Attack success rates (ASR) across three prompt attack methods: crescendo, tap, and zero-shot - lower is better
Insights for LLM Vulnerability Leaderboard will be displayed here. For example, average score, top vendor, etc.
Currently showing 93 entries.
We track 90+ frontier and open-weight models — one of the most complete public maps of LLM jailbreak resistance as of July 2026 — using three distinct attack methods to measure their resilience under adversarial pressure.
Rows without a badge are measured by Guardion's own benchmark run. Rows marked "Est." are estimated — calibrated from public model and system cards, red-teaming reports (HarmBench, JailbreakBench, StrongREJECT, AILuminate), and nearest-sibling models — while Guardion's own measurement is pending. Estimates are anchored to the measured models so the two are directly comparable, but should be read as indicative rather than definitive.
1. Zero-Shot Attacks
Direct harmful requests without any manipulation or obfuscation. These represent straightforward adversarial prompts that test a model's baseline ability to refuse harmful requests.
2. Tree of Attacks with Pruning (TAP)
An automated red-teaming method that generates diverse jailbreak prompts by branching into multiple variations and pruning ineffective paths. TAP systematically explores the attack space to find successful adversarial strategies.
3. Crescendo Attacks
A multi-turn attack that incrementally escalates from harmless to harmful requests using conversational context. Attackers can backtrack and rephrase if the model resists, testing whether models maintain safety boundaries across extended conversations.
We evaluate models using the HarmBench framework (Mazeika et al., 2024; Zou et al., 2023), which provide standardized benchmarks for automated red-teaming of large language models. The framework covers harmful behaviors across multiple risk domains: chemical and biological safety, misinformation and disinformation, cybercrime and hacking, illegal activities, and copyright violations.
Performance is measured using Attack Success Rate (ASR)—the percentage of adversarial prompts that successfully elicit harmful responses. A lower ASR (higher robustness score) indicates stronger model resistance to adversarial prompts.