Do-Not-Answer Adversarial (jailbreak variant of Do-Not-Answer)

An adversarial extension of the Do-Not-Answer benchmark that wraps each of the 939 harmful prompts (spanning five risk areas) in one of three jailbreak transforms – prefix injection, refusal suppression, or their combination – drawn from Wei et al. 2023. The model’s response is scored against the original instruction using a seven-action behavioural taxonomy. The primary metric is follow_rate per risk area, with the delta versus the clean baseline indicating safeguard degradation under attack.

Overview

⚠️ External evaluation. Code lives in an upstream repository. inspect_evals lists it for discoverability; review the upstream repo and pinned commit before running.

Source: mkzung/inspect-evals-do-not-answer@b386689

An adversarial extension of the Do-Not-Answer benchmark that wraps each of the 939 harmful prompts (spanning five risk areas) in one of three jailbreak transforms – prefix injection, refusal suppression, or their combination – drawn from Wei et al. 2023. The model’s response is scored against the original instruction using a seven-action behavioural taxonomy. The primary metric is follow_rate per risk area, with the delta versus the clean baseline indicating safeguard degradation under attack.

Usage

Installation

This is an externally-maintained evaluation. Clone the upstream repository at the pinned commit and install its dependencies:

git clone https://github.com/mkzung/inspect-evals-do-not-answer
cd inspect-evals-do-not-answer
git checkout b386689ab2d469ea1ff9eb423ac048549f7542c5
uv sync

Running evaluations

CLI

uv run inspect eval src/do_not_answer/adversarial.py@do_not_answer_adversarial --model openai/gpt-5-nano

Python

from inspect_ai import eval
from do_not_answer.adversarial import do_not_answer_adversarial

eval(do_not_answer_adversarial(), model="openai/gpt-5-nano")

View logs

uv run inspect view

More information

For the dataset, scorer, task parameters, and validation, see the upstream repo: mkzung/inspect-evals-do-not-answer.

Options

You can control a variety of options from the command line. For example:

uv run inspect eval src/do_not_answer/adversarial.py@do_not_answer_adversarial --limit 10
uv run inspect eval src/do_not_answer/adversarial.py@do_not_answer_adversarial --max-connections 10
uv run inspect eval src/do_not_answer/adversarial.py@do_not_answer_adversarial --temperature 0.5

See uv run inspect eval --help for all available options.

More command-line options: Inspect docs ↗