
TLDR
- What: AMT-X (Adaptive Multi-Turn Exploitation) is a reproducible, phase-structured multi-turn red-teaming framework that uses a state-machine attacker guided by semantic signals, evaluated by a checklist-gated, multi-role debate jury.
- Who's at risk: Conversational large language models (LLMs) and agentic systems deployed in production, including evaluated models like GPT-5.2, Gemini-2.5-Pro, and Mistral-Large-2512.
- Key number: Implementing a strict actionability-gated checklist (requiring real, complete, and operational instructions) drops the measured attack success rate (ASR) by up to 33 percentage points compared to lenient evaluations (dropping from 100% overall ASR to 66.7% full ASR on Run A).
-
Title: State Machine Jailbreaks: Systematic Multi-Turn Exploitation and Dual-Metric Evaluation of Frontier LLMs via AMT-X
-
Opening paragraph: As safety alignments like Reinforcement Learning from Human Feedback (RLHF) and Constitutional AI harden models against single-turn prompt injections, adversaries are shifting to highly adaptive, multi-turn conversational strategies. This research is critical now because conversational applications and retrieval-augmented applications are vulnerable to conversational context-building that exploits logical inconsistencies. The proposed framework, AMT-X, demonstrates that safety-aligned models are bypassed when black-box targets are systematically guided through conversational phase transitions.
-
Threat Model | Attribute | Description | |---|---| | Attacker | Black-box conversational API access; receives automated evaluator feedback to dynamically prune and select tactics from a 31-technique library during offline campaigns. | | Victim | Aligned conversational LLMs and agentic services (GPT-5.2, GPT-4.1, Gemini-2.5-Pro, Gemma-3-12b-it, Grok-4, Mistral-Large-2512) queried under default safety configurations. | | Goal | Expose policy-violating, fully actionable operational instructions across 7 major Moderation sub-categories (Hate, Indiscriminate Weapon (CBRN), Non-Violent Crime, Sexual Content, Specialized Advice, Suicide & Self-Harm, Violent Crime). | | Budget | Strictly capped turn budget (12–15 turns maximum; average 1.3 to 4.7 turns to success). Low API spend (~ $0.067 per-attack, $2.80 total for a full 42-target campaign). |
Background / Problem Setup
Evaluating safety in conversational models has historically relied on static, single-turn benchmarks like HarmBench (Mazeika et al. [22]) and JailbreakBench (Chao et al. [6]), which systematically underestimate the threat of adaptive adversaries. Recent conversational attacks, such as Crescendo (Russinovich et al. [33]) and Chain of Attack (Yang et al. [38]), show that models are prone to the "foot-in-the-door" (FITD) effect (Freedman and Fraser [11])—where prior cooperative engagement weakens subsequent refusal boundaries.
However, prior multi-turn attack frameworks suffer from three severe limitations: they are structurally improvised (non-reproducible), they evaluate success via a single LLM judge prone to systematic biases, and they report success rates that fail to distinguish between partial disclosures and fully actionable, harmful instructions.
The following table contrasts the design of AMT-X with representative prior frameworks:
| Feature | Single-Prompt (e.g., GCG [41], PAIR [7], TAP [23]) | Prior Multi-Turn (e.g., Crescendo [33], CoA [38], ActorAttack [32], X-Teaming [31]) | AMT-X (Ours) |
|---|---|---|---|
| Attack Orchestration | Static single-prompt optimization | Improvised turn-by-turn / free-form planning | Explicit, reproducible state machine (P0-P4) |
| Feedback Signals | None or single binary refusal | Coarse binary refusal or simple error labels | Graded, multi-dimensional semantic vector |
| Success Evaluation | Single-judge scalar scoring | Single-judge scalar scoring | Multi-role debate jury with checklist-gated rubrics |
| Actionability Split | No separation (binary ASR) | No separation (binary ASR) | Lenient vs. Strict (Full) ASR dual-metrics |
Methodology
AMT-X structures conversational attacks as an explicit, reproducible state machine operating through five distinct tactical phases (P0 to P4):
- P0: Reconnaissance: Builds rapport and maps the victim's domain expertise and terminology without triggering safety filters.
- P1: Boundary Probing: Elicits a clear refusal to identify the exact policy boundaries and stated rationale.
