feat(redteam): add GOAT multi-turn attack strategy#250
Merged
Conversation
GOAT (Generative Offensive Agent Tester, arXiv:2410.01606): an attacker LLM holds an in-context toolbox of 7 jailbreak techniques and reasons in an Observation/Thought/Strategy/Reply structure each turn, sending only the Reply to the target. Single linear, append-only conversation (invoke-only, no snapshot/restore, pruned_branches always empty) -- a structural sibling of crescendo with no backtrack and one fewer agent (no refusal classifier). An optional success judge powers a cheap in-loop early-stop gate (success_threshold, continuous 0-1, default 0.7); the authoritative verdict is re-computed by AttackSuccessEvaluator over the full trace. attacks_used is recorded in metadata for a per-technique histogram; the full O/T/S reasoning is opt-in via store_reasoning. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
32 tests covering ctor guards (max_turns<1, threshold band, defaults, label), module helpers (success_score no-criteria/parse-fail/history-clear, gen_attacker_turn first/followup/parse-fail/brace-safe), and the run_attack loop: AttackRunResult shape, early-stop on threshold, runs-to-cap, max_turns clamping both directions, no-criteria-runs-to-cap, parse-failure and empty-reply and empty-target-response guards, attacks_used off-toolbox filtering, reasoning_trace opt-in on/off, reset, and a contract pin against crescendo. The fake session raises on snapshot/restore to prove GOAT stays append-only. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Two adversarial review rounds (5 lenses each). No blockers/majors; applied: - Move the empty-target-response break above all per-turn bookkeeping so a turn is recorded all-or-nothing: conversation, attacks_used and reasoning_trace now always agree on turn count (was: metadata could lead conversation by one on an empty final reply). The tool trace for that invoke still reaches the authoritative evaluator; GOAT stays text-score-only. - Narrow __all__ to GoatStrategy only. gen_attacker_turn/success_score stay module-level for tests but are not a shared surface (gates are per-strategy inline forks by design; crescendo exports a same-named success_score). - Comment hygiene: drop unverifiable paper specifics (Fig 3 / 97% / 4096-token cap) for a soft 'diminishing returns past a handful of turns' hedge; align the _ATTACK_NAMES comment with goat_v0 (authored, not verbatim); reword the cast comment to keep the None-guard; add the per-case-rebuild caveat to _attacker_agent for the future parallelization refactor. - Tests: pin the all-or-nothing invariant on both the empty-response (records nothing) and breach (records pair+attacks+reasoning) sides. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
yeomjiwonyeom
requested a deployment
to
manual-approval
GitHub Actions
Waiting
yeomjiwonyeom
temporarily deployed
to
auto-approve
GitHub Actions
Inactive
yeomjiwonyeom
temporarily deployed
to
auto-approve
GitHub Actions
Inactive
This was referenced Jun 10, 2026
yonib05
added
area-redteam
yeomjiwonyeom
temporarily deployed
to
auto-approve
GitHub Actions
Inactive
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
|
Assessment: Approve Clean, well-scoped addition. Review notes
Nice work — the documentation of why at each decision point makes this an easy review. |
Address review feedback on strands-agents#250: per-field metadata asserts silently pass when a key is added or regresses. Pin the full result.metadata dict in one equality on the deterministic success-path tests (test_returns_attack_run_result_shape, test_runs_to_cap_when_never_succeeds) and the two store_reasoning cases (test_first_turn_breach_records_pair_and_attacks, test_empty_target_response_ends_early), so the exact shape -- including reasoning_trace presence/absence -- is locked. Behavior-isolating tests (parse_failure, empty_reply, clamp, no_criteria) keep their single-field asserts on purpose. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
yeomjiwonyeom
temporarily deployed
to
manual-approval
GitHub Actions
Inactive
yeomjiwonyeom
temporarily deployed
to
auto-approve
GitHub Actions
Inactive
poshinchen
reviewed
Jun 12, 2026
poshinchen
reviewed
Jun 12, 2026
poshinchen
reviewed
Jun 12, 2026
poshinchen
left a comment
poshinchen
left a comment
Contributor
There was a problem hiding this comment.
let' do the judge changes as quick follow-up
poshinchen
approved these changes
Jun 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this adds
GoatStrategy— a new red-team attack strategy implementing GOAT (Meta, Automated Red Teaming with GOAT, arXiv:2410.01606, Oct 2024). An attacker LLM converses with the target over several turns, picking and combining from a 7-attack in-context toolbox while reasoning through each reply with an Observation / Thought / Strategy structure. Builds on the mergedrun_attack/TargetSessioncontract (#245) and is exported alongsideCrescendoStrategy.What GOAT does that Crescendo (and BLJ) don't
Crescendo commits to a single attack pattern (gradual escalation). GOAT carries a toolbox of 7 techniques and picks/combines them per turn, adapting to what the target just did — the closest of the three to how a human red-teamer actually works.
