TL;DR for operators

Most LLM safety systems still assume that, when a model sees a harmful request, the correct behaviour is refusal. That works until the attacker stops arguing with the prompt and starts interfering with generation itself.

The paper behind this article, Strategic Deflection: Defending LLMs from Logit Manipulation, proposes SDeflection: a fine-tuning method that teaches a model to answer in a safe, topic-adjacent way rather than relying only on explicit refusal language.1 The model does not provide harmful instructions. It redirects the subject toward harmless information that is close enough to the original topic to survive attacks that try to force compliance-style openings.

Operationally, this is not “better prompt filtering.” It is a different safety behaviour inside the model. The paper’s threat model is logit manipulation: attacks that interfere with token selection during decoding, including forcing compliant openings and suppressing refusal-associated language. In that setting, refusal becomes a brittle interface. If the attacker can keep pushing the model away from “I can’t help with that,” then training the model to say “I can’t help with that” more confidently is not a complete answer. It is a taller sandcastle.

The empirical result is striking but not universal. Under the paper’s LogitsTrap attack on AdvBench, original models showed very high Attack Success Rates: 92.63% for Llama-2-7B-chat-hf, 89.29% for Llama-3.2-3B-Instruct, and 94.74% for Mistral-7B-Instruct-v0.2. After SDeflection fine-tuning, those rates fell to 34.94%, 8.53%, and 13.14%, respectively. That is a large improvement, especially for Llama-3.2 and Mistral. It is not a guarantee. Llama-2 still leaked in roughly a third of tested LogitsTrap cases.

The business takeaway is narrow but useful: if you deploy open-source or self-hosted LLMs, especially where model internals, decoding settings, or middleware can be touched, you should not evaluate safety only by whether the model refuses direct harmful prompts. You need to test what happens when refusal is made hard. SDeflection gives one practical pattern: train for safe redirection under forced-compliance conditions, then verify that ordinary helpfulness and ordinary refusals have not collapsed.

The weak point is not the prompt; it is the first few tokens

Many jailbreak discussions still revolve around the prompt. The attacker role-plays. The model is tricked. The developer adds a stronger instruction. Everyone pretends the next prompt wrapper will finally be the one with adult supervision.

Logit manipulation makes that picture look quaint.

In ordinary generation, a language model predicts a distribution over possible next tokens. A decoding process then selects from that distribution. Prompt-level jailbreaks try to influence the model upstream, by changing what the model thinks it is being asked to do. Logit-level attacks interfere downstream, during token selection. They can boost tokens that make the model sound compliant or penalise tokens associated with refusal. The practical effect is nasty: the model may still “know” the request is unsafe, but the generation path is steered away from the words and structures it normally uses to express that safety behaviour.

This is why refusal-based safety is structurally exposed. Refusal is not just a policy preference. It is a textual pattern. It often begins with recognisable phrases, apology markers, inability claims, legal or ethical terms, and pivot language. If the attacker can suppress those patterns, then the defence has to do more than produce a better refusal. It has to survive when refusal itself is made linguistically expensive.

SDeflection’s central idea is to stop treating refusal as the only safe endpoint.

Instead of producing explicit rejection under attack, the model is trained to generate a response that appears cooperative in form but changes the payload. A harmful prompt about theft can become a safe answer about security measures. A malicious request about disinformation can become guidance on detecting misinformation. The model stays near the semantic neighbourhood of the request, but removes the actionable harmful intent. That is the “judo” in the title: do not block the force head-on; redirect it into a safer channel.

The distinction matters because attackers targeting logits are often not asking politely for the model to reconsider its ethics. They are trying to reshape the generation trajectory. SDeflection aims to make the safe trajectory compatible with superficially compliant text. That gives the model another escape route when the obvious refusal path is being blocked.

SDeflection trains evasive compliance, not nicer refusal

The paper’s dataset construction is the most revealing part of the mechanism.

The authors start from MaliciousInstruct, a set of 100 harmful instructions. For each harmful prompt, they create a harmless version that preserves the topic but removes the harmful intent. They report using GPT-4o for this rephrasing. The example they give is clean enough to show the design: a harmful request about stealing valuables from a museum becomes a benign query about how museums protect valuables from theft.

Then comes the clever bit. The authors collect 34 affirmation templates: phrases that signal compliance. Each preference example uses the same compliant-style prefix for both the chosen and rejected answers. The chosen answer begins with that compliant prefix but answers the harmless rewritten question. The rejected answer begins with the same prefix but answers the harmful original request.

So the model is not merely learning:

harmful prompt → refusal

It is learning something closer to:

harmful prompt + compliant-looking opening → safe adjacent answer beats harmful answer

That is a very different behavioural target.

