tool 2026

FlashRT: Towards Computationally and Memory Efficient Red-Teaming for Prompt Injection and Knowledge Corruption

Yanting Wang , Chenlong Yin , Ying Chen , Jinyuan Jia

The Pennsylvania State University

0 citations
α

Published on arXiv

2604.28157

Prompt Injection

OWASP LLM Top 10 — LLM01

Red-Team Agents

LLMs for Security — LS06

Benchmarks & Evaluation

LLMs for Security — LS10

Key Finding

Reduces runtime from one hour to less than ten minutes and GPU memory from 264.1 GB to 65.7 GB for 32K token context attacks

FlashRT

Novel technique introduced

Long-context large language models (LLMs)-for example, Gemini-3.1-Pro and Qwen-3.5-are widely used to empower many real-world applications, such as retrieval-augmented generation, autonomous agents, and AI assistants. However, security remains a major concern for their widespread deployment, with threats such as prompt injection and knowledge corruption. To quantify the security risks faced by LLMs under these threats, the research community has developed heuristic-based and optimization-based red-teaming methods. Optimization-based methods generally produce stronger attacks than heuristic attacks and thus provide a more rigorous assessment of LLM security risks. However, they are often resource-intensive, requiring significant computation and GPU memory, especially for long context scenarios. The resource-intensive nature poses a major obstacle for the community (especially academic researchers) to systematically evaluate the security risks of long-context LLMs and assess the effectiveness of defense strategies at scale. In this work, we propose FlashRT, the first framework to improve the efficiency (in terms of both computation and memory) for optimization-based prompt injection and knowledge corruption attacks under long-context LLMs. Through extensive evaluations, we find that FlashRT consistently delivers a 2x-7x speedup (e.g., reducing runtime from one hour to less than ten minutes) and a 2x-4x reduction in GPU memory consumption (e.g., reducing from 264.1 GB to 65.7 GB GPU memory for a 32K token context) compared to state-of-the-art baseline nanoGCG. FlashRT can be broadly applied to black-box optimization methods, such as TAP and AutoDAN. We hope FlashRT can serve as a red-teaming tool to enable systematic evaluation of long-context LLM security. The code is available at: https://github.com/Wang-Yanting/FlashRT

Key Contributions

  • First framework to improve efficiency of optimization-based prompt injection and knowledge corruption attacks for long-context LLMs
  • Achieves 2-7x speedup and 2-4x reduction in GPU memory consumption compared to nanoGCG
  • Broadly applicable to black-box optimization methods like TAP and AutoDAN

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llmtransformer
Threat Tags
white_boxinference_time
Applications
retrieval-augmented generationautonomous agentsai assistants
Read PDF arXiv Code

Similar Papers

tool

Detecting Jailbreak Attempts in Clinical Training LLMs Through Automated Linguistic Feature Extraction

2026 0 cit.
90%
tool

Perturbation Probing: A Two-Pass-per-Prompt Diagnostic for FFN Behavioral Circuits in Aligned LLMs

2026 0 cit.
90%
tool

Taxonomy-Adaptive Moderation Model with Robust Guardrails for Large Language Models

2025 0 cit.
90%
defense

The Laminar Flow Hypothesis: Detecting Jailbreaks via Semantic Turbulence in Large Language Models

2025 0 cit.
82%
defense

Do Internal Layers of LLMs Reveal Patterns for Jailbreak Detection?

2025 1 cit.
82%
defense

Rule Encoding and Compliance in Large Language Models: An Information-Theoretic Analysis

2025 2 cit.
82%
tool

NeuroBreak: Unveil Internal Jailbreak Mechanisms in Large Language Models

2025 0 cit.
82%
attack

Silencing the Guardrails: Inference-Time Jailbreaking via Dynamic Contextual Representation Ablation

2026 0 cit.
82%