Skip to article frontmatterSkip to article content
Site not loading correctly?

This may be due to an incorrect BASE_URL configuration. See the MyST Documentation for reference.

Bibliography

All academic papers, research blogs, and technical reports referenced throughout the PyRIT documentation.

Citation Keys

Aakanksha et al., 2024Adversa AI, 2023Andriushchenko & Flammarion, 2024Anthropic, 2024Bethany et al., 2024Bryan et al., 2025Bullwinkel et al., 2024Bullwinkel et al., 2025Bullwinkel et al., 2026Chao et al., 2023Chao et al., 2024Chu et al., 2023Cui et al., 2024Apart Research, 2025Derczynski et al., 2024Ding et al., 2023Rehberger, 2024Rehberger, 2025Ghosh et al., 2025Haider et al., 2024Han et al., 2024Hines et al., 2024Ji et al., 2023Ji et al., 2024Jiang et al., 2025Jones et al., 2025Kingma & Ba, 2014Li et al., 2024Li et al., 2024Li et al., 2024Lin et al., 2023Munoz et al., 2024Lv et al., 2024Mazeika et al., 2023Mazeika et al., 2024McKee & Noever, 2024Mehrotra et al., 2023Microsoft Security Response Center, 2024Palaskar et al., 2025Pfohl et al., 2024promptfoo, 2025Robust Intelligence, 2024Roccia, 2024Röttger et al., 2023Russinovich et al., 2024Russinovich et al., 2025Scheuerman et al., 2025Shayegani et al., 2025Shen et al., 2023Sheshadri et al., 2024Alexandersson, 2023Tang et al., 2025Tedeschi et al., 2024Taylor, 2024Vidgen et al., 2023Vidgen et al., 2024Wang et al., 2023Wang et al., 2023Wei et al., 2023Xie et al., 2024Yu et al., 2023Yuan et al., 2023Zeng et al., 2024Zhang et al., 2024Zou et al., 2023

References
  1. Aakanksha, Ahmadian, A., Ermis, B., Goldfarb-Tarrant, S., Kreutzer, J., Fadaee, M., & Hooker, S. (2024). The Multilingual Alignment Prism: Aligning Global and Local Preferences to Reduce Harm. arXiv Preprint arXiv:2406.18682. https://arxiv.org/abs/2406.18682
  2. Adversa AI. (2023). Universal LLM Jailbreak: ChatGPT, GPT-4, Bard, Bing, Anthropic, and Beyond. https://adversa.ai/blog/universal-llm-jailbreak-chatgpt-gpt-4-bard-bing-anthropic-and-beyond/
  3. Andriushchenko, M., & Flammarion, N. (2024). Does Refusal Training in LLMs Generalize to the Past Tense? arXiv Preprint arXiv:2407.11969. https://arxiv.org/abs/2407.11969
  4. Anthropic. (2024). Many-Shot Jailbreaking. https://www.anthropic.com/research/many-shot-jailbreaking
  5. Bethany, E., Bethany, M., Flores, J. A. N., Jha, S. K., & Najafirad, P. (2024). MathPrompt: Mathematical Reasoning to Circumvent LLM Safety Mechanisms. arXiv Preprint arXiv:2409.11445. https://arxiv.org/abs/2409.11445
  6. Bryan, P., Severi, G., de Gruyter, J., Jones, D., Bullwinkel, B., Minnich, A., Chawla, S., Lopez, G., Pouliot, M., Fourney, A., Maxwell, W., Pratt, K., Qi, S., Chikanov, N., Lutz, R., Dheekonda, R. S. R., Jagdagdorj, B.-E., Kim, E., Song, J., … Kumar, R. S. S. (2025). Taxonomy of Failure Mode in Agentic AI Systems. https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Taxonomy-of-Failure-Mode-in-Agentic-AI-Systems-Whitepaper.pdf
  7. Bullwinkel, B., Minnich, A., Chawla, S., Lopez, G., Pouliot, M., Maxwell, W., de Gruyter, J., Pratt, K., Qi, S., Chikanov, N., Lutz, R., Dheekonda, R. S. R., Jagdagdorj, B.-E., Kim, E., Song, J., Hines, K., Jones, D., Severi, G., Lundeen, R., … Russinovich, M. (2024). Lessons From Red Teaming 100 Generative AI Products. https://arxiv.org/abs/2501.07238
  8. Bullwinkel, B., Russinovich, M., Salem, A., Zanella-Beguelin, S., Jones, D., Severi, G., Kim, E., Hines, K., Minnich, A., Zunger, Y., & Kumar, R. S. S. (2025). A Representation Engineering Perspective on the Effectiveness of Multi-Turn Jailbreaks. arXiv Preprint arXiv:2507.02956. https://arxiv.org/abs/2507.02956
  9. Bullwinkel, B., Severi, G., Hines, K., Minnich, A., Kumar, R. S. S., & Zunger, Y. (2026). The Trigger in the Haystack: Extracting and Reconstructing LLM Backdoor Triggers. arXiv Preprint arXiv:2602.03085. https://arxiv.org/abs/2602.03085
  10. Chao, P., Robey, A., Dobriban, E., Hassani, H., Pappas, G. J., & Wong, E. (2023). Jailbreaking Black Box Large Language Models in Twenty Queries. arXiv Preprint arXiv:2310.08419. https://arxiv.org/abs/2310.08419
  11. Chao, P., Debenedetti, E., Robey, A., Andriushchenko, M., Croce, F., Sehwag, V., Dobriban, E., Flammarion, N., Pappas, G. J., Tramer, F., Hassani, H., & Wong, E. (2024). JailbreakBench: An Open Robustness Benchmark for Jailbreaking Large Language Models. arXiv Preprint arXiv:2404.01318. https://arxiv.org/abs/2404.01318
  12. Chu, J., Yang, Z., Li, M., Leng, Y., Lin, C., Shen, C., Backes, M., Shen, Y., & Zhang, Y. (2023). HarmfulQA: A Benchmark for Robustly Evaluating Jailbreaks in Alignment Testing. arXiv Preprint arXiv:2310.18469. https://arxiv.org/abs/2310.18469
  13. Cui, J., Chiang, W.-L., Stoica, I., & Hsieh, C.-J. (2024). OR-Bench: An Over-Refusal Benchmark for Large Language Models. arXiv Preprint arXiv:2405.20947. https://arxiv.org/abs/2405.20947
  14. Apart Research. (2025). DarkBench: A Comprehensive Benchmark for Dark Design Patterns in Large Language Models. https://darkbench.ai/
  15. Derczynski, L., Galinkin, E., Martin, J., Majumdar, S., & Inie, N. (2024). garak: A Framework for Security Probing Large Language Models. arXiv Preprint arXiv:2406.11036. https://arxiv.org/abs/2406.11036
PyRIT Documentation
Multi-Turn orchestrators