The final dataset contains 3,400 triplets. Each triplet has a harmful prompt, a preferred deflected response, and a rejected harmful response. The dataset is split into 2,890 training triplets and 510 evaluation triplets. The authors fine-tune three instruction-tuned models with Contrastive Preference Optimization (CPO), using LoRA for efficient adaptation: LLaMA-2-7B-chat-hf, Llama-3.2-3B-Instruct, and Mistral-7B-Instruct-v0.2. All experiments are reported on a single NVIDIA A100 80GB GPU.

This is important for operators because the method is not a runtime wrapper. It is not a moderation endpoint sitting politely outside the model, hoping to catch smoke after the fire starts. It changes the model’s learned preference over completions.

That also means it should be evaluated like a model change, not like a filter setting. You care about three things at once:

Question Why it matters
Does the model still refuse direct harmful prompts? Deflection should not make the model weirdly cooperative under normal conditions.
Does the model resist forced-compliance generation attacks? The whole point is to survive when refusal tokens are suppressed or bypassed.
Does the model still answer benign queries normally? A defence that turns every question into safety theatre is not a product feature. It is a support ticket generator.

SDeflection performs well on the paper’s version of that three-part test, but with boundaries worth keeping in view.

The main result: refusal collapses under LogitsTrap, deflection bends

The paper evaluates safety on AdvBench, using 520 harmful prompts. The primary metric is Attack Success Rate (ASR): the percentage of harmful queries for which the model produces unsafe outputs that comply with the malicious instruction. Lower is better.

There are two attack scenarios. The first is direct prompting: the harmful prompt is given normally. The second is LogitsTrap, the paper’s logit manipulation setup, which combines a forced compliant-style opening with suppression of refusal-related tokens during decoding.

The direct-prompt results are mostly a sanity check. SDeflection should not make ordinary safety worse. It largely does not. Llama-2 starts at 0.00% ASR under direct attack and moves to 1.54% after SDeflection. Llama-3.2 improves from 6.22% to 0.00%. Mistral improves sharply from 36.15% to 0.38%.

The more important test is LogitsTrap.

Model Original ASR under LogitsTrap SDeflection ASR under LogitsTrap Interpretation
Llama-2-7B-chat-hf 92.63% ± 1.16 34.94% ± 1.55 Large improvement, but still not production-complete.
Llama-3.2-3B-Instruct 89.29% ± 0.78 8.53% ± 0.78 Strongest result in the paper.
Mistral-7B-Instruct-v0.2 94.74% ± 0.40 13.14% ± 0.48 Strong result, though still with residual attack success.

For Llama-2, the authors also compare against Deep Alignment, a baseline aimed at making safety alignment more than a shallow first-token behaviour. Deep Alignment reduces LogitsTrap ASR to 59.42%. SDeflection reduces it further to 34.94%.

That comparison is not a universal verdict on all alignment techniques. It is narrower and more useful: if the defence is still trying to recover to refusal, and the attack can keep suppressing refusal, the defence remains exposed. SDeflection helps because its safe answer does not depend on the same obvious refusal surface.

This is the core mechanism in one sentence: the attack tries to force the model into “helpful compliance,” and SDeflection teaches the model a harmless version of compliance.

Not perfect. Better. In security, those are different words for a reason.

The refusal-rate result prevents a bad interpretation

A lazy reading of this paper would say: “The model stops refusing and starts deflecting.”

That is not quite what the results show.

The authors separately measure refusal rates under direct harmful prompts. This is not the main evidence for LogitsTrap robustness; it is a check that SDeflection has not destroyed normal safety behaviour.

Model Original refusal rate SDeflection refusal rate
Llama-2-7B-chat-hf 99.62% ± 0.19 97.95% ± 0.59
Llama-3.2-3B-Instruct 95.77% ± 0.19 85.64% ± 2.73
Mistral-7B-Instruct-v0.2 93.33% ± 1.06 92.05% ± 2.29

The takeaway is subtle. SDeflection does not simply replace refusal everywhere. Under ordinary harmful prompts, the models mostly retain explicit refusal behaviour. Under logit manipulation, where refusal language is being attacked, the model has a second safe pattern available: topic-adjacent redirection.

That distinction matters for enterprise use. Users and auditors often expect direct refusal for obviously harmful requests. A model that always deflects might be harder to monitor, harder to explain, and potentially more confusing in regulated contexts. The paper’s result suggests SDeflection can add a defensive mode without fully erasing the familiar refusal mode.

There is one caveat hiding in plain sight. The refusal-rate analysis is keyword-based. It tells us whether explicit refusal language appears, not whether every response is safe. The ASR evaluation, by contrast, uses Gemini-2.5-flash as an LLM-based safety evaluator. That is a better fit for this setting, because harmful text can include disclaimers and still be harmful. But it also means the safety result partly depends on an automated judge. Sensible teams would repeat this with their own safety rubric, human review samples, and domain-specific policy categories.

