March 20th, 2026
Improved
Capability

Augustus v0.0.9 ships a multi-turn attack engine with four strategies — Crescendo, GOAT, Hydra, and Mischievous User — each adapting in real time based on what the target reveals, deflects, or refuses.
If your LLM deployment passes single-turn probes, multi-turn is where the gaps are.
The multi-turn engine uses three LLMs working together: an attacker that generates questions, the target under test, and a judge that scores progress and detects refusals. Each strategy takes a fundamentally different approach to breaking through safety filters.
Based on Russinovich et al., 2024, Crescendo uses the foot-in-the-door technique: start with genuinely benign, educational questions and incrementally increase specificity over many turns. Historical context → technical mechanisms → specific details → direct requests framed as natural follow-ups. Effective against models that track conversation tone — the gradual shift avoids triggering safety filters.
Based on Pavlova et al., 2024, GOAT (Generative Offensive Agent Tester) uses Chain-of-Attack-Thought reasoning with 7 adversarial techniques across 3 categories: Output Manipulation (refusal suppression, response priming), Safe Response Distractors (dual response, topic splitting, opposite intent), and Fictional Scenarios (persona modification, hypothetical). Achieves high success rates in 3-5 turns.
The standout. When the model refuses, Hydra doesn't just rephrase — it rewinds the conversation history entirely and tries a completely different approach. The target never sees the failed attempt. This keeps the conversation history clean and prevents defensive escalation. Techniques include decomposition, context leveraging, authority simulation, emotional framing, and progressive normalization.
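Hydra's rewind hides the failed attempt from the conversation history, but a gateway in front of a stateless chat endpoint still sees both requests. The sketch below is an added example, not Augustus code, showing how a defender could flag that pattern. The `Message` shape, `RewindDetector`, the client ID and the `wasRefused` flag (supplied by some refusal classifier) are assumptions, and the sample turns are constructed.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Message is one chat turn as a stateless chat API receives it (assumed shape).
type Message struct{ Role, Content string }

// RewindDetector maps prefix digest + client ID to the digest of the refused turn.
type RewindDetector struct{ refused map[string]string }

func NewRewindDetector() *RewindDetector {
	return &RewindDetector{refused: map[string]string{}}
}

// digest length-prefixes every field so turn boundaries cannot be forged.
func digest(msgs []Message) string {
	h := sha256.New()
	for _, m := range msgs {
		fmt.Fprintf(h, "%d:%s|%d:%s|", len(m.Role), m.Role, len(m.Content), m.Content)
	}
	return fmt.Sprintf("%x", h.Sum(nil))
}

// Observe takes one request's full history (last element is the new user turn)
// and whether the reply was refused (flag from an assumed refusal classifier).
// It reports true when this prefix was refused before and a different turn now
// follows it, meaning the refused exchange was dropped from the history.
func (d *RewindDetector) Observe(client string, history []Message, wasRefused bool) bool {
	if len(history) == 0 {
		return false
	}
	key := digest(history[:len(history)-1]) + client // digest is fixed-length, so no ambiguity
	turn := digest(history[len(history)-1:])
	prev, seen := d.refused[key]
	if wasRefused {
		d.refused[key] = turn
	}
	return seen && prev != turn
}

func main() {
	d := NewRewindDetector()
	base := []Message{{"user", "constructed question 1"}, {"assistant", "constructed answer 1"}}
	d.Observe("client-a", append(base[:2:2], Message{"user", "constructed question 2"}), true)
	fmt.Println(d.Observe("client-a", append(base[:2:2], Message{"user", "constructed rephrase"}), false))
}
```

A single hit is also what a user editing and resending their last message looks like, so count hits per client and alert on repeats rather than on one.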
Inspired by Tau-bench, Mischievous User simulates an innocent, curious person who subtly probes boundaries through natural conversation. Uses rapport-building, naive curiosity, deliberate misunderstanding, social proof, and gradual drift. Effective against models trained to resist obvious adversarial patterns: the casual persona bypasses attack-detection heuristics.
Start with Crescendo — it's the most general-purpose strategy
Try GOAT if Crescendo is too slow (GOAT typically succeeds in 3-5 turns)
Use Hydra if the target refuses frequently (backtracking keeps conversation clean)
Use Mischievous User for targets with strong adversarial-pattern detection
    go install github.com/praetorian-inc/augustus/cmd/augustus@latest

    augustus scan rest.Rest \
      --probe crescendo.Crescendo \
      --config-file crescendo.yaml \
      --html report.html -v

Augustus is open source at github.com/praetorian-inc/augustus. Guard Platform customers already have multi-turn testing available — reach out to your Praetorian engagement team to add LLM security to your coverage.