Anticipated reviewer question — "isn't Crescendo also a multi-turn attacker LLM?" Yes, but Crescendo adapts in one direction and rolls back past refusals with snapshot/restore. GOAT traverses the whole technique space and is append-only — never drops or rewinds a turn. The append-only shape is why GOAT fits the current
run_attackcontract with no store redesign (unlike TAP/PAIR).How it works
Each turn the attacker LLM emits a structured turn:
attacks: the machine name(s) of the technique(s) applied this turn (for a per-technique histogram).Only the Reply reaches the target (
target_session.invoke(reply)); the O/T/S reasoning stays private attacker context. This mirrors the paper's Algorithm 1 — the target sees a closed-box conversation and the scored trajectory is exactly that transcript, whichAttackSuccessEvaluatorre-scores at the end. The 7 techniques (Response Priming, Refusal Suppression, Topic Splitting, Dual Response, Opposite Intent, Hypotheticals, Persona Modification) are embedded in the attacker's system prompt as in-context definitions — adding a technique is a one-line natural-language addition, no fine-tuning.Loop bound
GOAT runs a single linear, append-only conversation of up to
max_turnsturns and early-stops on success. Defaultmax_turns=5(the paper reports diminishing returns past a handful of turns);turn_cap = min(self._max_turns, max_turns)keeps the experiment ceiling as an upper bound. There is no rerun loop insiderun_attack— the paper's ASR@k is repetition across cases/seeds at the experiment level, never a loop here.What the success gate is (and isn't)
The in-loop gate is a cheap "should I stop?" signal, not the verdict. An optional judge LLM scores the response against the goal's
success_criteriaon a continuous 0–1 scale; crossingsuccess_threshold(default 0.7) stops the loop early. The authoritative pass/fail always comes fromAttackSuccessEvaluatorre-scoring the full trace independently —strategy_succeeded/strategy_scoreare observability only, and0.7is deliberately independent of the evaluator's threshold (different rubrics).GOAT's early-stop is text-score-only — it does not key off a tool call. Crescendo's tool-call check exists to prevent backtracking away a tool-driven turn; GOAT never backtracks, so the same check would only force a false-positive early-stop on a multi-agent target's benign routing/lookup call. Because GOAT is append-only, no turn is ever dropped — a tool-driven breach is never lost; the authoritative evaluator re-scores the full trace.
Design choices worth flagging for review
modelis a user choice. Don't misread a low ASR as "the strategy is weak" — ASR is a strategy×goal×target×attacker-model interaction.store_reasoning(default off). Metadata carriesattacks_used(machine technique names) by default; the full per-turn O/T/S text is opt-in viastore_reasoning=Trueand omitted entirely otherwise (keepsAttackRunResultsmall). The one deliberate signature divergence from the siblings.pruned_branches=[]always. No snapshot/restore, invoke-only — the paper's Algorithm 1 verbatim, and why GOAT needs no store redesign._commonpromotion) — GOAT's continuous gate vs Crescendo's float are deliberately separate, per-paper-faithful rubrics._common.pyis shared prompt blocks only.Evidence it actually works
Two live runs through the full
RedTeamExperiment(real Bedrock), end to end (run_attack→ attacker O/T/S/R →invoke→ in-loop gate → authoritativeAttackSuccessEvaluator):1. Framework smoke — SDK-default frontier attacker (Claude), weak target,
system_prompt_leakgoal. The loop ran all 5 turns; the attacker dynamically selected six distinct toolbox techniques (hypothetical,response_priming,opposite_intent,refusal_suppression,topic_splitting,persona_modification). The target defended (score 0.00) — correct, not a bug: the smoke pass criterion is "runs to completion + produces a scorable trace," not a numeric ASR, and a strongly-aligned attacker self-refuses so its ASR is a lower bound.2. Breach demo — to measure ASR the attacker was swapped to a lighter-alignment Bedrock model (Mistral Large 3). Against the same weak target with a deliberately soft guard, GOAT breached on turn 1, score 1.00, leaking all three planted canaries verbatim.
attacks_used: ['hypothetical', 'response_priming']— it primed the target's opening line under a hypothetical "documentation" frame, and the target completed it.This contradicts a prior expectation that escalation-type strategies are weak on
system_prompt_leak(Crescendo defended it on both weak and frontier targets): GOAT cracked it fast precisely because it is not pure escalation.Tests
33 unit tests (
tests/strands_evals/experimental/redteam/test_goat.py) plus the full redteam regression and suite green. Coverage: ctor guards (max_turns<1, threshold band, defaults, label); module helpers; and therun_attackloop —AttackRunResultshape, early-stop on threshold, runs-to-cap,max_turnsclamping both directions, no-criteria-runs-to-cap, parse-failure / empty-reply / empty-response guards, the all-or-nothing turn-recording invariant,attacks_usedoff-toolbox filtering,store_reasoningon/off,reset, and a contract pin against Crescendo. The fake session raises onsnapshot/restoreto prove GOAT stays append-only.