Strategy Configuration
The strategy node defines the attack implementation used for red-teaming the target system. Strategies are responsible for generating adversarial prompts based on the goals defined earlier, but they can also implement complex interaction patterns, payload encoding, or multi-turn probing logic.
Single-Turn vs Multi-Turn Strategies
ARES supports both single-turn and multi-turn attack strategies:
Single-Turn Strategies
Single-turn strategies generate one-shot adversarial prompts from goal intents. Each attack consists of a single prompt-response interaction:
DirectRequests- Direct harmful requestsHumanJailbreak- Manual jailbreak techniques (viaares-human-jailbreakplugin)Encoding/Decoding- Obfuscated prompts (viaares-garakplugin)GCG- Gradient-based adversarial suffixes (viaares-gcgplugin)AutoDAN- Genetic algorithm-based attacks (viaares-autodanplugin)
Multi-Turn Strategies
Multi-turn strategies simulate conversational attacks through iterative dialogue. These strategies maintain conversation context across multiple turns and gradually escalate toward the attack objective:
Crescendo- Gradual escalation attack (viaares-pyritplugin)Echo Chamber- Context poisoning through multi-turn dialogue (viaares-echo-chamberplugin)TAP- Tree of Attacks with Pruning (viaares-tapplugin)Multi-Agent Coalition- Coordinated multi-agent attacks (viaares-dynamic-llmplugin)MultiTurn- Base class for custom multi-turn strategies (ares.strategies.multi_turn_strategy.MultiTurn)
Note
Multi-turn strategies require the target connector to support session management. Set keep_session: true in your connector configuration to enable conversation memory across turns.
Basic Configuration
Single-Turn Strategy Example:
strategy:
direct_request:
type: ares.strategies.direct_requests.DirectRequests
input_path: 'assets/ares_goals.json'
output_path: 'assets/direct_request_attacks.json'
Multi-Turn Strategy Example:
strategy:
crescendo:
type: ares_pyrit.strategies.crescendo.Crescendo
input_path: 'assets/attack_goals.json'
output_path: 'results/crescendo_attacks.json'
max_turns: 10
judge:
type: ares.connectors.watsonx_connector.WatsonxConnector
# ... judge configuration
helper:
type: ares.connectors.watsonx_connector.WatsonxConnector
# ... helper configuration
target:
huggingface:
keep_session: true # Required for multi-turn strategies
Note
MultiTurn (ares.strategies.multi_turn_strategy.MultiTurn) is a base class that provides conversation tracking and memory management. Concrete implementations like Crescendo or Echo Chamber extend this base class and implement the _run_turn() method to define specific attack logic for each turn.
Supported out-of-the-box strategy types can be found in the strategy package. Each strategy module implements a specific attack method, such as direct prompt injection, jailbreak crafting, or token-level manipulation.
Multiple Strategies
ARES supports running multiple strategies in a single evaluation. This allows you to test different attack methods against the same target and compare outcomes.
Example:
strategy:
- direct_request
- ares_human_jailbreak # see more in ARES Plugins
This configuration will apply both strategies sequentially to the goal dataset.