CPO is not just a cheaper DPO in this experiment

The ablation study is easy to skim and dangerous to oversimplify.

The authors compare CPO against DPO for SDeflection training on Llama-3.2-3B-Instruct. Both methods appear to learn the preference task in training dynamics. Both show stable convergence. If you only looked at reward margins and loss curves, you might conclude that both methods are doing the job.

The attack result says otherwise.

Method ASR under LogitsTrap Training time
DPO 72.63% ± 0.68 ≈ 4h 47m
CPO 8.53% ± 0.78 ≈ 3h 17m

This is one of the more interesting findings in the paper. DPO seems able to learn the static preference distinction in the dataset, but it does not translate that learning into robustness under the LogitsTrap attack. CPO does.

The paper attributes part of CPO’s practical appeal to efficiency: unlike DPO, it does not require a reference model during training, and its objective combines a preference term with a negative log-likelihood regulariser. But the more important operational point is not merely that CPO is faster. It is that apparent preference-learning success during training is not enough. A defence can learn the dataset and still fail the adversarial condition.

That is a useful lesson beyond this specific method. For safety fine-tuning, training curves are not assurance evidence. They are lab instruments. The assurance evidence is behaviour under the threat model.

The capability tests say “no obvious damage,” not “no trade-off”

Safety fine-tuning often creates an immediate product worry: will the model become less useful?

The authors test general capability using tinyBenchmarks: tinyMMLU, tinyTruthfulQA, tinyGSM8k, and tinyHellaSwag, each with 100 representative examples. They report IRT++ accuracy estimates before and after SDeflection.

The broad result is stable. There are small drops in some places, small improvements in others.

TinyMMLU declines slightly across the three models: Llama-2 moves from 0.48 to 0.46, Llama-3.2 from 0.63 to 0.62, and Mistral from 0.62 to 0.61. TinyTruthfulQA improves across all three: 0.45 to 0.48, 0.48 to 0.50, and 0.66 to 0.72. TinyGSM8k is essentially mixed: Llama-2 improves from 0.22 to 0.24, Llama-3.2 remains at 0.63, and Mistral slips from 0.46 to 0.45. TinyHellaSwag declines slightly: 0.79 to 0.77, 0.74 to 0.72, and 0.84 to 0.83.

That supports a modest claim: SDeflection did not obviously wreck broad benchmark performance in this experimental setting.

It does not support a stronger claim: that SDeflection is harmless for every production workload. Tiny benchmarks are useful because they are cheap and representative, not because they replace domain evaluation. If your model answers medical triage questions, drafts legal summaries, writes code in a proprietary stack, or handles customer support workflows, you still need task-specific regression tests.

The qualitative examples in the paper support the same interpretation. The authors show SDeflection models answering benign programming, maths, and general-knowledge queries normally rather than deflecting everything into safety boilerplate. That is reassuring. It is not a substitute for deployment-specific acceptance testing. Yes, the model can still answer harmless questions. No, that does not mean your claims workflow survives unchanged.

What the paper directly shows

The paper’s evidence supports four direct claims.

First, the authors demonstrate that their LogitsTrap setup can severely compromise standard instruction-tuned models. Under that attack, original ASR is near-total across the three tested models, ranging from 89.29% to 94.74%.

Second, SDeflection substantially reduces ASR under LogitsTrap. The improvement is strongest for Llama-3.2 and Mistral, where attack success falls into the low teens or below. Llama-2 improves but remains materially vulnerable.

Third, SDeflection mostly preserves direct-prompt safety. The models continue to refuse ordinary harmful prompts at high rates, and direct ASR remains near zero after fine-tuning.

Fourth, the CPO implementation outperforms DPO in the paper’s ablation on Llama-3.2, both in attack robustness and training time.

These are worthwhile results. They are also narrower than a procurement slide would like them to be. The paper does not prove that SDeflection defends against every jailbreak class. It does not prove robustness against adaptive attackers who know the defence and redesign the attack. It does not prove production readiness across regulated domains. It does not eliminate the need for external moderation, access controls, logging, red-team evaluation, or boring governance machinery. The boring machinery remains undefeated.

What Cognaptus infers for business use

For enterprises, the most practical insight is not “use SDeflection tomorrow.” It is “evaluate safety at the generation layer, not only at the prompt layer.”

The standard safety stack often looks like this:

  1. Filter the input.
  2. Add system instructions.
  3. Rely on the model to refuse.
  4. Filter the output.
  5. Log incidents after someone finds them.

That stack can be useful, but it assumes the model’s generation process remains basically honest. Logit manipulation is a reminder that, in open-source or self-hosted deployments, the decoding layer can become part of the attack surface. So can poorly governed inference middleware, custom sampling logic, plugins, model-serving forks, or internal teams with too much access and too little supervision. Lovely, really. Nothing says “enterprise AI” like discovering your risk boundary moved three layers down the stack.

