HFEPX Hub

Red Team Papers

Updated from current HFEPX corpus (Feb 27, 2026). 21 papers are grouped in this hub page. Common evaluation modes: Automatic Metrics, Simulation Env. Most common rater population: Domain Experts. Common annotation unit: Multi Dim Rubric. Frequently cited benchmark: AdvBench. Common metric signal: jailbreak success rate. Use this page to compare protocol setup, judge behavior, and labeling design decisions before running new eval experiments. Newest paper in this set is from Feb 24, 2026.

Papers: 21 Last published: Feb 24, 2026 Global RSS Tag RSS

Red Team

Research Narrative

Grounded narrative Model: deterministic-grounded Source: preview

Updated from current HFEPX corpus (Feb 27, 2026). This page tracks 21 papers for Red Team Papers. Dominant protocol signals include automatic metrics, simulation environments, with frequent benchmark focus on AdvBench, Jailbreakbench and metric focus on jailbreak success rate, success rate. Use the grounded sections below to prioritize reproducible protocol choices, benchmark-matched comparisons, and judge-vs-human evaluation checks.

Why This Matters For Eval Research

100% of papers report explicit human-feedback signals, led by red-team protocols.

Evidence: Alignment-Weighted DPO: A principled reasoning approach to improve safety alignment , A Systematic Review of Algorithmic Red Teaming Methodologies for Assurance and Security of AI Applications , SibylSense: Adaptive Rubric Learning via Memory Tuning and Adversarial Probing , Assessing Risks of Large Language Models in Mental Health Support: A Framework for Automated Clinical AI Red Teaming
automatic metrics appears in 90.5% of papers in this hub.

Evidence: Alignment-Weighted DPO: A principled reasoning approach to improve safety alignment , A Systematic Review of Algorithmic Red Teaming Methodologies for Assurance and Security of AI Applications , SibylSense: Adaptive Rubric Learning via Memory Tuning and Adversarial Probing , MANATEE: Inference-Time Lightweight Diffusion Based Safety Defense for LLMs
AdvBench is a recurring benchmark anchor for cross-paper comparisons in this page.

Evidence: A Simple and Efficient Jailbreak Method Exploiting LLMs' Helpfulness , Alignment-Weighted DPO: A principled reasoning approach to improve safety alignment , A Systematic Review of Algorithmic Red Teaming Methodologies for Assurance and Security of AI Applications , SibylSense: Adaptive Rubric Learning via Memory Tuning and Adversarial Probing

Protocol Takeaways

Quality-control reporting is sparse in this slice; prioritize papers with explicit calibration or adjudication steps.

Evidence: Alignment-Weighted DPO: A principled reasoning approach to improve safety alignment , A Systematic Review of Algorithmic Red Teaming Methodologies for Assurance and Security of AI Applications , SibylSense: Adaptive Rubric Learning via Memory Tuning and Adversarial Probing , Assessing Risks of Large Language Models in Mental Health Support: A Framework for Automated Clinical AI Red Teaming
Rater context is mostly domain experts, and annotation is commonly multi-dimensional rubrics; use this to scope replication staffing.

Evidence: SibylSense: Adaptive Rubric Learning via Memory Tuning and Adversarial Probing , Assessing Risks of Large Language Models in Mental Health Support: A Framework for Automated Clinical AI Red Teaming , Alignment-Weighted DPO: A principled reasoning approach to improve safety alignment , A Systematic Review of Algorithmic Red Teaming Methodologies for Assurance and Security of AI Applications
Stratify by benchmark (AdvBench vs Jailbreakbench) before comparing methods.

Evidence: Alignment-Weighted DPO: A principled reasoning approach to improve safety alignment , A Systematic Review of Algorithmic Red Teaming Methodologies for Assurance and Security of AI Applications , SibylSense: Adaptive Rubric Learning via Memory Tuning and Adversarial Probing , Assessing Risks of Large Language Models in Mental Health Support: A Framework for Automated Clinical AI Red Teaming

Benchmark Interpretation

AdvBench appears in 4.8% of hub papers (1/21); use this cohort for benchmark-matched comparisons.
Jailbreakbench appears in 4.8% of hub papers (1/21); use this cohort for benchmark-matched comparisons.

