Automatic Metrics + Red Team Papers

Researcher Quick Triage

This hub is best used for protocol triage and replication planning from abstract-level evidence. Quality band: Medium .

• 5 papers are replication-ready (benchmark + metric + explicit evaluation mode).
• 0 papers support judge-vs-human agreement analysis.
• 0 papers report explicit quality controls (calibration/adjudication/IAA).

Primary action: Start with the top 2 papers in “Start Here”, then validate assumptions in the protocol matrix.

Why This Matters For Eval Research

• 100% of papers report explicit human-feedback signals, led by red-team protocols.
• automatic metrics appears in 100% of papers in this hub.
• AdvBench is a recurring benchmark anchor for cross-paper comparisons in this page.

Protocol Takeaways

• Quality-control reporting is sparse in this slice; prioritize papers with explicit calibration or adjudication steps.
• Rater context is mostly domain experts, and annotation is commonly trajectory-level annotation; use this to scope replication staffing.
• Stratify by benchmark (AdvBench vs DROP) before comparing methods.

Benchmark Interpretation

• AdvBench appears in 4.8% of hub papers (1/21); use this cohort for benchmark-matched comparisons.
• DROP appears in 4.8% of hub papers (1/21); use this cohort for benchmark-matched comparisons.

Metric Interpretation

• jailbreak success rate is reported in 33.3% of hub papers (7/21); compare with a secondary metric before ranking methods.
• success rate is reported in 28.6% of hub papers (6/21); compare with a secondary metric before ranking methods.

Start Here (Best First 6)

Ranked for protocol completeness (human signal, benchmark + metric anchors, quality controls, and judge/human overlap).

• TraceSafe: A Systematic Assessment of LLM Guardrails on Multi-Step Tool-Calling Trajectories

  Apr 8, 2026 · Citations: 0 · Score: 8.0

  HF: Red Team · Eval: Automatic Metrics · Benchmark: Tracesafe Bench · Metric: Accuracy

• SemEval-2026 Task 6: CLARITY -- Unmasking Political Question Evasions

  Mar 14, 2026 · Citations: 0 · Score: 8.0

  HF: Red Team · Eval: Automatic Metrics · Benchmark: Semeval · Metric: F1

• RedTeamCUA: Realistic Adversarial Testing of Computer-Use Agents in Hybrid Web-OS Environments

  May 28, 2025 · Citations: 0 · Score: 6.5

  HF: Red Team · Eval: Automatic Metrics · Benchmark: Rtc Bench · Metric: Jailbreak success rate

• A Simple and Efficient Jailbreak Method Exploiting LLMs' Helpfulness

  Sep 17, 2025 · Citations: 0 · Score: 6.5

  HF: Red Team · Eval: Automatic Metrics · Benchmark: AdvBench · Metric: Helpfulness

• Dyslexify: A Mechanistic Defense Against Typographic Attacks in CLIP

  Aug 28, 2025 · Citations: 0 · Score: 6.5

  HF: Red Team · Eval: Automatic Metrics · Benchmark: DROP · Metric: Accuracy

• Exposing Long-Tail Safety Failures in Large Language Models through Efficient Diverse Response Sampling

  Mar 15, 2026 · Citations: 0 · Score: 6.0

  HF: Red Team · Eval: Automatic Metrics · Benchmark: Not Reported · Metric: Cost

Protocol Matrix (Top 12)

Use this to quickly compare protocol ingredients instead of scanning long prose.

Protocol Diff (Top Papers)

Fast side-by-side comparison for the highest-ranked papers in this hub.

Top Papers

• TraceSafe: A Systematic Assessment of LLM Guardrails on Multi-Step Tool-Calling Trajectories

  Yen-Shan Chen, Sian-Yao Huang, Cheng-Lin Yang, Yun-Nung Chen · Apr 8, 2026 · Citations: 0

  Red Team Automatic Metrics Long Horizon

  As large language models (LLMs) evolve from static chatbots into autonomous agents, the primary vulnerability surface shifts from final outputs to intermediate execution traces.

• RedTeamCUA: Realistic Adversarial Testing of Computer-Use Agents in Hybrid Web-OS Environments

  Zeyi Liao, Jaylen Jones, Linxi Jiang, Yuting Ning, Eric Fosler-Lussier · May 28, 2025 · Citations: 0

  Red Team Automatic Metrics Web Browsing

  Using RedTeamCUA, we develop RTC-Bench, a comprehensive benchmark with 864 examples that investigate realistic, hybrid web-OS attack scenarios and fundamental security vulnerabilities.

