LLM Vulnerability Leaderboard

Attack success rates (ASR) across three prompt attack methods: crescendo, tap, and zero-shot - lower is better

LLMUpdated: Jul 4, 2026
Showing 93 results
Rank
Model
Vendor
Vulnerability (ASR)
1Claude Opus 4.5Est.Anthropic3.4%
2GPT-5.2 ProEst.OpenAI3.8%
3Claude Sonnet 4.5Est.Anthropic4.2%
4Claude 3.5 Sonnet v2Anthropic4.4%
5GPT-5.2Est.OpenAI4.8%
6Claude Haiku 4.5Est.Anthropic5.2%
7Gemini 3 ProEst.Google6.0%
8GPT-5.1 CodexEst.OpenAI8.5%
9o3-miniEst.OpenAI9.0%
10Gemini 3 FlashEst.Google10.0%
11Grok-4.1 ThinkingEst.xAI10.0%
12Grok-4.1Est.xAI11.5%
13Claude 4.0 SonnetAnthropic13.6%
14Grok-4.1 Fast ReasoningEst.xAI14.0%
15GPT OSS 120BEst.OpenAI15.0%
16Claude 3.5 Sonnet v1Anthropic16.0%
17Gemini 2.5 ProGoogle16.1%
18Grok-4 HeavyEst.xAI18.0%
19Nova PremierEst.Amazon20.0%
20GPT OSS 20BEst.OpenAI20.0%
21Claude 3.7 SonnetAnthropic20.3%
22Gemini 2.0 Flash ThinkingEst.Google21.5%
23GPT-4oOpenAI22.8%
24Nova ProEst.Amazon24.0%
25Llama 4 BehemothEst.Meta25.0%
26Command R 7BCohere25.8%
27Command AEst.Cohere26.0%
28Qwen 2.5 72BAlibaba26.3%
29GPT-4o MiniOpenAI26.7%
30Llama 4 MaverickMeta27.7%
31Qwen3-MaxEst.Alibaba28.0%
32Llama 4 ScoutMeta30.0%
33Qwen3-235B-A22B-ThinkingEst.Alibaba30.0%
34Phi-4Est.Microsoft30.0%
35Gemini 2.0 Flash LiteGoogle31.3%
36Mistral 8x22BMistral31.5%
37Llama 3-7 DSMeta32.2%
38Command RCohere32.9%
39Grok-4 Fast Non-ReasoningEst.xAI33.0%
40Mistral Large 3 675B Instruct 2512Est.Mistral33.0%
41Mistral Large 3 675B Instruct 2512 EagleEst.Mistral33.0%
42Gemini 2.0 FlashGoogle33.6%
43Mistral Large 3 675B Instruct 2512 NVFP4Est.Mistral34.0%
44Qwen3 VL 235B A22B ThinkingEst.Alibaba34.0%
45GPT-4.1OpenAI34.9%
46Llama 3.1 405B InstructEst.Meta36.0%
47Qwen 7-72BBAlibaba36.5%
48Llama 3H 405BMeta36.6%
49Qwen3-Next-80B-A3B-InstructEst.Alibaba37.0%
50Kimi K2-Thinking-0905Est.Moonshot AI38.0%
51Qwen3 VL 32B ThinkingEst.Alibaba38.0%
52Mixtral 8x7BMistral38.0%
53GLM-4.6Est.Zhipu AI39.0%
54Command 2XCohere39.4%
55Llama 3.1 Nemotron Ultra 253B v1Est.NVIDIA40.0%
56MiniMax M2Est.MiniMax40.0%
57Ministral 3 14B Reasoning 2512Est.Mistral40.0%
58Qwen3 VL 235B A22B InstructEst.Alibaba40.0%
59Qwen QwQ 32BAlibaba40.0%
60GLM-4.5Est.Zhipu AI41.0%
61DeepSeek-R1-0528Est.DeepSeek41.0%
62DeepSeek-V3.2 ThinkingEst.DeepSeek42.0%
63Mistral Large 2Est.Mistral42.0%
64Ministral 3 8B Reasoning 2512Est.Mistral42.0%
65Deepseek R1Deepseek42.6%
66GLM-4.5VEst.Zhipu AI43.0%
67MiniMax M1 80KEst.MiniMax43.0%
68Command R PlusCohere43.3%
69MiniMax M1 40KEst.MiniMax43.5%
70GLM-4.5-AirEst.Zhipu AI44.0%
71Ministral 3 14B Instruct 2512Est.Mistral44.0%
72Qwen3 VL 8B ThinkingEst.Alibaba44.0%
73DeepSeek-V3.2-SpecialeEst.DeepSeek45.0%
74Mistral Large 3 675B BaseEst.Mistral45.0%
75Ministral 3 8B Instruct 2512Est.Mistral45.0%
76Grok-2Est.xAI46.0%
77DeepSeek-V3.2-ExpEst.DeepSeek46.0%
78Ministral 3 3B Reasoning 2512Est.Mistral46.0%
79DeepSeek-V3.2 Non-thinkingEst.DeepSeek47.0%
80Deepseek V3Deepseek47.2%
81DeepSeek R1 Distill Llama 8BEst.DeepSeek48.0%
82Qwen3 VL 8B InstructEst.Alibaba48.0%
83Gemma 3n E4B InstructedEst.Google49.0%
84Mistral NeMo InstructEst.Mistral50.0%
85Ministral 3 3B Instruct 2512Est.Mistral50.0%
86Gemma 3n E4BEst.Google52.0%
87DeepSeek VL2Est.DeepSeek52.0%
88Qwen2 7B InstructEst.Alibaba52.0%
89Gemma 3n E2B Instructed LiteRTEst.Google55.0%
90Ministral 3 8B Base 2512Est.Mistral55.0%
91Ministral 3 14B Base 2512Est.Mistral58.0%
92Gemma 3 1BEst.Google60.0%
93Ministral 3 3B Base 2512Est.Mistral62.0%