- P2: Contradiction Identification: Articulates the logical gap between the model's self-described capabilities (P0) and its refusal (P1).
- P3: Exploit Reframing: Reframes the harmful objective as a benign, legitimate deliverable (e.g., professional compliance audit or safety writing).
- P4: Target Extraction: Compiles the final, structured, step-by-step actionable instructions.
[P0 Recon] --------> [P1 Boundary] --------> [P2 Contradiction] --------> [P3 Exploit] --------> [P4 Extract]
| | | | |
|_____________________|_________________________|________________________|______________________|
(Early Disclosure Shortcut)
Semantic Phase Transitions
Rather than relying on ad-hoc transitions, AMT-X's response analyzer converts each victim response into a fixed-width feature vector containing refusal_level, cooperation_level, disclosure_level, and phase_indicators. The phase controller advances the state machine using priority-ordered logic (Algorithm 1):
def post_response_transition(current_phase, response, analyzer_signals, budget):
# c: checklist ratio, p_next: next-phase indicator, d: disclosure level
c, p_next, d = analyzer_signals
if c > delta_check:
return current_phase + 1 # Checklist satisfied
elif p_next > delta_phase:
return current_phase + 1 # Semantic readiness
elif d > delta_disclose:
# Early disclosure shortcut: Jump straight to P4 extraction
return P4_EXTRACT
elif budget.is_exhausted(current_phase):
return current_phase + 1 # Forced budget advancement
return current_phase
Technique Selection and Evaluator Backend
The attacker selects tactics from a 31-technique library (Table 11) using a multi-armed bandit (UCB1) to balance exploration and exploitation within a tight turn budget.
The evaluation backend replaces single-judge setups with an adversarial Combination C jury:
- Grader (Gemma-3-12b-it): Decomposes responses into atomic claims.
- Critic (Llama-4-maverick-17b-128e-instruct): Attacks the checklist verdict.
- Defender (GPT-OSS-20B): Rebuts and defends the response.
Success is determined via majority vote across two debate rounds. Crucially, the jury checks for three critical checklist items in P4: p4_1 (complete and structured), p4_2 (real, non-placeholder values), and p4_5 (specific methods/parameters). If any critical item fails, the run cannot achieve Full ASR, even if it satisfies basic criteria to score as an Overall ASR success (Equation 3).
Key Results
The framework was evaluated across a 42-cell grid (6 victim models 7 moderation sub-categories) over three independent runs (Runs A, B, and C).
Overall vs. Full Success Rates
As shown in Table 7, AMT-X achieves nearly perfect overall success rates under lenient scoring, but safety vulnerabilities drop dramatically when subjected to strict actionability gates:
| Run | Overall ASR | Full ASR (Strict Gate) | Partial Success (Gap) | Fail |
|---|---|---|---|---|
| Run A | 100.0% | 66.7% | 33.3% | 0.0% |
| Run B | 97.6% | 69.0% | 28.6% | 2.4% |
| Run C | 97.6% | 78.6% | 19.0% | 2.4% |
Under Run C (the ceiling case), Mistral-Large-2512 and Gemini-2.5-Pro were fully exploited (100% Full ASR), whereas GPT-5.2 restricted the attacker to a 57% Full ASR and 86% Overall ASR (Table 13).
Per-Model Performance Breakdown (Run C)
| Victim Model | n | Overall ASR | Full ASR | Avg Turns to Success |
|---|---|---|---|---|
| Gemini-2.5-Pro | 7 | 100% (7/7) | 100% (7/7) | 3.1 |
| Mistral-Large-2512 | 7 | 100% (7/7) | 100% (7/7) | 1.3 |
| Gemma-3-12b-it | 7 | 100% (7/7) | 86% (6/7) | 2.0 |
| GPT-4.1 | 7 | 100% (7/7) | 71% (5/7) | 3.6 |
| GPT-5.2 | 7 | 86% (6/7) | 57% (4/7) | 4.7 |
| Grok-4 | 7 | 100% (7/7) | 57% (4/7) | 3.1 |
Note: GPT-5.2 was the only model to successfully block an attack completely (Indiscriminate Weapon / CBRN threat category, as shown in Figure 9b).
