Most teams deploying LLMs in production stack their safety like a layer cake: the model's built-in alignment on the inside, an external content filter standing guard on the outside. The assumption is that even if the model slips, the filter catches it. Palo Alto Networks' Unit 42 just tested that assumption with an evolutionary fuzzer. The filter didn't just miss a few things — it let through 97 to 99 percent of malicious prompts that had been lightly reworded.
The Fuzzer That Rewrites Without Changing Meaning
Unit 42 built a genetic-algorithm-inspired fuzzing tool that takes a disallowed prompt and systematically mutates the wording while keeping the meaning intact. Prepend a phrase. Swap a synonym. Add a line break. Repeat for 100 iterations, score each variant on whether it gets through. Natural selection for jailbreaks.
They tested four model categories: one closed-source commercial model, two open-source pretrained models, and one standalone content filter. Each faced 100 fuzzed variants across four test categories.
| Model type | Category A | Category B | Category C | Category D |
|---|---|---|---|---|
| Closed-source | 5% | 16% | 8% | 90% |
| Open-source #1 | 1% | 2% | 4% | 2% |
| Open-source #2 | 20% | 63% | 24% | 75% |
| Content filter | 98% | 99% | 97% | 98% |
That bottom row should stop you mid-scroll. The content filter — whose entire job is catching bad prompts — was the most breakable component in the stack. Not by a margin. By an order of magnitude compared to the best-performing model.
Meanwhile, Open-source #1 quietly held at 1-4% evasion across every category. Better than the closed-source model, which had a baffling 90% evasion rate in Category D while blocking Category A 95% of the time. Same model, same safety training, same policy. We'll come back to that.
The Pattern-Matching Trap
A full LLM processes complete conversation context. It understands relationships between sentences, catches implicit intent, and has been through extensive RLHF on nuanced safety scenarios. A content filter typically evaluates the prompt in isolation with a smaller, more specialized model. It's scanning for features, not understanding requests.
When the fuzzer rewrites a harmful prompt into academic language — same meaning, different surface — the LLM often still catches the intent. The filter sees academic phrasing and waves it through.
Keyword Roulette
That 90% vs. 5% split on the closed-source model deserves its own moment. The model's guardrails were wildly inconsistent across semantically similar test categories. It learned to be cautious about certain specific terms during RLHF while leaving near-synonyms unguarded — like a bouncer trained to check IDs for anyone who says "beer" but not "ale."
Evolutionary fuzzing feeds on exactly this kind of inconsistency. Generate hundreds of paraphrases, find the one blind spot, exploit it. The fuzzer found gaps in minutes.
Same Model, Different Hat
HiddenLayer's research on OpenAI's guardrails framework exposed a related architectural flaw. When the same model type serves as both generator and safety judge, the weaknesses transfer directly. Their team manipulated the judge's confidence scoring — not by arguing the request was safe, but by injecting tokens that shifted the reported confidence below the detection threshold. Harmful content sailed through while the safety system reported zero issues.
Unit 42's own AdvJudge-Zero tool demonstrated something even more striking. By identifying "stealth control tokens" — innocent-looking formatting characters like list markers, newlines, and markdown headers — researchers achieved a 99% bypass rate against AI judges. These tokens look natural to any perplexity-based detection system because they are natural. They're just positioned to shift the judge's internal attention toward approval states.
What Actually Works
The good news buried in Unit 42's data: adversarial training using the fuzzer's own outputs dropped bypass rates from 99% to near zero. The tool breaks the judge, then the breakage trains a better judge. Red-teaming that feeds back into training isn't just useful — it's the single most effective intervention they found.
Beyond that, three structural patterns held up across their testing:
Separate trust boundaries. When untrusted input gets evaluated in the same context where it's processed, the judge inherits the manipulation. Structured prompting that physically separates user content from evaluation instructions forces different treatment. This is the prompt engineering version of input sanitization.
Validate outputs, not just inputs. Filtering the prompt is one layer. Checking whether the actual response violates your policy — using rule-based checks, not another LLM — catches what input filters miss. The second LLM judge has the same vulnerabilities as the first.
Design for filter failure. If your entire safety story is "we have a content filter," you don't have a safety story. Treat filters like input validation in web apps: necessary but never sufficient on their own. Defense in depth isn't a buzzword when the outermost layer catches 1% of attacks.
The counterintuitive takeaway from this research is that the models themselves have gotten surprisingly robust. That open-source model holding at 1-4% evasion wasn't an outlier — it was evidence that alignment training works when done well. The weakest link in most production stacks isn't the thing doing the reasoning. It's the thing you bolted on afterward to watch it reason.