Tree of Attacks with Pruning (TAP) is an automated, black-box method for discovering jailbreak prompts. It employs a dedicated attacker LLM to iteratively generate candidate prompts, which are organized in a tree-search structure. The process involves evaluating each prompt against the target model and pruning unpromising branches, focusing computational effort on the most effective attack vectors.
Glossary
Tree of Attacks with Pruning (TAP)

What is Tree of Attacks with Pruning (TAP)?
Tree of Attacks with Pruning (TAP) is an automated black-box jailbreaking method that uses a tree-search structure with an attacker LLM to iteratively refine and prune prompt candidates until a successful jailbreak is achieved.
Unlike linear or random search methods, TAP leverages an LLM's reasoning to refine prompts over multiple iterations. The attacker LLM acts as both generator and evaluator, using the target model's responses to guide the search. This off-topic pruning mechanism discards prompts that trigger safety refusals, allowing TAP to efficiently navigate the prompt space and identify successful jailbreaks with fewer queries than brute-force approaches.
Key Features of TAP
Tree of Attacks with Pruning (TAP) automates black-box jailbreaking by combining an attacker LLM with a tree-search algorithm to iteratively refine prompts until safety guardrails are bypassed.
Tree-Search Architecture
TAP structures the attack as a branching decision tree where each node represents a prompt candidate. The attacker LLM generates multiple child prompts from a parent node, and a pruning mechanism eliminates low-potential branches. This focuses computational resources on the most promising attack vectors, enabling efficient exploration of the prompt space without brute-force enumeration.
Black-Box Operation
TAP requires no access to model weights, gradients, or internal architecture. It operates solely on input-output pairs, making it applicable to any deployed LLM accessible via API. This mirrors real-world adversarial conditions where attackers have only query access, providing a realistic assessment of production model vulnerabilities.
Iterative Refinement Loop
The attacker LLM evaluates each response from the target model and generates refined prompts designed to progressively erode refusal behavior. Key steps include:
- Response assessment: Classifying whether the target is moving toward compliance
- Prompt mutation: Rewording, role-playing, or encoding the malicious request
- Branch expansion: Creating multiple variations from successful partial breakthroughs This loop continues until a full jailbreak is achieved or the search budget is exhausted.
Pruning Strategy
TAP employs an off-topic pruning mechanism that discards branches where the target model's response diverges from the attack objective. By using a separate evaluator LLM to score response relevance, TAP avoids wasting iterations on prompts that trigger generic refusals or unrelated outputs. This dramatically reduces the search space compared to unpruned tree-search methods.
Attacker LLM Independence
The attacker LLM used to generate and refine prompts is separate from the target model being tested. This decoupling allows security teams to use a powerful, uncensored open-source model as the attacker while testing proprietary or API-gated targets. The attacker model needs strong instruction-following and creative text generation capabilities but no knowledge of the target's internals.
Attack Success Rate (ASR) Benchmarking
TAP provides a standardized framework for measuring Attack Success Rate across different target models. By running the same tree-search configuration against multiple LLMs, security teams can:
- Compare relative robustness between model versions
- Identify specific harm categories where guardrails fail
- Track regression in safety alignment over time ASR is calculated as the percentage of attack trees that produce a policy-violating output within the allocated search budget.
Frequently Asked Questions
Explore the core mechanics of the Tree of Attacks with Pruning, an automated black-box jailbreaking method that uses tree-search and an attacker LLM to iteratively refine prompts.
The Tree of Attacks with Pruning (TAP) is an automated black-box jailbreaking method that uses a tree-search structure paired with an attacker LLM to iteratively refine and prune prompt candidates until a jailbreak is achieved. Unlike linear attack sequences, TAP maintains a branching tree of potential attack paths. The attacker LLM generates multiple candidate prompt refinements at each node, evaluates their potential, and prunes unpromising branches to focus computational resources on the most likely jailbreak vectors. This process continues until a prompt bypasses the target model's safety guardrails, making TAP significantly more efficient than brute-force or random search methods.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts and techniques related to automated black-box jailbreaking and adversarial prompt optimization.
Adversarial Prompting
The practice of crafting inputs designed to override system instructions or safety training. Techniques include:
- Role-playing to assume personas without ethical constraints
- Encoding payloads in base64 or other formats to evade filters
- Prefix injection that forces the model to begin responses with affirmative tokens TAP automates this process by using an attacker LLM to generate and refine these prompts iteratively.
Attack Success Rate (ASR)
The primary key performance indicator for red teaming automation. ASR measures the percentage of adversarial attempts that successfully bypass safety filters or cause a model to generate the attacker's intended harmful output. TAP evaluates ASR at each node in its search tree, using this metric to decide which branches to prune and which to branch further, optimizing for maximum jailbreak efficiency.
Black-Box Query Attack
An attack methodology that probes vulnerabilities using only input-output pairs without access to internal architecture, gradients, or parameters. TAP is a canonical black-box method—it treats the target model as an opaque function, relying entirely on the attacker LLM's ability to generate and assess prompts based on response analysis. This makes it applicable to proprietary APIs like GPT-4 or Claude.
Refusal Suppression
An attack technique that adds specific tokens or instructions to inhibit the model's trained tendency to decline harmful queries. Common patterns include:
- Demanding responses start with 'Sure, here is...'
- Adding tokens like 'Absolutely!'
- Framing requests as hypothetical academic exercises TAP's pruning mechanism discards branches where refusal suppression fails, focusing computational resources on promising attack paths.
Many-Shot Jailbreaking
An attack exploiting long context windows by prepending hundreds of fabricated harmful dialogue examples. This overrides safety training through in-context learning, demonstrating to the model that compliance with harmful requests is normal. While TAP uses iterative refinement, many-shot jailbreaking relies on sheer volume of examples. Both techniques can be combined for enhanced effectiveness against frontier models.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us