The Defense Your AI Safety Stack Was Never Tested Against
Your security team evaluated the LLM deployment. They ran red-team prompts. The defense flagged them. The report came back clean, and the system went into production serving clinicians, analysts, or customer-facing workflows. What the evaluation almost certainly did not test was what happens when an attacker uses two techniques simultaneously, one operating at the token level and one operating at the semantic level, in a single combined input. That scenario was not in the evaluation suite. It was not in most evaluation suites. And according to new research from Purdue University, it is precisely the scenario where the defenses break.
Researchers at Purdue published a paper in June 2025 examining what happens when two established jailbreak methods, one gradient-based and one prompt-based, are fused into a single hybrid attack pipeline. Tested against Gradient Cuff and JBShield, two of the most advanced published defenses for LLM jailbreaking, the hybrid approach broke through on fine-tuned models where both defenses had previously blocked every single-mode attack entirely. On Llama-3, the hybrid attack reached an Attack Success Rate of 91.6% under a rigorous evaluator, up from 58.4% for the standalone prompt-level baseline. Against JBShield on Vicuna-7B, the standalone prompt attack achieved a 0.04% bypass rate. The hybrid achieved 37%. The defenses did not degrade. They collapsed. But only on fine-tuned models, and this distinction matters enormously for how organisations interpret these results.
Why Two Attack Vectors Break What One Cannot
To understand what the Purdue team built, you need to understand what each individual technique cannot do on its own.
GCG (Greedy Coordinate Gradient) is a gradient-based attack that appends an optimized token sequence to a prompt, pushing the model toward producing a target harmful output. It is precise and highly effective on the models it was designed for. The problem is that it requires gradient access, meaning it only works on open-source models, and the token sequences it generates look unnatural. Entropy-based detectors and representation-based defenses like JBShield can identify the adversarial pattern in the model's internal activations and block it before output.
PAIR (Prompt Automatic Iterative Refinement) operates differently. An attacker LLM iteratively rewrites a harmful prompt using feedback from the target model, with a judge function evaluating whether each version succeeded. It is semantically coherent and harder to detect by pattern. But it drifts. The iterative refinement process tends to wander from the original goal, and gradient-based defenses like Gradient Cuff, which monitor the refusal loss gradient norm, catch it reliably.
The insight the Purdue team is building on is structural: each defense is calibrated for one attack modality, and the two attack families fail in different directions. Combine them and you present both defenses with an input they were not calibrated to handle.
| Attack Type | Blocked By | Bypassed By |
|---|---|---|
| GCG alone (token-level) | JBShield (representation) | Gradient Cuff struggles |
| PAIR alone (prompt-level) | Gradient Cuff (gradient-norm) | JBShield partially |
| GCG + PAIR (hybrid) | Neither, on Vicuna-7B | Both defenses at 37-58% ASR |
The table only holds for Vicuna-7B. On LLaMA-2 and LLaMA-3, both defenses held completely, yielding 0% ASR across all attack types including both hybrids. That is not a footnote. It is the most operationally important finding in the paper.
The Fine-Tuning Vulnerability Most Organisations Have Already Created
Vicuna-7B is a fine-tuned version of LLaMA. It was fine-tuned for helpfulness. That fine-tuning is almost certainly why the defenses broke against it.
The authors note alignment with a finding established in prior literature: fine-tuned models are generally more vulnerable to adversarial attacks. The mechanism is intuitive. Fine-tuning for helpfulness trains the model to be more responsive to user intent signals, including token-level and semantic signals that adversarial inputs exploit. The base LLaMA-2 and LLaMA-3 models, which retained stronger alignment from pretraining, held against every attack. Vicuna, optimized to be useful, became the entry point.
The enterprise risk here is direct: almost every LLM deployed in production has been fine-tuned. Base models are not what organisations run in clinical documentation tools, financial analysis workflows, or customer-facing products. The finding that defense bypass was only demonstrated on fine-tuned models is not a reassurance. It is a description of the exact model category in production.
The authors are appropriately careful about this. They do not claim the hybrid attacks are universally effective. They explicitly state that both defenses successfully blocked all attacks on LLaMA-2 and LLaMA-3, yielding 0% ASR. But fine-tuned models are where the gap opens, and fine-tuned models are what is deployed.
How the GCG + PAIR Hybrid Actually Operates
The mechanics are worth understanding because the architecture reveals why the combination is harder to detect than either component alone.
GCG+PAIR runs in parallel streams. Here is the sequence:
- The attacker LLM initializes with the attack objective and an empty conversation history.
- At each iteration, GCG recomputes an adversarial token suffix by minimizing a loss function over the conversation history so far.
- The attacker LLM samples a fresh semantically coherent prompt conditioned on that same history.
- The adversarial suffix is concatenated to the semantic prompt to form the combined input.
- The target model responds. A judge function evaluates whether the response crosses the safety threshold.
- If the judge returns a success signal, the attack ends. If not, the prompt-response pair is added to history and the next iteration begins.
