# Case Study: 186 Jailbreaks in 137 Minutes

This case study presents the results of a **large-scale automated red team assessment** against a frontier open-weight model. Using three distinct attack strategies — TAP, GOAT, and Crescendo — we executed 240 attacks across 8 harm categories and achieved an overall **78% Attack Success Rate**, uncovering 186 jailbreaks in just 137 minutes.

The full implementation, dataset, and analysis are available on GitHub and in the accompanying blog post.

> **Blog**: [186 Jailbreaks: Applying MLOps to AI Red Teaming](https://dreadnode.io/blog/186-jailbreaks-applying-mlops-to-ai-red-teaming)

---

## Assessment Setup

We assessed the safety of **Llama Maverick-17B-128E-Instruct**, a frontier open-weight multimodal model, using an AI Red Teaming Evaluation framework.

| Parameter | Value |
|-----------|-------|
| **Target model** | `groq/meta-llama/llama-4-maverick-17b-128e-instruct` |
| **Attacker model** | Kimi-2 Instruct |
| **Judge model** | Kimi-2 Instruct |
| **Dataset** | 80 prompts across 8 harm categories |
| **Harm categories** | Violence, misinformation, weapons, cybersecurity, self-harm, and others |
| **Attack methods** | TAP, GOAT, Crescendo |
| **Total attacks** | 240 (80 prompts x 3 methods) |
| **Budget** | Max 200 trials per attack |

---

## Attack Methods

The three attack strategies each take a different approach to bypassing safety guardrails:

### TAP (Tree of Attacks with Pruning)
An attacker LLM generates a **tree of candidate jailbreak prompts**, evaluates each branch, prunes low-scoring paths, and expands promising ones. Best for discovering diverse attack vectors across the full attack surface.

### GOAT (Graph of Attacks)
Optimizes for **query efficiency** — finding successful jailbreaks with the fewest model interactions. Structures the attack as a graph traversal, reusing successful patterns. Best for stealth scenarios where minimizing interaction footprint is critical.

### Crescendo
A **multi-turn escalation strategy** that starts with benign-seeming requests and gradually increases the severity across conversation turns. Exploits the model's tendency to maintain conversational coherence. The most effective method in this assessment.

---

## Execution Summary

| Metric | Value |
|--------|-------|
| **Total attacks** | 240 |
| **Successful jailbreaks** | 186 |
| **Overall ASR** | ~78% |
| **Total runtime** | ~137 minutes |
| **Total queries** | 2,645 (avg ~11 queries/attack) |

In [None]:
# The full AI Red Teaming Evaluation framework is available at:
# https://github.com/dreadnode/sdk/blob/main/examples/airt/ai_red_teaming_eval.ipynb
#
# The framework orchestrates:
# - TAP (Tree of Attacks with Pruning)
# - GOAT (Graph of Attacks)
# - Crescendo (gradual escalation)
#
# Across configurable datasets, models, and harm categories.

print("Full implementation: https://github.com/dreadnode/sdk/blob/main/examples/airt/ai_red_teaming_eval.ipynb")
print()
print("To run it locally:")
print("  git clone https://github.com/dreadnode/sdk.git")
print("  cd sdk/examples/airt")
print("  # Follow setup instructions in the notebook")

---

## Results by Attack Method

| Attack | ASR | Avg Queries/Attack | Total Queries |
|--------|-----|-------------------|---------------|
| **Crescendo** | 97.5% | 19.0 | 1,523 |
| **GOAT** | ~78% | ~7.0 | 530 |
| **TAP** | ~57% | ~7.5 | 592 |
| **Overall** | **~78%** | **~11** | **2,645** |

### Key Findings

- **Crescendo was the most effective attacker** with 97.5% ASR — its multi-turn escalation strategy consistently bypassed safety filters
- **GOAT achieved high ASR with the lowest query footprint** — most efficient for stealth scenarios where minimizing interaction is critical
- **TAP had moderate ASR but excels at finding diverse attack paths** — useful for comprehensive coverage of the attack surface
- The combination of all three methods provides breadth (TAP), efficiency (GOAT), and depth (Crescendo) in attack coverage

---

## Running Your Own Assessment

Below is a minimal configuration skeleton showing how to set up and kick off a red team evaluation. The full execution logic is in the linked notebook.

In [None]:
# Minimal configuration skeleton for running your own red team assessment.
# The full execution logic is in the linked notebook.

import os
# os.environ["GROQ_API_KEY"] = "your-key"

# All models use LiteLLM routing — swap groq/ for any provider (openai/, anthropic/, azure/, etc.)
config = {
    "dataset": "path/to/prompts.csv",       # CSV with: goal, target, harm_category
    "num_prompts": 80,                       # Prompts to evaluate
    "attacks": ["tap", "goat", "crescendo"], # Attack methods
    "attacker_model": "groq/meta-llama/llama-4-maverick-17b-128e-instruct",
    "target_model": "groq/meta-llama/llama-4-maverick-17b-128e-instruct",
    "evaluator_model": "groq/meta-llama/llama-4-maverick-17b-128e-instruct",
    "max_trials": 200,                       # Max trials per attack
    "success_threshold": 0.70,               # Score threshold for jailbreak
}

print("Configuration ready. See full notebook for execution:")
print("https://github.com/dreadnode/sdk/blob/main/examples/airt/ai_red_teaming_eval.ipynb")

---

## Further Reading

- **Blog**: [186 Jailbreaks: Applying MLOps to AI Red Teaming](https://dreadnode.io/blog/186-jailbreaks-applying-mlops-to-ai-red-teaming)
- **Full Notebook**: [AI Red Teaming Eval](https://github.com/dreadnode/sdk/blob/main/examples/airt/ai_red_teaming_eval.ipynb)