Overview
OET is a useful engineering toolkit for red-teaming; experiments cover many datasets and models but are limited to QA tasks and one attack objective, so apply results as indicative rather than definitive.
Citations0
Evidence Strength0.70
Confidence0.70
Risk Signals9
Trust Signals
Findings with numeric evidence: 3/3
Findings with evidence refs: 3/3
Results with explicit delta: 3/3
Reproducibility
Status: Partial assets available
Open source: Partial
At A Glance
Cost impact: 60%
Production readiness: 50%
Novelty: 50%
Why It Matters For Business
Adaptive, optimization-driven prompt injections can bypass some defenses and expose sensitive outputs, so firms must test deployed LLMs (especially open-source ones) with rigorous red-teaming before production.
Who Should Care
Summary TLDR
OET is an open, modular toolkit for building and running optimization-driven prompt-injection attacks and measuring defenses. It converts QA data, trains adversarial strings (white-box or black-box), injects them at test time, and reports Attack Success Rate (ASR). Experiments on 8 QA datasets show open-source models (e.g., Qwen2-7B-Instruct) have very high ASR (≥0.93–0.99), closed-source models (GPT-4o-mini, Claude-3.5) show much lower ASR (≈0.01–0.29), and recent defenses (StruQ, SecAlign) give inconsistent protection across domains. Code is public on GitHub.
Problem Statement
Existing prompt-injection benchmarks are static and cannot produce adaptive, optimization-based attacks that reveal worst-case failures. Practitioners need a flexible testbed that trains adversarial prompt strings, runs transferable attacks across models and domains, and reports consistent metrics for red-teaming and defense comparison.
Main Contribution
OET: a modular, extensible toolkit that trains and deploys optimization-based adversarial strings for prompt injection evaluation.
Curated multi-domain QA collection (law, finance, science, math, medical, code/email/table) standardized for attack/defense testing.
Key Findings
Open-source models are substantially easier to coerce than the closed-source models tested.
Published defense methods reduce ASR unevenly and can make some domains worse.
Results
| Metric | Value | Baseline | Delta | Split / Dataset | Evidence | Evidence Ref |
|---|---|---|---|---|---|---|
| Attack Success Rate (ASR) — open vs closed | Qwen2-7B-Instruct ASR 0.93–0.99; LLama3.1-8B 0.68–0.95; GPT-4o-mini 0.01–0.03 | closed-source models | open-source >> closed-source | Table 1 (multiple QA datasets) | Table 1 shows per-dataset ASR by model | Table 1 |
| Defense effect (ASR) across domains | StruQ: ASR 0.0 on many datasets but +0.43 on TriviaQA; SecAlign: ASR increases +0.46 (AQuA), +0.59 (PubMedQA) | Base undefended LLaMA | defenses reduce ASR in some domains and raise it in others | Table 2 | Table 2 provides per-dataset ASR for defenses vs baseline | Table 2 |
What To Try In 7 Days
Run OET against your deployed model on a small representative QA set and measure ASR.
Test multiple attack families (GCG, UAT, LLM-as-optimizer) to find weakest spots.
Compare ASR before and after any input-sanitization or finetuning defense to spot regressions.
Reproducibility
Code URLs
Risks & Boundaries
Limitations
Evaluation focuses on a single attack objective ('Print sql injection') which may not generalize to other goals.
Training used very small per-domain training sets (mostly 5 examples), which limits realism of some adaptive attacks.
When Not To Use
As a claim of real-world safety guarantees — OET finds weaknesses but does not certify defenses.
For non-QA tasks without adapting the conversion and attack pipeline.
Failure Modes
Attack transferability may drop outside the tested QA domains or with different prompt formats.
A defense tuned to the toolkit’s attack families might overfit and still fail on unseen optimization methods.