Metric Interpretation

jailbreak success rate is reported in 23.8% of hub papers (5/21); compare with a secondary metric before ranking methods.
success rate is reported in 19% of hub papers (4/21); compare with a secondary metric before ranking methods.

Researcher Checklist

Maintain strength on Papers with explicit human feedback. Coverage is strong (100% vs 45% target).
Close gap on Papers reporting quality controls. Coverage is a replication risk (0% vs 30% target).
Close gap on Papers naming benchmarks/datasets. Coverage is a replication risk (19% vs 35% target).
Maintain strength on Papers naming evaluation metrics. Coverage is strong (42.9% vs 35% target).
Close gap on Papers with known rater population. Coverage is a replication risk (9.5% vs 35% target).
Close gap on Papers with known annotation unit. Coverage is a replication risk (4.8% vs 35% target).

Papers with explicit human feedback

Coverage is strong (100% vs 45% target).

Papers reporting quality controls

Coverage is a replication risk (0% vs 30% target).

Papers naming benchmarks/datasets

Coverage is a replication risk (19% vs 35% target).

Papers naming evaluation metrics

Coverage is strong (42.9% vs 35% target).

Papers with known rater population

Coverage is a replication risk (9.5% vs 35% target).

Papers with known annotation unit

Coverage is a replication risk (4.8% vs 35% target).

Known Limitations

Only 0% of papers report quality controls; prioritize calibration/adjudication evidence.
Rater population is under-specified (9.5% coverage).
Narrative synthesis is grounded in metadata and abstracts only; full-paper implementation details are not parsed.

Research Utility Links

Benchmark Slice: AdvBench - Prioritizes benchmark-specific protocol comparisons.
Metric Slice: jailbreak success rate - Finds papers where reported metrics are directly comparable.
Recent High-Signal Papers - Keeps the hub connected to the latest HFEPX corpus updates.

automatic_metrics vs simulation_env

both=0, left_only=19, right_only=2

0 papers use both Automatic Metrics and Simulation Env.

Benchmark Brief

AdvBench

Coverage: 1 papers (4.8%)

1 papers (4.8%) mention AdvBench.

Examples: A Simple and Efficient Jailbreak Method Exploiting LLMs' Helpfulness

Benchmark Brief

Jailbreakbench

Coverage: 1 papers (4.8%)

1 papers (4.8%) mention Jailbreakbench.

Examples: Refusal Steering: Fine-grained Control over LLM Refusal Behaviour for Sensitive Topics

Benchmark Brief

Retrieval

Coverage: 1 papers (4.8%)

1 papers (4.8%) mention Retrieval.

Examples: Beyond Single-Turn: A Survey on Multi-Turn Interactions with Large Language Models

Metric Brief

jailbreak success rate

Coverage: 5 papers (23.8%)

5 papers (23.8%) mention jailbreak success rate.

Examples: MANATEE: Inference-Time Lightweight Diffusion Based Safety Defense for LLMs , What Matters For Safety Alignment? , Reasoning Up the Instruction Ladder for Controllable Language Models

Metric Brief

success rate

Coverage: 4 papers (19%)

4 papers (19%) mention success rate.

Examples: MANATEE: Inference-Time Lightweight Diffusion Based Safety Defense for LLMs , What Matters For Safety Alignment? , Reasoning Up the Instruction Ladder for Controllable Language Models

Metric Brief

helpfulness

Coverage: 2 papers (9.5%)

2 papers (9.5%) mention helpfulness.

Examples: A Simple and Efficient Jailbreak Method Exploiting LLMs' Helpfulness , Steering Dialogue Dynamics for Robustness against Multi-turn Jailbreaking Attacks

Most Cited In This Hub

Fast path to methods with the strongest citation traction in this scope.

Papers: Alignment-Weighted DPO: A principled reasoning approach to improve safety alignment , A Systematic Review of Algorithmic Red Teaming Methodologies for Assurance and Security of AI Applications , SibylSense: Adaptive Rubric Learning via Memory Tuning and Adversarial Probing

Most Recent

Fast path to latest protocol changes and newly published evaluation setups.

Best Protocol Detail

Papers with explicit rater/unit metadata and quality-control signals for reproducibility.