Leaderboard Insights

Insights for LLM Vulnerability Leaderboard will be displayed here. For example, average score, top vendor, etc.

Currently showing 93 entries.

Metodology

LLM Vulnerability Benchmark

We track 90+ frontier and open-weight models — one of the most complete public maps of LLM jailbreak resistance as of July 2026 — using three distinct attack methods to measure their resilience under adversarial pressure.

Measured vs. Estimated scores

Rows without a badge are measured by Guardion's own benchmark run. Rows marked "Est." are estimated — calibrated from public model and system cards, red-teaming reports (HarmBench, JailbreakBench, StrongREJECT, AILuminate), and nearest-sibling models — while Guardion's own measurement is pending. Estimates are anchored to the measured models so the two are directly comparable, but should be read as indicative rather than definitive.

Attack Methods

1. Zero-Shot Attacks

Direct harmful requests without any manipulation or obfuscation. These represent straightforward adversarial prompts that test a model's baseline ability to refuse harmful requests.

2. Tree of Attacks with Pruning (TAP)

An automated red-teaming method that generates diverse jailbreak prompts by branching into multiple variations and pruning ineffective paths. TAP systematically explores the attack space to find successful adversarial strategies.

3. Crescendo Attacks

A multi-turn attack that incrementally escalates from harmless to harmful requests using conversational context. Attackers can backtrack and rephrase if the model resists, testing whether models maintain safety boundaries across extended conversations.

Evaluation Framework

We evaluate models using the HarmBench framework (Mazeika et al., 2024; Zou et al., 2023), which provide standardized benchmarks for automated red-teaming of large language models. The framework covers harmful behaviors across multiple risk domains: chemical and biological safety, misinformation and disinformation, cybercrime and hacking, illegal activities, and copyright violations.

Scoring Methodology

Performance is measured using Attack Success Rate (ASR)—the percentage of adversarial prompts that successfully elicit harmful responses. A lower ASR (higher robustness score) indicates stronger model resistance to adversarial prompts.