• SemEval-2026 Task 6: CLARITY -- Unmasking Political Question Evasions

  Konstantinos Thomas, Giorgos Filandrianos, Maria Lymperaiou, Chrysoula Zerva, Giorgos Stamou · Mar 14, 2026 · Citations: 0

  Red Team Automatic Metrics

  The benchmark is constructed from U.S.

• WebWeaver: Breaking Topology Confidentiality in LLM Multi-Agent Systems with Stealthy Context-Based Inference

  Zixun Xiong, Gaoyi Wu, Lingfeng Yao, Miao Pan, Xiaojiang Du · Mar 11, 2026 · Citations: 0

  Red Team Automatic Metrics Multi Agent

  Communication topology is a critical factor in the utility and safety of LLM-based multi-agent systems (LLM-MAS), making it a high-value intellectual property (IP) whose confidentiality remains insufficiently studied.

• MUSE: A Run-Centric Platform for Multimodal Unified Safety Evaluation of Large Language Models

  Zhongxi Wang, Yueqian Lin, Jingyang Zhang, Hai Helen Li, Yiran Chen · Mar 3, 2026 · Citations: 0

  Red Team Automatic Metrics Web Browsing

  Safety evaluation and red-teaming of large language models remain predominantly text-centric, and existing frameworks lack the infrastructure to systematically test whether alignment generalizes to audio, image, and video inputs.

• What Matters For Safety Alignment?

  Xing Li, Hui-Ling Zhen, Lihao Yin, Xianzhi Yu, Zhenhua Dong · Jan 7, 2026 · Citations: 0

  Red Team Automatic Metrics Tool Use

  This paper presents a comprehensive empirical study on the safety alignment capabilities.

• A Simple and Efficient Jailbreak Method Exploiting LLMs' Helpfulness

  Xuan Luo, Yue Wang, Zefeng He, Geng Tu, Jing Li · Sep 17, 2025 · Citations: 0

  Red Team Automatic Metrics

  This study reveals a critical safety blind spot in modern LLMs: learning-style queries, which closely resemble ordinary educational questions, can reliably elicit harmful responses.

• Dyslexify: A Mechanistic Defense Against Typographic Attacks in CLIP

  Lorenz Hufe, Constantin Venhoff, Erblina Purelku, Maximilian Dreyer, Sebastian Lapuschkin · Aug 28, 2025 · Citations: 0

  Red Team Automatic Metrics

  These models serve as suitable drop-in replacements for a broad range of safety-critical applications, where the risks of text-based manipulation outweigh the utility of text recognition.

• Beyond Single-Turn: A Survey on Multi-Turn Interactions with Large Language Models

  Yubo Li, Xiaobin Shen, Xinyu Yao, Xueying Ding, Yidi Miao · Apr 7, 2025 · Citations: 0

  Red Team Automatic Metrics

  We organize existing benchmarks and datasets into coherent categories reflecting the evolving landscape of multi-turn dialogue evaluation, and review a broad spectrum of enhancement methodologies, including model-centric strategies…

• Exposing Long-Tail Safety Failures in Large Language Models through Efficient Diverse Response Sampling

  Suvadeep Hajra, Palash Nandi, Tanmoy Chakraborty · Mar 15, 2026 · Citations: 0

  Red Team Automatic Metrics

  While most red-teaming work emphasizes adversarial prompt search (input-space optimization), we show that safety failures can also be systematically exposed through diverse response generation (output-space exploration) for a fixed…

• IH-Challenge: A Training Dataset to Improve Instruction Hierarchy on Frontier LLMs

  Chuan Guo, Juan Felipe Ceron Uribe, Sicheng Zhu, Christopher A. Choquette-Choo, Steph Lin · Mar 11, 2026 · Citations: 0

  Red Team Automatic Metrics

  IH is key to defending against jailbreaks, system prompt extractions, and agentic prompt injections.