Top Papers

Alignment-Weighted DPO: A principled reasoning approach to improve safety alignment
Mengxuan Hu, Vivek V. Datla, Anoop Kumar, Zihan Guan, Sheng Li · Feb 24, 2026 · Citations: 0

Pairwise PreferenceRed Team Automatic Metrics

Recent advances in alignment techniques such as Supervised Fine-Tuning (SFT), Reinforcement Learning from Human Feedback (RLHF), and Direct Preference Optimization (DPO) have improved the safety of large language models (LLMs).
A Systematic Review of Algorithmic Red Teaming Methodologies for Assurance and Security of AI Applications
Shruti Srivastava, Kiranmayee Janardhan, Shaurya Jauhari · Feb 24, 2026 · Citations: 0

Red Team Automatic Metrics

These limitations have driven the evolution toward auto-mated red teaming, which leverages artificial intelligence and automation to deliver efficient and adaptive security evaluations.
SibylSense: Adaptive Rubric Learning via Memory Tuning and Adversarial Probing
Yifei Xu, Guilherme Potje, Shivam Shandilya, Tiancheng Yuan, Leonardo de Oliveira Nunes · Feb 24, 2026 · Citations: 0

Rubric RatingRed Team Automatic Metrics

Designing aligned and robust rewards for open-ended generation remains a key barrier to RL post-training.
Assessing Risks of Large Language Models in Mental Health Support: A Framework for Automated Clinical AI Red Teaming
Ian Steenstra, Paola Pedrelli, Weiyan Shi, Stacy Marsella, Timothy W. Bickmore · Feb 23, 2026 · Citations: 0

Red Team Simulation Env

Large Language Models (LLMs) are increasingly utilized for mental health support; however, current safety benchmarks often fail to detect the complex, longitudinal risks inherent in therapeutic dialogue.
MANATEE: Inference-Time Lightweight Diffusion Based Safety Defense for LLMs
Chun Yan Ryan Kan, Tommy Tran, Vedant Yadav, Ava Cai, Kevin Zhu · Feb 21, 2026 · Citations: 0

Red Team Automatic Metrics

Defending LLMs against adversarial jailbreak attacks remains an open challenge.
FENCE: A Financial and Multimodal Jailbreak Detection Dataset
Mirae Kim, Seonghun Jeong, Youngjun Kwak · Feb 20, 2026 · Citations: 0

Red Team Automatic Metrics

A baseline detector trained on FENCE achieves 99 percent in-distribution accuracy and maintains strong performance on external benchmarks, underscoring the dataset's robustness for training reliable detection models.
IndicJR: A Judge-Free Benchmark of Jailbreak Robustness in South Asian Languages
Priyaranjan Pattnayak, Sanchari Chowdhuri · Feb 18, 2026 · Citations: 0

Red Team Automatic Metrics

Safety alignment of large language models (LLMs) is mostly evaluated in English and contract-bound, leaving multilingual vulnerabilities understudied.
Helpful to a Fault: Measuring Illicit Assistance in Multi-Turn, Multilingual LLM Agents
Nivya Talokar, Ayush K Tarun, Murari Mandal, Maksym Andriushchenko, Antoine Bosselut · Feb 18, 2026 · Citations: 0

Red Team Automatic Metrics

LLM-based agents execute real-world workflows via tools and memory.
Intent Laundering: AI Safety Datasets Are Not What They Seem
Shahriar Golchin, Marc Wetter · Feb 17, 2026 · Citations: 0

Red Team Automatic Metrics

We systematically evaluate the quality of widely used AI safety datasets from two perspectives: in isolation and in practice.
Exposing the Systematic Vulnerability of Open-Weight Models to Prefill Attacks
Lukas Struppek, Adam Gleave, Kellin Pelrine · Feb 16, 2026 · Citations: 0

Red Team Automatic Metrics

As the capabilities of large language models continue to advance, so does their potential for misuse.
Jailbreaking Leaves a Trace: Understanding and Detecting Jailbreak Attacks from Internal Representations of Large Language Models
Sri Durga Sai Sowmya Kadali, Evangelos E. Papalexakis · Feb 12, 2026 · Citations: 0

Red Team Automatic Metrics

Jailbreaking large language models (LLMs) has emerged as a critical security challenge with the widespread deployment of conversational AI systems.
What Matters For Safety Alignment?
Xing Li, Hui-Ling Zhen, Lihao Yin, Xianzhi Yu, Zhenhua Dong · Jan 7, 2026 · Citations: 0

