Existing red-teaming methods for vision-language models (VLMs) suffer from limited attack diversity, high manual effort, and poor scalability, hindering comprehensive multimodal safety evaluation. Method: We propose Adaptive Red-Teaming Agents (ARMs), featuring (1) a reasoning-enhanced, multi-step strategy orchestration mechanism with hierarchical memory and ε-greedy exploration to autonomously evolve 11 novel multimodal attacks; (2) a plugin-based framework integrating 17 red-teaming algorithms, interoperable across VLMs via the Model Context Protocol (MCP); and (3) ARMs-Bench—the first large-scale multimodal safety benchmark with 32K instances. Results: ARMs achieves an average 52.1% higher attack success rate than baselines at both strategy and instance levels, exceeding 90% on Claude-4-Sonnet. Data generated by ARMs significantly improves safety fine-tuning performance without degrading general capabilities.

As vision-language models (VLMs) gain prominence, their multimodal interfaces also introduce new safety vulnerabilities, making the safety evaluation challenging and critical. Existing red-teaming efforts are either restricted to a narrow set of adversarial patterns or depend heavily on manual engineering, lacking scalable exploration of emerging real-world VLM vulnerabilities. To bridge this gap, we propose ARMs, an adaptive red-teaming agent that systematically conducts comprehensive risk assessments for VLMs. Given a target harmful behavior or risk definition, ARMs automatically optimizes diverse red-teaming strategies with reasoning-enhanced multi-step orchestration, to effectively elicit harmful outputs from target VLMs. We propose 11 novel multimodal attack strategies, covering diverse adversarial patterns of VLMs (e.g., reasoning hijacking, contextual cloaking), and integrate 17 red-teaming algorithms into ARMs via model context protocol (MCP). To balance the diversity and effectiveness of the attack, we design a layered memory with an epsilon-greedy attack exploration algorithm. Extensive experiments on instance- and policy-based benchmarks show that ARMs achieves SOTA attack success rates, exceeding baselines by an average of 52.1% and surpassing 90% on Claude-4-Sonnet. We show that the diversity of red-teaming instances generated by ARMs is significantly higher, revealing emerging vulnerabilities in VLMs. Leveraging ARMs, we construct ARMs-Bench, a large-scale multimodal safety dataset comprising over 30K red-teaming instances spanning 51 diverse risk categories, grounded in both real-world multimodal threats and regulatory risks. Safety fine-tuning with ARMs-Bench substantially improves the robustness of VLMs while preserving their general utility, providing actionable guidance to improve multimodal safety alignment against emerging threats.