Strategy Configuration
The strategy node defines the attack implementation used for red-teaming the target system. Strategies are responsible for generating adversarial prompts based on the goals defined earlier, but they can also implement complex interaction patterns, payload encoding, or multi-turn probing logic.
ARES supports both:
Single-turn strategies: These generate one-shot adversarial prompts from goal intents:
DirectRequestsHumanJailbreak(via plugin)Encoding/Decoding(viaares-garakplugin)
Multi-turn strategies: These simulate conversational attacks or iterative probing.
PyRIT Crescendo(via plugin)
Basic Configuration
Here is an example of a single strategy configuration:
strategy:
direct_request:
type: ares.strategies.direct_requests.DirectRequests
input_path: 'assets/ares_goals.json' # path to processed goal intents
output_path: 'assets/direct_request_attacks.json' # path to save generated attack prompts
Supported out-of-the-box strategy types can be found in the strategy package. Each strategy module implements a specific attack method, such as direct prompt injection, jailbreak crafting, or token-level manipulation.
Multiple Strategies
ARES supports running multiple strategies in a single evaluation. This allows you to test different attack methods against the same target and compare outcomes.
Example:
strategy:
- direct_request
- ares_human_jailbreak # see more in ARES Plugins
This configuration will apply both strategies sequentially to the goal dataset.