MAD-MAX: Modular And Diverse Malicious Attack MiXtures for Automated LLM Red Teaming

📅 2025-03-08
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing LLM red-teaming methods suffer from low cost efficiency, suboptimal attack success rates, limited adversarial diversity, and poor extensibility as new attack types emerge. To address these limitations, this paper proposes MAD-MAX (Modular And Diverse Malicious Attack MiXtures), a framework that composes attacks from mixtures of known strategies. Its core contributions are (1) automatic clustering of attack strategies and selection of the clusters most relevant to a given malicious goal; (2) cross-cluster combination of strategies into multi-strategy prompts, with promising attacks merged at each red-teaming iteration to boost jailbreak capability; (3) a similarity filter that prunes near-duplicate candidates before they are sent to the target, cutting query cost; and (4) plug-and-play extensibility for integrating newly discovered attack strategies. Evaluated on GPT-4o and Gemini-Pro, MAD-MAX achieves a 97% attack success rate versus 66% for the baseline Tree of Attacks with Pruning (TAP), while needing only 10.9 queries to the target LLM on average versus 23.3 for TAP. The framework thus delivers both higher effectiveness and lower query overhead for LLM safety evaluation.

📝 Abstract
With LLM usage rapidly increasing, their vulnerability to jailbreaks that create harmful outputs is a major security risk. As new jailbreaking strategies emerge and models are changed by fine-tuning, continuous testing for security vulnerabilities is necessary. Existing Red Teaming methods fall short in cost efficiency, attack success rate, attack diversity, or extensibility as new attack types emerge. We address these challenges with Modular And Diverse Malicious Attack MiXtures (MAD-MAX) for Automated LLM Red Teaming. MAD-MAX uses automatic assignment of attack strategies into relevant attack clusters, chooses the most relevant clusters for a malicious goal, and then combines strategies from the selected clusters to achieve diverse novel attacks with high attack success rates. MAD-MAX further merges promising attacks together at each iteration of Red Teaming to boost performance and introduces a similarity filter to prune out similar attacks for increased cost efficiency. The MAD-MAX approach is designed to be easily extensible with newly discovered attack strategies and outperforms the prominent Red Teaming method Tree of Attacks with Pruning (TAP) significantly in terms of Attack Success Rate (ASR) and queries needed to achieve jailbreaks. MAD-MAX jailbreaks 97% of malicious goals in our benchmarks on GPT-4o and Gemini-Pro compared to TAP with 66%. MAD-MAX does so with only 10.9 average queries to the target LLM compared to TAP with 23.3. WARNING: This paper contains contents which are offensive in nature.
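The abstract describes the pipeline only in words: cluster strategies, pick the clusters relevant to a goal, combine one strategy per cluster, prune near-duplicates before spending target queries, then merge survivors. The sketch below is an added example written for this page, not the paper's code or a reproduction of its method. It models strategies as abstract labels with constructed keyword descriptors, uses Jaccard overlap as a stand-in for the semantic similarity the paper would compute, and never builds a prompt or queries a model; its only purpose is to make the candidate-filtering logic concrete. All names, descriptors and thresholds are assumptions.

```python
"""
Added example (not the MAD-MAX paper's code): an offline sketch of a
cluster -> select -> mix -> prune -> merge round. Strategies are abstract
labels with constructed descriptor tokens; Jaccard overlap stands in for
the embedding similarity a real implementation would use.
"""
from itertools import product

# Constructed strategy catalogue: label -> descriptor tokens (assumed data).
STRATEGIES = {
    "s1": {"fiction", "narrative", "character"},
    "s2": {"fiction", "narrative", "dialogue"},
    "s3": {"encoding", "cipher", "obfuscation"},
    "s4": {"encoding", "base64", "obfuscation"},
    "s5": {"authority", "expert", "persona"},
    "s6": {"hypothetical", "thought_experiment", "persona"},
}


def jaccard(a, b):
    """Set overlap in [0, 1]; defined as 0 for two empty sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster_strategies(strategies, threshold=0.4):
    """Single-linkage clustering with union-find: strategies whose descriptor
    overlap reaches `threshold` (directly or transitively) share a cluster.
    Returns sorted label lists, so the output is deterministic."""
    labels = sorted(strategies)
    parent = {label: label for label in labels}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if jaccard(strategies[a], strategies[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = {}
    for label in labels:
        groups.setdefault(find(label), []).append(label)
    return sorted(sorted(g) for g in groups.values())


def select_clusters(clusters, strategies, goal_tokens, k=2):
    """Rank clusters by the fraction of the goal's descriptors its members
    cover; keep the top-k clusters with non-zero coverage."""
    def coverage(cluster):
        covered = set().union(*(strategies[label] for label in cluster))
        return len(covered & goal_tokens) / len(goal_tokens)
    ranked = sorted(clusters, key=lambda c: (-coverage(c), c))
    return [c for c in ranked if coverage(c) > 0][:k]


def generate_mixtures(selected):
    """One strategy from each selected cluster -> one multi-strategy mixture."""
    return [tuple(m) for m in product(*selected)]


def mixture_tokens(mixture, strategies):
    return set().union(*(strategies[label] for label in mixture))


def similarity_filter(mixtures, strategies, threshold=0.7):
    """Greedy pruning: keep a mixture only if it stays below `threshold`
    similarity to every mixture already kept. Each pruned candidate is one
    target query that is never spent."""
    kept = []
    for m in mixtures:
        toks = mixture_tokens(m, strategies)
        if all(jaccard(toks, mixture_tokens(k, strategies)) < threshold for k in kept):
            kept.append(m)
    return kept


def merge_attacks(a, b):
    """Fuse two promising mixtures into one larger mixture (strategy union)."""
    return tuple(sorted(set(a) | set(b)))


def run_round(goal_tokens, strategies=STRATEGIES, k=2):
    """One round, stopping just before the surviving mixtures would be sent
    to the target model."""
    clusters = cluster_strategies(strategies)
    selected = select_clusters(clusters, strategies, goal_tokens, k)
    candidates = generate_mixtures(selected)
    kept = similarity_filter(candidates, strategies)
    return {
        "clusters": clusters,
        "selected": selected,
        "candidates": candidates,
        "kept": kept,
        "queries_saved": len(candidates) - len(kept),
    }


if __name__ == "__main__":
    goal = {"narrative", "character", "obfuscation"}   # constructed goal descriptors
    print(run_round(goal))
```

With the constructed catalogue the six strategies fall into four clusters, the goal selects the two clusters that cover its descriptors, the cross product yields four mixtures, and the filter at 0.7 drops the two that overlap a kept mixture on five of seven tokens, so half the target queries are avoided before any model is contacted. The merge step shows how two survivors would be fused for the next iteration.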
Problem

Research questions and friction points this paper is trying to address.

Addresses LLM vulnerability to jailbreaks that elicit harmful outputs.
Improves cost efficiency and attack diversity in Red Teaming.
Enhances extensibility and success rate of automated attack strategies.
Innovation

Methods, ideas, or system contributions that make the work stand out.

Automates attack strategy assignment to clusters
Combines strategies for diverse, high-success attacks
Introduces similarity filter for cost efficiency