HarmBench is a standardized evaluation framework designed to rigorously compare automated red teaming algorithms and jailbreak attacks against large language models. It provides a fixed, diverse set of 400 harmful behaviors across semantic categories like cybercrime and misinformation, paired with a standardized set of 33 held-out, functional defense mechanisms to ensure reproducible, apples-to-apples comparisons.
Glossary
HarmBench

What is HarmBench?
HarmBench is a standardized, open-source evaluation framework for benchmarking automated red teaming methods and jailbreak attacks against a diverse set of harmful behaviors and defense mechanisms.
The framework evaluates attacks using a multimodal metric combining a proprietary classifier-based refusal judge with LLM-as-a-judge scoring to measure compliance. By open-sourcing the prompts, target models, and evaluation pipeline, HarmBench establishes a reproducible scientific benchmark that moves the field beyond anecdotal jailbreak demonstrations toward systematic, quantitative safety evaluation.
Key Features of HarmBench
A standardized, open-source framework for benchmarking automated red teaming methods and jailbreak attacks against a diverse set of harmful behaviors and defense mechanisms.
Standardized Behavioral Taxonomy
HarmBench introduces a standardized taxonomy of 400+ harmful behaviors spanning cybercrime, misinformation, and chemical/biological threats. Each behavior is paired with a canonical test prompt and an automated judge classifier. This eliminates the inconsistent, ad-hoc evaluation that plagued prior research, enabling apples-to-apples comparisons across attack methods.
- 400+ behaviors across semantic categories
- Automated judge using Llama 2 or GPT-4 classifiers
- Open-source reference implementations for all attacks
Dual Evaluation Modes
The framework supports two distinct evaluation paradigms: Attack Success Rate (ASR) against a fixed set of harmful behaviors, and Defense Robustness measuring how well guardrails resist adaptive adversaries. This dual-mode design allows researchers to benchmark both offensive red teaming algorithms and defensive mechanisms like perplexity filters or SmoothLLM within a single, consistent environment.
- ASR mode: Evaluates attack efficacy
- Defense mode: Tests guardrail resilience
- Adaptive adversary simulation built-in
Comprehensive Attack Suite
HarmBench ships with 18 pre-implemented attack methods covering the full spectrum of jailbreak techniques. This includes gradient-based white-box attacks like GCG (Greedy Coordinate Gradient), few-shot prompting methods, and automated red teaming algorithms. Each attack is configurable and produces reproducible results, serving as a baseline for new research.
- GCG Attack with optimized adversarial suffixes
- Few-shot and zero-shot prompting baselines
- Stochastic and genetic algorithm variants
Defense Benchmarking Suite
The framework evaluates 7 defense mechanisms under a unified protocol, measuring their ability to resist adaptive attacks. Tested defenses include perplexity filtering, SmoothLLM (input perturbation and aggregation), Erase-and-Check (certified robustness), and response refusal classifiers. Each defense is scored on its ASR reduction and benign utility preservation.
- Perplexity-based input filtering
- SmoothLLM randomized smoothing defense
- Erase-and-Check certified robustness guarantees
Classifier-Based Automated Judging
HarmBench replaces unreliable string-matching with a fine-tuned Llama 2 13B classifier that determines whether a model output constitutes a harmful completion. This judge model is trained on the framework's behavioral taxonomy and achieves high agreement with human annotators. The classifier evaluates semantic harmfulness, not just keyword presence, catching sophisticated jailbreaks that evade simple filters.
- Fine-tuned Llama 2 13B judge model
- High human agreement on harmfulness labels
- Detects semantic violations, not just keywords
Frequently Asked Questions
Clear answers to the most common questions about HarmBench, the standardized evaluation framework for automated red teaming and jailbreak attacks against large language models.
HarmBench is a standardized, open-source evaluation framework designed to benchmark automated red teaming methods and jailbreak attacks against large language models. It provides a curated dataset of 400 harmful behaviors across diverse semantic categories—including cybercrime, misinformation, and chemical weapons—paired with a standardized evaluation pipeline. The framework works by having an attack method generate a test case for each behavior, which is then fed to a target LLM. A classifier model judges whether the LLM's response successfully complies with the harmful request, producing a standardized Attack Success Rate (ASR) metric. This eliminates the inconsistency of ad-hoc evaluations and enables direct, apples-to-apples comparison between different jailbreak techniques.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
HarmBench exists within a broader landscape of adversarial evaluation, safety alignment, and defense mechanisms. These interconnected concepts form the foundation for understanding automated red teaming and jailbreak mitigation.
Automated Red Teaming
The use of specialized language models or algorithms to autonomously generate diverse, novel adversarial test cases at scale. Unlike manual red teaming, automated approaches can explore the vast combinatorial space of possible attacks, discovering edge cases that human testers would miss. HarmBench standardizes this process by providing a common evaluation framework, enabling direct comparison between methods like GCG, PAIR, and TAP. Key metrics include attack success rate, query efficiency, and diversity of generated prompts.
Constitutional AI
A training methodology developed by Anthropic that uses a written set of principles—a constitution—to critique and revise model responses. Rather than relying solely on human feedback, the model self-improves by checking its outputs against explicit rules about harmlessness and helpfulness. This approach creates a harmlessness classifier without extensive human labeling. HarmBench evaluates models trained with Constitutional AI alongside those using traditional RLHF, providing comparative data on robustness against jailbreak attacks.
Perplexity Filter
A defense mechanism that analyzes the statistical likelihood of an input sequence. Jailbreak prompts—particularly adversarial suffixes generated by gradient-based attacks—often contain gibberish or highly improbable token sequences. A perplexity filter flags inputs exceeding a threshold as anomalous and blocks them before model processing. HarmBench measures the effectiveness of perplexity-based defenses against various attack types, revealing that sophisticated attacks can be designed to evade these statistical detectors.
SmoothLLM
A defense algorithm that perturbs multiple copies of an input prompt and aggregates the model's responses. By introducing random character-level perturbations—such as insertions, swaps, or patches—SmoothLLM detects adversarial suffixes through anomalous output variance. If the perturbed copies produce inconsistent or refused responses while the original triggers harmful output, the input is flagged as adversarial. HarmBench includes SmoothLLM in its defense evaluation suite, demonstrating its effectiveness against GCG-style attacks.
Representation Engineering
A safety technique that identifies and manipulates internal model activations corresponding to harmful concepts. Rather than relying on input or output filters, representation engineering reads and writes to the model's hidden states during inference. Activation steering—adding a computed safety vector to hidden states—can guide generation away from harmful outputs in real-time without retraining. HarmBench evaluates these methods alongside traditional guardrails, providing data on their robustness against adaptive attacks.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us