Open, Closed and Broken: Prompt Fuzzing Finds LLMs Still Fragile Across Open and Closed Models

Unit 42 demonstrates a genetic-algorithm-based prompt-fuzzing method that automatically generates meaning-preserving rephrasings of disallowed prompts to measure and exploit guardrail fragility in large language models. The research tests multiple closed-source and open-source models (including a standalone content filter), reports keyword-dependent evasion rates ranging from low to very high (e.g., up to 90/100 for a closed model on “torpedo” and 97–99/100 false negatives for the content filter), and recommends layered controls, scope enforcement, output validation, continuous adversarial testing, and standard security controls to mitigate risk.