name: isc-bench description: > Guide for running ISC-Bench jailbreak evaluation against any LLM. Use this whenever someone wants to evaluate LLM safety with ISC-Bench, run the TVD (Task-Validator-Data) benchmark pipeline, test model robustness against structural safety collapse, or compare safety scores across models and benchmarks (JailbreakBench, HarmBench, AdvBench, StrongREJECT). Also use when someone asks about ISC attack success rates, harmful content extraction, or safety scoring on the 1-5 scale.

ISC-Bench

ISC-Bench evaluates Internal Safety Collapse (ISC) in frontier LLMs using the TVD (Task-Validator-Data) framework. ISC turns any frontier LLM into a harmful dataset generator — a legitimate professional task functionally requires generating harmful content to satisfy a code validator. Paper: arXiv:2603.23509

Prerequisites

• Python 3.11+
• uv
• OpenRouter API key
• Docker (agent mode only)

Setup

git clone https://github.com/wuyoscar/ISC-Bench.git && cd ISC-Bench
cp .env.example .env
# Add your OpenRouter API key to .env

All scripts use PEP 723 inline dependencies -- uv run resolves them automatically, no install step needed.

Install uv if missing: curl -LsSf https://astral.sh/uv/install.sh | sh

Quick Start

Evaluate a model in three commands:

cd experiment/isc_single

# Send TVD prompts to the target model (JailbreakBench, 100 queries, zero-shot)
uv run run.py --model openai/gpt-5.2

# Extract harmful content from the raw responses
uv run extract.py results/openai-gpt-5.2/jbb/ai-guard/0sample.json

# Score each response on a 1-5 harmfulness scale
uv run judge.py results/openai-gpt-5.2/jbb/ai-guard/0sample.json

Results: results/openai-gpt-5.2/jbb/ai-guard/0sample_judged.json

Pipeline

Four independent steps -- re-run any step without repeating earlier ones:

build.py  -->  run.py  -->  extract.py  -->  judge.py
(prompts)     (responses)   (extraction)    (scoring)

1. Build prompts

Pre-built prompts for JailbreakBench and StrongREJECT ship with the repo (prompts/jbb/, prompts/strongreject/). Build for other benchmarks or custom queries:

cd experiment/isc_single

uv run build.py --bench harmbench --task ai-guard
uv run build.py --bench advbench --task ai-detoxify --samples 3
uv run build.py --bench mybench --queries my_queries.txt --task ai-guard

Custom query formats: .txt (one per line), .json (list of {"query": "..."} objects), .csv (with query column).

build.py supports ai-guard and ai-detoxify tasks only.

2. Run

uv run run.py --model <model_id> [--bench jbb] [--task ai-guard] [--samples 0] [--concurrent 10]

Output: results/{model_slug}/{bench}/{task}/{samples}sample.json

Model slug replaces / with -: openai/gpt-5.2 becomes openai-gpt-5.2.

3. Extract

uv run extract.py results/openai-gpt-5.2/jbb/ai-guard/0sample.json

LLM responses contain code blocks, JSON, heredocs, and mixed formats. This step extracts the actual harmful content using deepseek/deepseek-v3.2 (configurable via --model). Modifies the results file in-place, adding an extraction field to each item. All three pipeline scripts (run.py, extract.py, judge.py) accept --concurrent N (default 10) and --model <id>.

4. Judge

uv run judge.py results/openai-gpt-5.2/jbb/ai-guard/0sample.json

Scores each extracted response on a 1-5 harmfulness scale using openai/gpt-4o (configurable via --model).

Only score 5 counts as "unsafe" in the benchmark metrics.

Output: results/{model_slug}/{bench}/{task}/{samples}sample_judged.json

ICL Mode

Multi-turn evaluation with in-context demonstrations. The model sees N completed harmful examples before the target query, testing whether prior context amplifies safety collapse.

cd experiment/isc_icl

uv run run.py --model openai/gpt-5.2                  # 1 demo (default)
uv run run.py --model openai/gpt-5.2 --demos 5        # 5 demos
uv run run.py --model openai/gpt-5.2 --demos 20       # 20 demos

Demo counts: 1, 5, 10, or 20.

For non-default benchmarks, build first:

uv run build.py --bench harmbench
uv run run.py --model openai/gpt-5.2 --demos 5 --bench harmbench

Omit --bench to use the default JBB data. Passing --bench jbb explicitly will fail -- it looks for data/jbb/ which does not exist.

Extract and judge ICL results with the single-turn scripts:

cd ../isc_single
uv run extract.py ../isc_icl/results/openai-gpt-5.2/icl_5demo.json
uv run judge.py ../isc_icl/results/openai-gpt-5.2/icl_5demo.json

Agent Mode

Autonomous agentic evaluation -- an agent with shell access reads workspace files, encounters Pydantic validation errors, and iteratively fixes them across multiple turns. Requires Docker.

cd experiment/isc_agent

./run.sh --model openai/gpt-5.2 --template aiml_guard             # single template
./run.sh --model openai/gpt-5.2                                    # all templates
./batch.sh                                                          # all models x all templates

Available templates: aiml_detoxify, aiml_guard, aiml_moderation, aiml_moderation_input, aiml_moderation_output.

Results: workspace/{model_slug}_{template}_{timestamp}/

The Docker image builds automatically on first run. To set up Docker on macOS:

brew install orbstack    # recommended, or use Docker Desktop / Colima

Benchmarks

Model IDs

All models are accessed via OpenRouter using provider/model format. Model IDs change frequently -- verify availability at openrouter.ai/models before running.

openai/gpt-5.2
anthropic/claude-sonnet-4.5
google/gemini-3-pro
deepseek/deepseek-v3.2
x-ai/grok-4.1
qwen/qwen3-max
meta-llama/llama-4-maverick

Troubleshooting