Red Team Automatic Metrics Tool Use

This paper presents a comprehensive empirical study on the safety alignment capabilities.
Refusal Steering: Fine-grained Control over LLM Refusal Behaviour for Sensitive Topics
Iker García-Ferrero, David Montero, Roman Orus · Dec 18, 2025 · Citations: 0

Red Team Automatic Metrics

We replace fragile pattern-based refusal detection with an LLM-as-a-judge that assigns refusal confidence scores and we propose a ridge-regularized variant to compute steering vectors that better isolate the refusal--compliance direction.
Reasoning Up the Instruction Ladder for Controllable Language Models
Zishuo Zheng, Vidhisha Balachandran, Chan Young Park, Faeze Brahman, Sachin Kumar · Oct 30, 2025 · Citations: 0

Red Team Automatic Metrics

Our finetuned models achieve consistent improvements on instruction following and instruction hierarchy benchmarks, achieving roughly a 20% improvement on the IHEval conflict setup.
A Simple and Efficient Jailbreak Method Exploiting LLMs' Helpfulness
Xuan Luo, Yue Wang, Zefeng He, Geng Tu, Jing Li · Sep 17, 2025 · Citations: 0

Red Team Automatic Metrics

This study reveals a critical safety blind spot in modern LLMs: learning-style queries, which closely resemble ordinary educational questions, can reliably elicit harmful responses.
Role-Aware Language Models for Secure and Contextualized Access Control in Organizations
Saeed Almheiri, Yerulan Kongrat, Adrian Santosh, Ruslan Tasmukhanov, Josemaria Loza Vera · Jul 31, 2025 · Citations: 0

Red Team Automatic Metrics

Existing safety methods typically assume uniform access and focus on preventing harmful or toxic outputs, without addressing role-specific access constraints.
When Style Breaks Safety: Defending LLMs Against Superficial Style Alignment
Yuxin Xiao, Sana Tonekaboni, Walter Gerych, Vinith Suriyakumar, Marzyeh Ghassemi · Jun 9, 2025 · Citations: 0

Red Team Automatic Metrics

In this work, we seek to understand whether style patterns compromise LLM safety, how superficial style alignment increases model vulnerability, and how best to mitigate these risks during alignment.
RedTeamCUA: Realistic Adversarial Testing of Computer-Use Agents in Hybrid Web-OS Environments
Zeyi Liao, Jaylen Jones, Linxi Jiang, Yuting Ning, Eric Fosler-Lussier · May 28, 2025 · Citations: 0

Red Team Simulation Env Web Browsing

Computer-use agents (CUAs) promise to automate complex tasks across operating systems (OS) and the web, but remain vulnerable to indirect prompt injection.
Refusal Direction is Universal Across Safety-Aligned Languages
Xinpeng Wang, Mingyang Wang, Yihong Liu, Hinrich Schütze, Barbara Plank · May 22, 2025 · Citations: 0

Red Team Automatic Metrics

Refusal mechanisms in large language models (LLMs) are essential for ensuring safety.
Beyond Single-Turn: A Survey on Multi-Turn Interactions with Large Language Models
Yubo Li, Xiaobin Shen, Xinyu Yao, Xueying Ding, Yidi Miao · Apr 7, 2025 · Citations: 0

Red Team Automatic Metrics

We organize existing benchmarks and datasets into coherent categories reflecting the evolving landscape of multi-turn dialogue evaluation, and review a broad spectrum of enhancement methodologies, including model-centric strategies (in-cont
Steering Dialogue Dynamics for Robustness against Multi-turn Jailbreaking Attacks
Hanjiang Hu, Alexander Robey, Changliu Liu · Feb 28, 2025 · Citations: 0

Red Team Automatic Metrics

To address this challenge, we propose a safety steering framework grounded in safe control theory, ensuring invariant safety in multi-turn dialogues.

Red Team Papers

Research Narrative

Why This Matters For Eval Research

Protocol Takeaways

Benchmark Interpretation

Metric Interpretation

Researcher Checklist

Suggested Reading Order

Known Limitations

Research Utility Links

Top Papers

Related Hubs