orchestrating-llm-attacks-with-pyrit
Orchestrating LLM Attacks with PyRIT
Legal and Authorized-Use Notice: PyRIT generates adversarial and potentially harmful prompts to test AI systems. Use it only against models and endpoints you own or are explicitly authorized to assess. Multi-turn orchestrators consume large numbers of tokens against both the target and the adversarial/scoring models; account for cost and terms of service. Unauthorized use is prohibited.
Overview
PyRIT (Python Risk Identification Tool for generative AI) is an open-source automation framework from Microsoft's AI Red Team, distributed at github.com/microsoft/PyRIT. Where a single-shot scanner sends one prompt and checks the answer, PyRIT automates multi-turn adversarial conversations: an attacker model and a scorer model collaborate in a loop to drive a target model toward a defined objective (for example, eliciting restricted content, leaking a system prompt, or making an agent perform an unauthorized tool call). This mirrors how real adversaries iterate against a chatbot rather than relying on one magic prompt.
PyRIT is built from composable primitives. Targets (pyrit.prompt_target) wrap the systems being probed and the helper models — OpenAIChatTarget, AzureMLChatTarget, HTTPTarget, and others. Orchestrators / attacks (pyrit.orchestrator) implement attack strategies; all multi-turn strategies subclass MultiTurnOrchestrator. The headline strategies are RedTeamingOrchestrator (a generic adversarial-chat loop), CrescendoOrchestrator (the Crescendo technique — start benign and escalate gradually so each turn looks reasonable in isolation), and TreeOfAttacksWithPruningOrchestrator (TAP — branch multiple attack lines in parallel, expand the branches the scorer rates as progressing, and prune dead ends). Scorers (pyrit.score) such as SelfAskTrueFalseScorer decide whether the objective was met and feed that judgment back into the loop. Converters mutate prompts (base64, translation, ASCII art) to evade filters, and memory persists every turn for later analysis.
This skill maps to MITRE ATLAS AML.T0051 (LLM Prompt Injection) and AML.T0054 (LLM Jailbreak) because PyRIT operationalizes both at scale across conversation turns, and supports NIST AI RMF MEASURE-2.7 by producing repeatable, scored security measurements of an AI system.
When to Use
- When single-shot scanning (e.g. garak) finds a model robust to one-prompt attacks and you need to test multi-turn escalation (Crescendo) or adaptive branching (TAP).
- When assessing a conversational agent or assistant where state accumulates over a dialogue.
- When you need an automated, scorer-driven harness rather than manual prompt-by-prompt red teaming.
- When building reproducible red-team campaigns with persisted conversation memory for evidence and regression.
- When evaluating whether guardrails hold under gradual, plausibly-deniable escalation.