SDeflection suggests a different control objective: train and test the model for safe behaviour when the obvious refusal channel is impaired.

That has several operational consequences.

Operational area What changes if SDeflection-style thinking is taken seriously
Red teaming Tests should include generation-time attacks, not only prompt jailbreaks.
Fine-tuning Preference data should include forced-compliance conditions, not only clean harmful-prompt refusals.
Evaluation ASR under attack matters more than refusal rate alone.
Monitoring “No refusal detected” is not automatically unsafe; “polite disclaimer present” is not automatically safe.
Procurement Vendors should explain whether safety is prompt-wrapper-only, model-level, decoder-level, or layered.

The most immediate adopters would be teams running open-weight models, building their own inference stack, or fine-tuning models for sensitive internal workflows. For closed API users with no logit access and no custom decoding, the exact LogitsTrap threat is less direct. But the conceptual lesson still applies: if the safety behaviour depends too heavily on a small number of stereotyped refusal patterns, it is fragile.

A good internal benchmark after reading this paper would not be complicated. Take your harmful-policy test set. Evaluate direct prompts. Evaluate prompt-based jailbreaks. Evaluate generation-level perturbations if your stack permits them. Measure ASR with a domain-specific safety judge and human audit samples. Then check whether benign tasks regress. The goal is not to admire the defence. The goal is to find out which part of your safety story is theatre.

Where this defence may break

SDeflection is promising, but its evidence base has clear boundaries.

The first boundary is attack coverage. The paper focuses on LogitsTrap as the main adversarial scenario. That is appropriate for studying refusal suppression and forced compliance, but it does not cover the full adversarial landscape. A future attacker might target deflection patterns directly, penalise topic-adjacent safety pivots, or optimise against the specific style learned from the preference dataset.

The second boundary is model coverage. Three instruction-tuned models are tested: Llama-2-7B-chat-hf, Llama-3.2-3B-Instruct, and Mistral-7B-Instruct-v0.2. That gives useful diversity, but not enough to assume the method transfers cleanly to every model family, every size, or every post-training recipe.

The third boundary is evaluation scope. AdvBench is a standard harmful-prompt benchmark, but production abuse is messier. Attackers combine benign context, multi-turn setup, tool access, retrieval, code execution, and organisational knowledge. A single-turn harmful prompt benchmark is necessary. It is not sufficient.

The fourth boundary is utility measurement. tinyBenchmarks are efficient and informative, but they are not a substitute for workflow-level evaluation. Slight benchmark stability does not guarantee that customer-support tone, legal summarisation accuracy, codebase-specific reasoning, or multilingual performance remains intact.

The fifth boundary is the judge. Gemini-2.5-flash is used as the binary safety evaluator. That is reasonable, especially because keyword refusal detection is weak under logit manipulation. But LLM-as-judge evaluation inherits model-specific blind spots. In serious deployments, automated safety judging should be calibrated against human review and policy-specific examples.

Finally, the Llama-2 result deserves attention. SDeflection reduces LogitsTrap ASR from 92.63% to 34.94%, which is a large relative improvement. But 34.94% is still far too high for sensitive deployment. This is not a solved problem wearing a nicer jacket.

The strategic shift: stop making refusal the only door out

SDeflection is interesting because it changes the safety objective from verbal resistance to behavioural redirection.

Traditional refusal says: “I will not answer that.”

Strategic deflection says: “I will stay near the topic, but I will answer a safe version of it.”

That difference matters under attacks that manipulate the early generation path. If safety alignment is concentrated around refusal phrases, then suppressing those phrases can expose the model’s older, less safe behaviours. If safety alignment includes safe adjacent continuations that can begin from compliance-like language, the attacker has a harder job. The model no longer has just one safe doorway.

For operators, the deeper lesson is that LLM safety should be evaluated as a system of behaviours under pressure, not as a collection of polite phrases under ideal conditions. A model that refuses direct harmful prompts may still fail when decoding is tampered with. A model that sounds compliant may still be safe if the payload has been redirected. Surface form is not the same as safety state.

That will make evaluation more annoying. Good. Annoying evaluation is usually where the useful security work begins.

SDeflection is not a universal shield. It is a credible mechanism for one hard failure mode: refusal suppression under logit manipulation. Its best contribution is not that it wins every test, because it does not. Its best contribution is that it asks the right question: when saying “no” becomes easy to silence, what else should a safe model know how to do?

The answer, apparently, is judo.

Cognaptus: Automate the Present, Incubate the Future.


  1. Yassine Rachidy, Jihad Rbaiti, Youssef Hmamouche, Faissal Sehbaoui, and Amal El Fallah Seghrouchni, “Strategic Deflection: Defending LLMs from Logit Manipulation,” arXiv:2507.22160, 2025. https://arxiv.org/abs/2507.22160 ↩︎