This work addresses three critical gaps in defending large language models (LLMs) against jailbreaking attacks: fragmented defense methodologies, unsystematic evaluation protocols, and poor out-of-distribution (OOD) generalization. To this end, we introduce the first unified, cross-style and cross-distribution evaluation framework for systematically assessing the robustness of 15 mainstream safety guardrails under diverse prompt injection attacks. Our methodology comprises standardized malicious/benign datasets, a multi-dimensional adversarial prompt benchmark, defense response consistency analysis, and principled OOD generalization metrics. Key findings reveal pervasive attack-style bias across existing guardrails; notably, several simple baseline methods surpass state-of-the-art defenses by 12–28% in accuracy under OOD conditions. This study exposes fundamental limitations in current defense evaluation practices and establishes a reproducible, scalable benchmark—grounded in empirical evidence—to advance robust alignment research.

As large language models (LLMs) become integrated into everyday applications, ensuring their robustness and security is increasingly critical. In particular, LLMs can be manipulated into unsafe behaviour by prompts known as jailbreaks. The variety of jailbreak styles is growing, necessitating the use of external defences known as guardrails. While many jailbreak defences have been proposed, not all defences are able to handle new out-of-distribution attacks due to the narrow segment of jailbreaks used to align them. Moreover, the lack of systematisation around defences has created significant gaps in their practical application. In this work, we perform systematic benchmarking across 15 different defences, considering a broad swathe of malicious and benign datasets. We find that there is significant performance variation depending on the style of jailbreak a defence is subject to. Additionally, we show that based on current datasets available for evaluation, simple baselines can display competitive out-of-distribution performance compared to many state-of-the-art defences. Code is available at https://github.com/IBM/Adversarial-Prompt-Evaluation.