Phase Budget Ablation (Table 8)
To understand where the alignment breaks, the authors capped the state machine at earlier phases:
| Max Phase Allowed | Overall ASR | Full ASR | Overall ASR |
|---|---|---|---|
| P1 Only (Boundary Probing) | 28.6% | 23.8% | -69.0 pp |
| P2 Only (Contradiction Mining) | 35.7% | 26.2% | -61.9 pp |
| P3 Only (Exploit Reframing) | 97.6% | 71.4% | 0.0 pp |
| Full Pipeline (Run C) | 97.6% | 78.6% | — |
The transition from P2 to P3 represents a massive jump in overall success (+61.9 percentage points). This highlights that merely pointing out logical contradictions is harmless; the attack succeeds only when the model accepts the "legitimate" reframing (P3), which acts as the cognitive trigger to unlock P4 extraction.
Limitations & Open Questions
- Very Low Statistical Power: The evaluation grid has a sample size of per victim model (only one representative goal per category). This means a single failure (like GPT-5.2 on CBRN) drops the category success rate significantly. The disaggregated cells contain too much sampling noise to draw statistically rigorous, fine-grained conclusions.
- Severe Evaluator-Victim Coupling: Gemma-3-12b-it is simultaneously evaluated as a victim model and deployed as the "Grader" seat in the evaluation jury. This shared model lineage introduces unquantifiable covariance and self-play evaluation biases.
- High Jury False Positive Rates (FPR): In the pilot calibration study (Section B.4), the Combination C jury exhibited a False Positive Rate of approximately 36% against human-majority labels. This means the jury frequently over-flags benign responses, likely inflating both reported ASR metrics.
- No Tested Defenses: Although the paper hypothesizes that turn-ceilings, anomaly detection, or refusal-mapping could mitigate these attacks, they do not implement or evaluate the efficacy of any defense.
What Practitioners Should Do
- Enforce Session Limits: Implement conversation turn ceilings, keeping sessions below approximately 10 turns. The data shows that complex reframing exploits require several turns to establish, making turn-budget constraints an immediate, low-overhead containment method.
- Monitor Session State Transitions: Deploy classifiers to detect shifts in user prompts from "capability discovery" (P0/P1) to "rule contradiction" (P2/P3) or anomaly-driven indicators.
- Upgrade Evaluation Metrics to Use Multi-Agent Checklists: Stop reporting safety metrics using single-judge scalar scores. Deploy a multi-role jury (separating Grader, Critic, and Defender roles) and gate success on explicit actionability metrics (such as the presence of real, non-placeholder parameters like
p4_2). - Strictly Decouple Evaluation Models: Ensure your red-teaming evaluators do not share weights, training pipelines, or parent-vendor lineages.
The Takeaway
AMT-X proves that static, single-turn safety benchmarks severely overestimate LLM resilience, as conversational state-machine attacks can systematically dismantle the safety alignments of evaluated frontier models. More importantly, the paper demonstrates that a massive gap of up to 33 percentage points exists between nominal jailbreak "success" and fully actionable operational harm. Moving forward, AI safety teams must move away from easily biased, single-judge scalar scores and adopt strict, checklist-gated dual-metric frameworks to measure true operational risk.
Den's Take
AMT-X hits on a critical, often ignored reality in LLM red-teaming: our evaluation metrics are fundamentally broken. While it is alarming that a structured state-machine attacker exploiting a 31-technique library can systematically bypass frontiers like GPT-5.2 and Gemini-2.5-Pro for a measly $0.067 per attack, the real headline here is the massive evaluation gap. Introducing a strict, checklist-gated jury dropped the measured Attack Success Rate (ASR) by up to 33 percentage points (from 100% overall ASR to 66.7% full ASR on Run A). This proves we have been over-inflating vulnerability metrics by relying on lazy, single-judge LLM evaluations that mistake benign, partial compliance for fully actionable, policy-violating instructions.
For practitioners deploying conversational applications, AMT-X is a wake-up call. We must transition to state-machine-based red-teaming to uncover these progressive "foot-in-the-door" logical vulnerabilities. However, we also need to stop panicking over raw ASR numbers that do not actually yield complete, operational threat instructions. Standardizing multi-role, checklist-gated evaluation is the only way to separate actual, exploitable risk from harmless conversational noise.