Ferret, RedTreez and Red-DAT, each designed to reveal different defender weaknesses and to test guard rails under realistic dialogue dynamics.
  • Hierarchical planning using multiple planners (Round Robin, Epsilon Greedy, Upper Confidence Bound and Thompson Sampling) demonstrates that adaptive planners significantly outperform naive round robin in overall success rates, with UCB offering a balanced coverage of strategies and sustained performance across different defender models.
  • Red-DAT and MRT Ferret show particular promise in generating transferable attacker strategies and steering policies that improve elicitation of unsafe outputs, while RedTreez highlights how narrative tone can affect defender refusals and outcomes, informing defence design even when certain attacker styles are out of distribution.
  • Generalisation experiments indicate that steering policies trained in one setting can improve performance on unseen malicious goals, suggesting potential for simulation driven defence enhancement across evolving threat landscapes.

Limitations

The study acknowledges its evaluation within a controlled red teaming arena and with a selected set of defender models, which may limit generalisation to broader real world deployments. Some judges, notably encoder based detectors, tended to over predict unsafe content, limiting their tournament use. Dataset imbalances in Malicious Explanation data and the reliance on offline datasets pose potential threats to external validity. The research also emphasizes the need for responsible disclosure and ethical considerations given the dual use potential of advanced red teaming techniques.

Why It Matters

RedTWIZ provides a practical, scalable framework for systematically probing LLM safety through automated jailbreak assessment, diverse adversarial prompts, and adaptive planning. Its hierarchical planner optimises the allocation of attack resources while sustaining coverage across a wide attack surface, enabling threat modelling and informing defence design. The demonstrated ability to reveal unsafe model behaviours across multiple defender architectures underscores the imperative for stronger alignment, more context aware guardrails, and robust, transferable mitigations in AI assisted software development. The framework also highlights ethical considerations and the value of confidential, sanctioned red teaming to support responsible disclosure and resilience enhancement in real world AI systems.

Attribution Original paper on arXiv
← Back to Latest