- Five streams run simultaneously, each maintaining its own conversation history.
The key modification from vanilla PAIR is that tokens are inserted incrementally rather than regenerating full prompts. This keeps the semantic coherence that makes PAIR hard to detect while the gradient-optimized suffix does the work of forcing alignment with the target harmful output. The two components correct each other's weaknesses in real time.
GCG+WordGame operates differently. WordGame replaces sensitive words in a malicious prompt with masked tokens and provides linguistic hints, letter counts, syllables, synonyms, rhymes, so the model reconstructs the masked word internally while appearing to engage with an innocent word game. The hybrid prepends a GCG adversarial suffix to the WordGame prompt after a large reasoning model (Deepseek-r1:70B) generates the masking and hints. One important finding: this hybrid showed no meaningful improvement over standalone WordGame on undefended models. The reason is that the game format and the GCG target string fixation work against each other. When the model starts reasoning about the word game in its output preamble, it conflicts with the adversarial suffix's goal alignment. The hybrid's advantage only emerged against defenses.
What the Evaluation Gap Between Judges Reveals
The paper tests two judge models, Llama Guard and Mistral-sorry-bench, and the gap between them is its own finding.
Under Llama Guard, GCG+PAIR on Vicuna-7B achieved 78% ASR. Under Mistral-sorry-bench, the same attack on the same model reached 87.4%. The ordering is consistent: Mistral catches more of what Llama Guard misses. The authors explicitly note that Mistral was adversarially trained on a wide variety of jailbreak attempts, which is what makes it the more realistic evaluator.
The implication for organisations running automated red-teaming programs is significant. If your evaluation pipeline uses a lenient judge, you will systematically undercount successful jailbreaks. You will ship safety reports showing lower ASRs than an adversarially aware detector would produce. The gap is not marginal. On Llama-3 under no defenses, PAIR's ASR was 23% under Llama Guard and 58.4% under Mistral. The same attack, the same model, a 35-percentage-point difference in measured success depending on which judge evaluated it.
Organisations whose red-team tooling uses first-generation judge models are not measuring the real attack surface. They are measuring what the judge is willing to call a success.
Where the Defense Architecture Is Structurally Exposed
The Purdue findings surface a problem that predates this paper but that this paper now quantifies: defenses designed to detect one attack modality do not compose into a defense that handles combined modalities.
Gradient Cuff monitors refusal loss gradient norms. It was designed to detect the signature of gradient-optimized inputs. It does that well. JBShield analyzes hidden activations for adversarial representation patterns. It does that well. Neither was designed around the scenario where a semantically coherent prompt also carries an adversarial token payload, because that scenario was not in the threat model when they were built.
The 37% bypass rate against JBShield and 58% against Gradient Cuff on Vicuna-7B are not indictments of those systems specifically. They are evidence of a structural assumption baked into the entire current generation of LLM defenses: that attacks arrive in one mode at a time. When that assumption breaks, the defenses do not gracefully degrade. They fail across the range the hybrid exploits.
The authors disclosed findings to OpenAI in December 2024 and to Meta in June 2025 prior to publication. Both are listed as awaiting response at time of publication. That disclosure timeline suggests the research community is aware that single-mechanism defenses are approaching their limit against adaptive adversaries. The industry response has not yet materialized in published form.
What An Enterprise Security Team Should Do With This Today
The Purdue paper does not provide a defense. It documents a gap. The appropriate organizational response is not to wait for vendors to patch the defenses. It is to adjust how current safety evaluations are run.
Three things warrant immediate review:
- Red-team evaluation scope. If your current red-teaming program tests token-level attacks and prompt-level attacks as separate categories, it has not tested the combined scenario. The combined scenario is what this paper shows breaks through. Add hybrid attack vectors to evaluation suites, particularly against any fine-tuned model in production.
- Judge model calibration. If automated jailbreak evaluation uses Llama Guard or an equivalent first-generation judge, the measured ASR in your safety reports is likely materially lower than what an adversarially trained judge would produce. Audit the gap. Mistral-sorry-bench is publicly available. Running both judges on the same test set takes hours and reveals the delta.
- Fine-tuning provenance. The defense bypass in this paper was limited to a fine-tuned model. Before extending that finding to your environment, understand specifically what fine-tuning was applied to each production model and whether that fine-tuning increased helpfulness compliance in ways that might reduce adversarial robustness. This is not currently a standard part of model deployment documentation, but it should be.
The authors are planning future work on closed-source and commercial model testing (GPT-4, Claude-3, Gemini), broader defense coverage including SmoothLLM and perplexity filtering, and ensemble defense approaches. The research agenda they are describing is essentially a race between adaptive attack design and adaptive defense design. The organizations on the wrong side of that race will be the ones whose safety evaluations were written for the threat model of two years ago.
The defense did not fail because it was poorly designed. It failed because it was designed for a different adversary than the one that showed up.
Agents Applied covers AI research with direct operational implications for senior technology leaders. Each edition extracts what matters, names what is overstated, and leaves the rest on the bench.