The Greedy Coordinate Gradient (GCG) Attack is a white-box adversarial attack that automatically discovers a sequence of seemingly meaningless tokens—an adversarial suffix—which, when appended to a harmful user query, reliably bypasses a language model's safety alignment. The attack leverages direct access to the model's gradients to perform a discrete optimization over the token vocabulary, identifying substitutions that maximize the probability of the model beginning its response with an affirmative phrase like 'Sure, here is how to...'
Glossary
Greedy Coordinate Gradient (GCG) Attack

What is Greedy Coordinate Gradient (GCG) Attack?
An automated white-box attack that optimizes an adversarial suffix token sequence appended to a harmful query to induce a language model to produce an affirmative and unsafe response.
Unlike manual jailbreak attempts, GCG is a systematic and transferable attack. The optimization uses a greedy, coordinate-descent approach, iteratively evaluating candidate token replacements for each position in the suffix based on their gradient. A key finding is that adversarial suffixes optimized on a single open-source model, such as Vicuna, often transfer effectively to other proprietary, black-box models, exposing a systemic vulnerability in current alignment techniques.
Key Characteristics of GCG Attacks
The Greedy Coordinate Gradient (GCG) attack is a powerful white-box optimization method that systematically identifies adversarial token sequences to jailbreak aligned language models. The following cards break down its core operational characteristics and defensive considerations.
White-Box Gradient Access
GCG is a white-box attack, meaning it requires full access to the model's internal parameters and gradients. The attacker computes the gradient of the adversarial loss with respect to the one-hot token indicators in the input. This gradient signal reveals which token substitutions in the suffix will most effectively reduce the model's refusal probability. Unlike black-box methods that rely on random search or heuristic prompts, GCG leverages precise mathematical optimization to find minimal, highly effective perturbations.
Greedy Coordinate Descent Optimization
The attack uses a greedy coordinate descent algorithm to iteratively refine the adversarial suffix. In each step:
- A random subset of token positions in the suffix is selected.
- For each position, the gradient identifies the top-k candidate tokens with the largest negative loss.
- Each candidate is evaluated via a forward pass, and the single token swap that most reduces the loss is kept. This greedy, coordinate-wise approach efficiently navigates the discrete token space without exhaustive search, converging to a suffix that reliably induces affirmative harmful responses.
Universal and Transferable Suffixes
A critical finding of the GCG attack is that optimized suffixes exhibit transferability across different models and even different harmful prompts. A suffix optimized on a smaller, open-source model like Vicuna-7B often successfully jailbreaks larger, proprietary models such as GPT-3.5 or PaLM-2. This transferability arises because the adversarial patterns exploit common failure modes in the alignment training distribution shared across models, making GCG a potent tool for probing systemic vulnerabilities in language model safety.
Perplexity-Based Detection Vulnerability
GCG-optimized suffixes are typically nonsensical strings of tokens that maximize the probability of an affirmative response. This results in sequences with abnormally high perplexity under a language model. A straightforward defense involves applying a perplexity filter to user inputs: if the log-perplexity of any portion of the prompt exceeds a calibrated threshold, the request is flagged and blocked. However, adaptive attackers can incorporate fluency constraints into the GCG loss function to generate lower-perplexity, more natural-sounding adversarial suffixes that evade naive detection.
Multi-Prompt and Multi-Modal Extensions
The core GCG algorithm has been extended to create universal adversarial triggers that jailbreak a model across a distribution of harmful prompts simultaneously. By optimizing the suffix over a training set of diverse harmful queries, the resulting trigger generalizes to unseen prompts. Research has also demonstrated GCG's applicability to multi-modal models, where adversarial perturbations optimized on a text encoder can jailbreak vision-language models by appending an optimized string to an image caption, bypassing safety filters that rely on visual context.
