Skip to main content
Capital One's AI Red Team Doubled Their Attack Success RateIncident
4 min readFor Security Engineers

Capital One's AI Red Team Doubled Their Attack Success Rate

What Happened

Capital One's AI Foundations group developed a reinforcement learning system to identify effective jailbreak techniques against large language models. They tested it using the WildJailbreak dataset (50,500 harmful queries, 13,311 jailbreak tactics) on three open-weight models. This system, called Adaptive Instruction Composition, more than doubled the attack success rate compared to WildTeaming, the previous method that randomly sampled attack combinations.

This wasn't a breach. It was a controlled research outcome highlighting how most organizations inefficiently test their AI systems, missing vulnerabilities a learning attacker would find.

Timeline

The Capital One team documented their approach in stages:

Initial state: The WildTeaming framework used random sampling to combine harmful queries with jailbreak tactics. Success rates varied but averaged around 20-30% against hardened systems.

Enhancement phase: The team added a learning layer using SBERT (sentence encoder) to generate input embeddings. A reinforcement learning model trained on these embeddings to predict successful query-tactic combinations.

Testing phase: A single 10,000-trial simulation required 70 to 120 GPU hours per target model. The system learned from each attempt, adjusting its strategy based on successful outcomes.

Results: The attack success rate more than doubled across three open-weight target models compared to the baseline WildTeaming.

Which Controls Failed or Were Missing

The vulnerability lies not in Capital One's systems, but in the standard AI red teaming approach most teams use:

No adaptive testing strategy: Traditional red teaming treats each test as independent, lacking a mechanism to learn which attack patterns work against specific model architectures.

Resource inefficiency: Running 10,000 random combinations wastes compute and engineering time. Without a learning component, ineffective combinations are tested repeatedly.

Static threat modeling: Most AI security testing assumes attackers use the same random approach as defenders. Real attackers iterate, refining techniques and focusing resources on promising attack vectors.

No exploitation vs. exploration balance: Security teams either explore new attack types broadly or exploit known vulnerabilities deeply. Few frameworks allow tuning this balance based on ongoing learning.

What Standards Require

AI-specific security standards are still emerging, but existing frameworks cover the principles Capital One's approach addresses:

ISO 27001 requires adaptive risk assessment processes. Testing AI systems with static methods violates this principle. Your threat model should evolve as you learn which attacks succeed.

NIST Cybersecurity Framework emphasizes continuous improvement. The framework's adaptive approach to risk management aligns with reinforcement learning in security testing: learn from each test, adjust your strategy, and focus resources where they matter.

NIST 800-53 Control CA-8 (Penetration Testing) requires using a process that includes lessons learned from prior testing. Random sampling doesn't learn; a reinforcement learning model does.

SOC 2 Common Criteria CC7.1 requires identifying and responding to risks. If your AI red teaming can't learn which attack patterns work against your models, you're not identifying risks effectively.

None of these standards explicitly require reinforcement learning for AI testing. They require adaptive, learning-based security practices. Capital One's approach illustrates what that looks like for LLM security.

Lessons and Action Items for Your Team

Stop treating AI security tests as independent events. Every jailbreak attempt provides insights into your model's vulnerabilities. Capture that learning. If you're running 1,000 red team tests without using results from the first 500 to inform the next 500, you're wasting resources.

Build or buy adaptive testing tools. You don't need to implement reinforcement learning from scratch. Start by tracking which attack categories succeed against your models and weight your next test batch toward similar patterns. The WildJailbreak dataset is public. Use it to baseline your current success rate, then measure improvement as you add learning layers.

Allocate GPU budget for learning, not just testing. Capital One's simulation consumed 70-120 GPU hours per 10,000 trials. Doubling your success rate means finding twice as many vulnerabilities with the same test count or finding the same vulnerabilities with half the tests. Calculate the ROI: Is 100 GPU hours cheaper than the engineering time you're spending on ineffective random testing?

Tune exploration vs. exploitation based on your risk profile. If you're deploying a customer-facing chatbot, exploit known jailbreak patterns aggressively. If you're researching new model architectures, explore broadly. Capital One's framework lets you adjust this balance. Your current testing approach probably doesn't.

Document what works against your specific models. Generic jailbreak databases help, but attack success varies by model architecture, training data, and guardrails. Build an internal knowledge base: which tactics break through your models? Which combinations? This becomes your training data for adaptive testing.

The broader lesson: AI security testing needs to evolve as fast as AI capabilities do. Random sampling worked when we had 100 attack patterns to test. It doesn't scale to 13,000. Learning-based approaches aren't optional anymore. They're how you keep pace with attackers who are already learning from every attempt.

AI security testing

Topics:Incident

You Might Also Like