Inspect the current 91-attack public suite, then reproduce it locally from the canonical eval pack.
| System | Blocked | ASR | False Positives |
|---|---|---|---|
| No Protection | 0/91 | 100% | 0 |
| Meta Prompt Guard | 15/91 | 83.5% | ? |
| Keyword Filter | 27/91 | 70.3% | High |
| ProtectAI DeBERTa v2 (411K downloads) | 62/91 | 31.9% | ? |
| SCBE-AETHERMOORE | 91/91 | 0.0% | 0/15 clean |
"Ignore previous instructions"
Hidden instructions in context
Base64, rot13, hex payloads
Cross-language attack vectors
Escalating multi-turn attacks
API key/credential extraction
Sacred Tongue spoofing
Gradual trust erosion
Edge-case geometry attacks
Simultaneous attack types
Attacks are identified by which tongue dimensions are ABSENT, not present. Encoding attacks only activate Runethic (binding/math). Tool exfiltration only activates Runethic + Cassisivadan. The silence is the signal.
Most detectors are stateless. Ours tracks suspicion across sequential prompts. Rapid-fire probing costs exponentially more. A bot blasting 10 injections per second defeats itself.
Three independent scoring methods (phi/moon/foam) process the same input. When they disagree, the disagreement IS the signal. Catches 13 attacks the primary detector misses.
H(d,R) = R^(d^2). Adversarial behavior costs exponentially more. At the boundary, attacks become computationally infeasible. Not blocked by rules — blocked by geometry.
Hosted checkout is being rewired. The free local path is active now: pytest tests/adversarial/test_adversarial_benchmark.py -v