There are 25 attacks in the adversarial-ml category. Each shows its technique id, mode, standards mapping, description, and the exact command to run it (swap the provider and target as needed).
Gradient-Based Adversarial Attack
critical
gradient-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Exploits gradient information to craft adversarial inputs that steer model outputs toward attacker-controlled targetsRun it:
ai-blackteam run -p anthropic -a gradient-attack -t "your target prompt"
Output Classifier Bypass
critical
output-classifier-bypass · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Instructs the model to format harmful outputs in ways that evade post-generation output safety classifiers and filtersRun it:
ai-blackteam run -p anthropic -a output-classifier-bypass -t "your target prompt"
Reward Hacking Attack
critical
reward-hacking · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Exploits misalignment between proxy reward functions and true objectives to elicit harmful outputs that score highly on RLHF reward modelsRun it:
ai-blackteam run -p anthropic -a reward-hacking -t "your target prompt"
Safety Classifier Evasion
critical
safety-classifier-evasion · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Specifically targets and evades safety classifiers deployed as guardrails using adversarial examples crafted against those classifiersRun it:
ai-blackteam run -p anthropic -a safety-classifier-evasion -t "your target prompt"
Transferable Adversarial Attack
critical
transferable-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Attacks crafted on surrogate models that transfer to target black-box models due to shared decision boundariesRun it:
ai-blackteam run -p anthropic -a transferable-attack -t "your target prompt"
Universal Adversarial Suffix
critical
universal-adversarial-suffix · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Universal transferable suffixes optimized across multiple models to bypass safety alignment on any targetRun it:
ai-blackteam run -p anthropic -a universal-adversarial-suffix -t "your target prompt"
Adversarial Perturbation Attack
high
perturbation-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Applies small, imperceptible perturbations to inputs to cause model misclassification or policy bypassRun it:
ai-blackteam run -p anthropic -a perturbation-attack -t "your target prompt"
Attention-Based Adversarial Attack
high
attention-based-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Crafts inputs that manipulate attention patterns to suppress safety-relevant context and amplify harmful task signalsRun it:
ai-blackteam run -p anthropic -a attention-based-attack -t "your target prompt"
Beam Search Adversarial Attack
high
beam-search-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Uses beam search to explore token sequences that maximize attack success probability while maintaining fluencyRun it:
ai-blackteam run -p anthropic -a beam-search-attack -t "your target prompt"
Black-Box Optimization Attack
high
black-box-optimization · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Query-based optimization attack that crafts adversarial prompts without gradient access using only model outputsRun it:
ai-blackteam run -p anthropic -a black-box-optimization -t "your target prompt"
Character-Level Adversarial Attack
high
character-level-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Introduces character-level perturbations such as insertions, deletions, and swaps to evade token-based filtersRun it:
ai-blackteam run -p anthropic -a character-level-attack -t "your target prompt"
Constrained Optimization Attack
high
constrained-optimization-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Solves a constrained optimization problem to find adversarial prompts satisfying fluency and evasion constraints simultaneouslyRun it:
ai-blackteam run -p anthropic -a constrained-optimization-attack -t "your target prompt"
Embedding Space Adversarial Attack
high
embedding-space-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Operates directly in embedding space to find minimal perturbations that move inputs across safety decision boundariesRun it:
ai-blackteam run -p anthropic -a embedding-space-attack -t "your target prompt"
Ensemble Adversarial Attack
high
ensemble-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Combines multiple attack strategies simultaneously to improve robustness against diverse safety mechanismsRun it:
ai-blackteam run -p anthropic -a ensemble-attack -t "your target prompt"
Genetic Algorithm Adversarial Attack
high
genetic-algorithm-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Evolves adversarial prompts through selection, crossover, and mutation to bypass safety filters over generationsRun it:
ai-blackteam run -p anthropic -a genetic-algorithm-attack -t "your target prompt"
Iterative Refinement Attack
high
iterative-refinement-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Iteratively refines adversarial prompts based on model feedback to progressively improve jailbreak success rateRun it:
ai-blackteam run -p anthropic -a iterative-refinement-attack -t "your target prompt"
Latent Space Adversarial Attack
high
latent-space-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Manipulates the model’s latent representations to steer generation toward harmful outputs via activation steeringRun it:
ai-blackteam run -p anthropic -a latent-space-attack -t "your target prompt"
Model-Specific Adversarial Attack
high
model-specific-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Exploits architecture-specific quirks, training artifacts, and known model weaknesses for targeted bypassRun it:
ai-blackteam run -p anthropic -a model-specific-attack -t "your target prompt"
Paraphrase Adversarial Attack
high
paraphrase-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Systematically paraphrases harmful requests to evade surface-level safety filters while retaining the harmful objectiveRun it:
ai-blackteam run -p anthropic -a paraphrase-attack -t "your target prompt"
Reinforcement Learning Adversarial Attack
high
reinforcement-learning-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003RL-trained attacker agent that learns prompt strategies maximizing jailbreak reward against safety-trained modelsRun it:
ai-blackteam run -p anthropic -a reinforcement-learning-attack -t "your target prompt"
Semantic-Preserving Adversarial Attack
high
semantic-preserving-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Transforms prompts to preserve semantic meaning while evading keyword and pattern-based safety classifiersRun it:
ai-blackteam run -p anthropic -a semantic-preserving-attack -t "your target prompt"
Sentence-Level Adversarial Attack
high
sentence-level-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Inserts or modifies entire sentences to shift model behavior while keeping overall prompt structure benign-lookingRun it:
ai-blackteam run -p anthropic -a sentence-level-attack -t "your target prompt"
Token-Level Perturbation Attack
high
token-level-perturbation · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Substitutes tokens at the embedding level to create semantically equivalent but filter-evading adversarial inputsRun it:
ai-blackteam run -p anthropic -a token-level-perturbation -t "your target prompt"
Word Importance Adversarial Attack
high
word-importance-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Identifies and perturbs high-importance words in safety filters to minimize classifier confidence on harmful inputsRun it:
ai-blackteam run -p anthropic -a word-importance-attack -t "your target prompt"
Synonym Substitution Attack
medium
synonym-substitution-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Replaces flagged keywords with synonyms or semantically equivalent terms to bypass lexical safety filtersRun it:
ai-blackteam run -p anthropic -a synonym-substitution-attack -t "your target prompt"