Discrete Optimization for Adversarial NLP
GCG represents a broader class of gradient-based discrete optimization techniques for adversarial NLP. Unlike continuous pixel-space attacks in computer vision, language operates on discrete tokens, making direct gradient descent impossible. GCG solves this by using gradients to score candidate token replacements, bridging continuous optimization with discrete search. This methodology has influenced subsequent attacks like AutoDAN and PAIR, which combine gradient signals with genetic algorithms or auxiliary LLMs to produce semantically coherent jailbreaks while retaining the mathematical efficiency of the GCG framework.
Frequently Asked Questions
Explore the technical details of the Greedy Coordinate Gradient attack, a state-of-the-art method for automatically discovering adversarial suffixes that jailbreak aligned language models.
A Greedy Coordinate Gradient (GCG) attack is an automated white-box adversarial method that optimizes a sequence of tokens appended to a harmful query to induce a language model to produce an affirmative, unsafe response. The attack operates by first defining an adversarial loss function that measures the model's likelihood of beginning its response with a target phrase like 'Sure, here is how to...'. It then computes the gradient of this loss with respect to a one-hot vector representation for each token position in the adversarial suffix. For each position, it identifies a candidate set of replacement tokens with the largest negative gradients. Through a greedy, coordinate-wise search, it evaluates all single-token substitutions across all suffix positions, accepting the swap that most steeply minimizes the loss. This process iterates for hundreds of steps, progressively refining the suffix from random gibberish into a highly effective jailbreak string that reliably bypasses the model's safety alignment.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
The GCG attack sits at the intersection of white-box optimization and language model safety. Explore the core concepts, related attack vectors, and defense mechanisms that define this critical area of AI security research.
Jailbreaking vs. Prompt Injection
GCG is a jailbreak technique, a specific subclass of prompt injection attacks. The distinction is critical for defense design.
- Jailbreak (GCG's Domain): Bypasses the model's safety alignment to produce harmful content the model was trained to refuse. The attack targets the model's internal value alignment
- Prompt Injection: Overrides system instructions to execute unintended actions, such as data exfiltration or tool misuse. The attack targets the application layer
- Indirect Prompt Injection: A related vector where malicious instructions are embedded in retrieved documents, not the user prompt itself
Adversarial Suffix Optimization
The core innovation of GCG is the automated discovery of an adversarial suffix—a seemingly gibberish string of tokens that, when appended to a harmful query, flips the model's refusal into compliance.
- Mechanism: Uses a greedy coordinate descent algorithm to iteratively replace tokens in the suffix, selecting candidates that maximize the probability of an affirmative target response (e.g., 'Sure, here is how to...')
- Universality: A single optimized suffix can often jailbreak a model across many different harmful prompts, not just the one it was optimized for
- Transferability: Suffixes discovered on open-source models like Vicuna frequently transfer to other models, including proprietary ones
Defense: Perplexity Filtering
A primary defense against GCG attacks exploits a key property of the adversarial suffixes: they are statistically anomalous. Perplexity filters measure how 'surprising' a token sequence is to a language model.
- Detection Principle: GCG suffixes are optimized for attack success, not linguistic fluency, resulting in high perplexity scores that deviate sharply from natural text
- Implementation: A separate, lightweight model computes the log-perplexity of the input; prompts exceeding a threshold are blocked before reaching the target model
- Limitations: Attackers can incorporate a fluency constraint into the GCG loss function, optimizing for both attack success and low perplexity to evade detection
Adversarial Training for LLMs
Adversarial training is the most robust long-term defense. It involves fine-tuning the model on a dataset of successful jailbreak prompts, including those generated by GCG, to reinforce refusal boundaries.
- Process: Generate adversarial suffixes against the current model, collect the successful attacks, and fine-tune the model to refuse them correctly
- Contrast with TRADES: In image classification, TRADES explicitly balances clean and robust accuracy. In LLMs, the trade-off is between helpfulness (answering benign requests) and harmlessness (refusing dangerous ones)
- Constitutional AI (CAI): An alternative approach where a model is trained to critique and revise its own outputs based on a written constitution of principles, reducing reliance on adversarial examples

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us