When an injection fires (injectionProbability > 0), the attacker's private history gets
a [INJECTED <technique>] marker so its next-turn reasoning stays aligned
with what the target actually saw. A defensive heuristic also skips
injection when the attacker's reply already looks encoded, preventing
double-encoding if the catalogue is extended with encoding-style techniques.
Create a RedTeamAgent with the GOAT dynamic technique selection strategy.
Based on Meta's GOAT paper (ICML 2025, 97% ASR). The attacker LLM freely chooses from a 7-technique catalogue each turn instead of following fixed escalation phases.
Use this when you want maximum adaptability. Use redTeamCrescendo when you want structured gradual escalation.
Paper fidelity: no pre-generated attack plan (the metaprompt LLM call is skipped for GOAT), no stage hints in the system prompt. Adaptation is driven entirely by the score/hint feedback in the attacker's private conversation history.
Single-use per scenario.run(). Reusing an instance across runs (serial or parallel) now throws at runtime because shared mutable state would silently interleave between runs. Instantiate a fresh agent per run.