Inferensys

Glossary

Attack Success Rate (ASR)

Attack Success Rate (ASR) is the key performance indicator measuring the percentage of adversarial attempts that successfully bypass safety filters or cause a model to generate the attacker's intended harmful output.
ML engineer working on model compression and quantization, laptop showing performance benchmarks, technical workspace.
ADVERSARIAL METRICS

What is Attack Success Rate (ASR)?

Attack Success Rate (ASR) is the primary quantitative metric in AI security that measures the percentage of adversarial attempts that successfully bypass safety filters or compel a model to generate the attacker's intended harmful output.

Attack Success Rate (ASR) is calculated by dividing the number of successful adversarial attempts by the total number of attack queries executed against a target model. A successful attack is defined as one where the model's guardrail architectures fail and it produces policy-violating content, leaks system prompts, or executes a malicious tool call. ASR serves as the definitive benchmark for evaluating the efficacy of automated red teaming campaigns and the robustness of safety alignment.

In continuous automated red teaming (CART) pipelines, ASR is tracked over time to detect adversarial drift and model regressions. A rising ASR indicates that jailbreak automation techniques like Greedy Coordinate Gradient (GCG) or Tree of Attacks with Pruning (TAP) are finding new weaknesses. Security teams use ASR alongside model resilience scoring to quantify risk and prioritize the deployment of adversarial robustness training and updated input filters.

METRICS

Key Characteristics of Attack Success Rate

Attack Success Rate (ASR) is the primary quantitative benchmark for evaluating the efficacy of adversarial attacks and the robustness of AI safety mechanisms. The following characteristics define how ASR is calculated, interpreted, and optimized in automated red teaming workflows.

01

Core Calculation Formula

ASR is calculated as the ratio of successful adversarial attempts to total attempts. A successful attack is strictly defined as a model output that matches the attacker's harmful intent, bypassing safety filters.

  • Formula: ASR = (Number of Harmful Outputs / Total Attack Queries) × 100%
  • Granularity: Can be measured per attack technique (e.g., GCG ASR vs. TAP ASR) or aggregated across a full red teaming suite.
  • Thresholds: An ASR > 50% indicates a critical vulnerability; ASR < 1% is the target for production-grade guardrails.
< 1%
Production Target
> 50%
Critical Vulnerability
02

Harmful Output Classification

ASR depends on a robust taxonomy of harmful content. Automated classifiers evaluate model responses against predefined safety policies to determine if an attack succeeded.

  • Policy Categories: Hate speech, violence, self-harm, illegal advice, PII leakage, and sexual content.
  • Classifier Types: Fine-tuned BERT-based models, LLM-as-a-judge evaluators, and keyword heuristics.
  • False Positives: Overly sensitive classifiers inflate ASR; rigorous human alignment of the evaluator is critical for metric validity.
03

Multi-Turn vs. Single-Turn ASR

ASR must be contextualized by the attack's interaction model. Multi-turn attacks like Crescendo often achieve higher ASR than single-turn prompts.

  • Single-Turn ASR: Measures immediate jailbreak success from one prompt.
  • Multi-Turn ASR: Tracks success over a conversation, where benign-seeming dialogue gradually erodes safety guardrails.
  • Metric Distinction: A model may have 0% single-turn ASR but 40% multi-turn ASR, revealing a hidden vulnerability surface.
04

Adversarial Budget and Query Efficiency

ASR is inversely correlated with the adversarial budget—the number of queries or compute resources an attacker expends. Efficient attacks achieve high ASR with minimal queries.

  • Query-Limited ASR: Measures success within a fixed budget (e.g., 100 queries).
  • Unlimited Budget ASR: Theoretical maximum success rate with infinite retries.
  • Optimization Goal: Automated red teaming tools like GCG optimize for high ASR with low query counts, simulating realistic attacker constraints.
05

Transferability and Generalization

A critical ASR dimension is transferability—whether an adversarial prompt or suffix generated against one model succeeds against a different, black-box target.

  • Transfer ASR: The success rate when applying attacks optimized on a surrogate model (e.g., Llama) to a target model (e.g., GPT-4).
  • Universal Triggers: Inputs with high transfer ASR across diverse architectures indicate systemic vulnerabilities in alignment training.
  • Defense Implication: Low transfer ASR suggests model-specific weaknesses; high transfer ASR signals a fundamental safety flaw.
06

Continuous Monitoring and Regression

ASR is not static. Continuous Automated Red Teaming (CART) tracks ASR over time to detect safety regressions caused by model updates or data drift.

  • Regression Alerts: A spike in ASR after a fine-tuning run indicates the update inadvertently weakened safety alignment.
  • Drift Correlation: ASR increases may correlate with shifts in production input distributions, requiring recalibration of guardrails.
  • Dashboarding: Security teams monitor ASR trends alongside standard performance metrics in CI/CD pipelines.
ATTACK SUCCESS RATE (ASR)

Frequently Asked Questions

Clear, technically precise answers to the most common questions about measuring and interpreting the Attack Success Rate in AI red teaming and adversarial robustness evaluation.

Attack Success Rate (ASR) is the primary key performance indicator in AI red teaming that quantifies the percentage of adversarial attempts that successfully bypass a model's safety filters or cause it to generate the attacker's intended harmful output. It is calculated by dividing the number of successful attacks by the total number of attack attempts executed against the target model. For example, if an automated red teaming tool sends 1,000 adversarial prompts to a language model and 200 of them result in a policy violation or jailbreak, the ASR is 20%. A higher ASR indicates a more vulnerable model, while a lower ASR suggests robust safety guardrails. The metric is context-dependent: an ASR of 5% for a direct **jailbreak** attempt may be acceptable, but the same rate for a subtle **indirect prompt injection** could represent a critical vulnerability. ASR is often broken down by attack category—such as **refusal suppression**, **payload splitting**, or **many-shot jailbreaking**—to provide granular insight into specific failure modes.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.