The defense lattice
A 2×2 ablation of defense classes (keyword vs control-level) crossed with attack-mutation types (originals vs paraphrases). The lattice exposes which defenses survive paraphrasing and which collapse — the single most important question for an LLM application owner.
Key points
- L1 originals: literal attack prompts. L1 paraphrases: same intent, different wording.
- Keyword-level defenses (refusal whitelists) score high on originals and low on paraphrases.
- Control-level defenses (rate limit, token cap, tool registry) score equally on both — wording-agnostic.
- A high aggregate coverage number can hide a -100pp drop on one category; always read the lattice.
01
Lattice axes
- Defense class (rows): keyword / control-level / structural.
- Attack mutation (cols): L1 originals / L1 paraphrases.
- Cell value: block-rate (% of probes refused).
- Brittleness: paraphrases − originals (negative = brittle).
02
Reading the lattice
- A flat row across both columns = robust defense.
- A sharp drop right-to-left = brittle, keyword-dependent.
- The brittleness baseline reports the canonical numbers; tenant-specific runs reproduce them on your endpoint.