• Can Safety Emerge from Weak Supervision? A Systematic Analysis of Small Language Models

  Punyajoy Saha, Sudipta Halder, Debjyoti Mondal, Subhadarshi Panda · Mar 7, 2026 · Citations: 0

  Pairwise PreferenceRed Team Automatic Metrics

  Safety alignment is critical for deploying large language models (LLMs) in real-world applications, yet most existing approaches rely on large human-annotated datasets and static red-teaming benchmarks that are costly, difficult to scale,…

• Obscure but Effective: Classical Chinese Jailbreak Prompt Optimization via Bio-Inspired Search

  Xun Huang, Simeng Qin, Xiaoshuang Jia, Ranjie Duan, Huanqian Yan · Feb 26, 2026 · Citations: 0

  Red Team Automatic Metrics

  Owing to its conciseness and obscurity, classical Chinese can partially bypass existing safety constraints, exposing notable vulnerabilities in LLMs.

• MANATEE: Inference-Time Lightweight Diffusion Based Safety Defense for LLMs

  Chun Yan Ryan Kan, Tommy Tran, Vedant Yadav, Ava Cai, Kevin Zhu · Feb 21, 2026 · Citations: 0

  Red Team Automatic Metrics

  We propose MANATEE, an inference-time defense that uses density estimation over a benign representation manifold.

• FENCE: A Financial and Multimodal Jailbreak Detection Dataset

  Mirae Kim, Seonghun Jeong, Youngjun Kwak · Feb 20, 2026 · Citations: 0

  Red Team Automatic Metrics

  A baseline detector trained on FENCE achieves 99 percent in-distribution accuracy and maintains strong performance on external benchmarks, underscoring the dataset's robustness for training reliable detection models.

• Reasoning Up the Instruction Ladder for Controllable Language Models

  Zishuo Zheng, Vidhisha Balachandran, Chan Young Park, Faeze Brahman, Sachin Kumar · Oct 30, 2025 · Citations: 0

  Red Team Automatic Metrics

  Our finetuned models achieve consistent improvements on instruction following and instruction hierarchy benchmarks, achieving roughly a 20% improvement on the IHEval conflict setup.

• RECAP: Reproducing Copyrighted Data from LLMs Training with an Agentic Pipeline

  André V. Duarte, Xuying li, Bin Zeng, Arlindo L. Oliveira, Lei Li · Oct 29, 2025 · Citations: 0

  Red Team Automatic Metrics

  As such, we propose RECAP, an agentic pipeline designed to elicit and verify memorized training data from LLM outputs.

• DiffuGuard: How Intrinsic Safety is Lost and Found in Diffusion Large Language Models

  Zherui Li, Zheng Nie, Zhenhong Zhou, Yue Liu, Yitong Zhang · Sep 29, 2025 · Citations: 0

  Red Team Automatic Metrics

  Experimental results reveal a harmful bias inherent in the standard greedy remasking strategy and identify a critical phenomenon we term Denoising-path Dependence, where the safety of early-stage tokens decisively influences the final…

• Optimus: A Robust Defense Framework for Mitigating Toxicity while Fine-Tuning Conversational AI

  Aravind Cheruvu, Shravya Kanchi, Sifat Muhammad Abdullah, Nicholas Kong, Daphne Yao · Jul 8, 2025 · Citations: 0

  Pairwise PreferenceRed Team Automatic Metrics

  Optimus integrates a training-free toxicity classification scheme that repurposes the safety alignment of commodity LLMs, and employs a dual-strategy alignment process combining synthetic "healing data" with Direct Preference Optimization…

• When Style Breaks Safety: Defending LLMs Against Superficial Style Alignment

  Yuxin Xiao, Sana Tonekaboni, Walter Gerych, Vinith Suriyakumar, Marzyeh Ghassemi · Jun 9, 2025 · Citations: 0

  Red Team Automatic Metrics

  In this work, we seek to understand whether style patterns compromise LLM safety, how superficial style alignment increases model vulnerability, and how best to mitigate these risks during alignment.

• A Systematic Review of Algorithmic Red Teaming Methodologies for Assurance and Security of AI Applications

  Shruti Srivastava, Kiranmayee Janardhan, Shaurya Jauhari · Feb 24, 2026 · Citations: 0

  Red Team Automatic Metrics

  These limitations have driven the evolution toward auto-mated red teaming, which leverages artificial intelligence and automation to deliver efficient and adaptive security evaluations.

Related Hubs

• Red Team Papers Hub
• Automatic Metrics + General + Red Team Papers Hub
• Red Team Or Rlaif Or Synthetic Feedback Papers Hub
• Critique Edit Or Red Team Papers Hub
• Demonstrations Or Red Team Papers Hub
• Red Team Or Rubric Rating Papers Hub