tool · 2026

AJAR: Adaptive Jailbreak Architecture for Red-teaming

Yipu Dou, Wang Yang

0 citations · 22 references · arXiv

Published on arXiv

2601.10971

Threat categories

  • Prompt Injection (OWASP LLM Top 10 — LLM01)
  • Excessive Agency (OWASP LLM Top 10 — LLM08)

Key Finding

Demonstrates architectural feasibility of modular agentic jailbreak orchestration via MCP and reveals that tool-use formatting requirements can simultaneously open new injection vectors and disrupt persona-based attacks

Novel technique introduced

AJAR (Protocol-driven Cognitive Orchestration)


As Large Language Models (LLMs) evolve from static chatbots into autonomous agents capable of tool execution, the landscape of AI safety is shifting from content moderation to action security. However, existing red-teaming frameworks remain bifurcated: they either focus on rigid, script-based text attacks or lack the architectural modularity to simulate complex, multi-turn agentic exploitations. In this paper, we introduce AJAR (Adaptive Jailbreak Architecture for Red-teaming), a proof-of-concept framework designed to bridge this gap through Protocol-driven Cognitive Orchestration. Built upon the robust runtime of Petri, AJAR leverages the Model Context Protocol (MCP) to decouple adversarial logic from the execution loop, encapsulating state-of-the-art algorithms like X-Teaming as standardized, plug-and-play services. We validate the architectural feasibility of AJAR through a controlled qualitative case study, demonstrating its ability to perform stateful backtracking within a tool-use environment. Furthermore, our preliminary exploration of the "Agentic Gap" reveals a complex safety dynamic: while tool usage introduces new injection vectors via code execution, the cognitive load of parameter formatting can inadvertently disrupt persona-based attacks. AJAR is open-sourced to facilitate the standardized, environment-aware evaluation of this emerging attack surface. The code and data are available at https://github.com/douyipu/ajar.


Key Contributions

  • First red-teaming framework using MCP to abstract adversarial strategies (e.g., X-Teaming) as standardized plug-and-play services decoupled from the execution loop
  • Cognitive Orchestration architecture enabling stateful backtracking across multi-turn agentic interactions, built atop the Petri/Inspect AI runtime
  • Identification of the 'Agentic Gap' hypothesis: tool-use environments open new indirect injection vectors via code execution while paradoxically disrupting persona-based attacks through formatting constraints

Details

Domains: nlp
Model Types: llm
Threat Tags: black_box, inference_time
Applications: llm red-teaming, agentic ai safety evaluation, tool-using llm agents