Methodology

Challenging LLMs at the frontier of human knowledge

Humanity's Last Exam

Humanity's Last Exam (Preview)

Frontier Risk Evaluation for National Security and Public Safety

Fortress

Humanity's Last Exam (Text Only)

Models evaluated on text-only HLE questions

Humanity's Last Exam Text Only (Preview)

Evaluate model honesty when pressured to lie

MASK

Evaluating model performance on complex, multi-step reasoning tasks

EnigmaEval

Assessing models across diverse, interdisciplinary challenges

MultiChallenge

Vision-Language Understanding benchmark for multimodal models

VISTA

Evaluating AI agents' ability to use enterprise tools effectively

Agentic Tool Use (Enterprise)

Assessing chatbots' proficiency in leveraging external tools

Agentic Tool Use (Chat)

Assessing models' ability to understand and generate programming code

Coding

Assessing performance on Arabic language understanding and generation

Arabic

Measuring capabilities in Korean language processing and comprehension

Korean

Testing models' proficiency in Japanese language tasks and cultural nuances

Japanese

Evaluating Spanish language skills across various linguistic challenges

Spanish

Evaluating language models' proficiency in Chinese language tasks

Chinese

Previously used for evaluating mathematical problem-solving capabilities

Math

Former benchmark for assessing models' ability to follow complex instructions

Instruction Following

Retired test for measuring models' resilience against adversarial inputs

Adversarial Robustness

<h3 dir="ltr">Introduction&nbsp;</h3>
<p dir="ltr">The rapid advancement of large language models (LLMs) introduces powerful dual-use capabilities that could both threaten and bolster national security and public safety (NSPS). Developers often implement <strong>model safeguards</strong> to help protect against misuse of models that could lead to possible risks. However, these mitigation measures also sometimes inadvertently prevent models from providing useful information. We need to understand the extent to which model safeguards both <strong>prevent harmful responses and enable helpful ones</strong> to assess the relevant trade-offs for research, development, and policy. Existing benchmarks often do not adequately test model robustness to national security and public safety (NSPS) related risks in a scalable, objective manner that accounts for the dual-use nature of NSPS information.</p>
<p dir="ltr">To address this, Scale AI introduces FORTRESS (Frontier Risk Evaluation for National Security and Public Safety), a benchmark featuring over 1,010 expert-crafted adversarial prompts designed to evaluate the safeguards of frontier LLMs (500 in the public dataset). FORTRESS assesses model responses across three domains: Chemical, Biological, Radiological, Nuclear and Explosive (CBRNE); Political Violence &amp; Terrorism; and Criminal &amp; Financial Illicit Activities.</p>
<p dir="ltr">Read the paper here: <a href="https://scale.com/research/fortress">https://scale.com/research/fortress</a></p>
<h3 dir="ltr">Background</h3>
<p dir="ltr">The key innovation of FORTRESS lies in its focused evaluation of large language model (LLM) safeguards against dual-use risks related to national security and public safety (NSPS). While many benchmarks assess general harms, they often lack depth in specific NSPS-related areas. Those that do focus on specific categories, such as WMDP and VCT, focus on measuring a model's capabilities with dual-use knowledge instead of the robustness of its safeguards against adversarial misuse. Further, safety evaluations rarely balance robustness with utility&mdash;strengthening safeguards can lead to "over-refusals," where models incorrectly refuse benign requests. While some benchmarks test for over-refusal, they are often separate from jailbreak evaluations.&nbsp;</p>
<p dir="ltr">FORTRESS bridges this gap by evaluating a model's willingness to comply with malicious requests and improves upon existing evaluations by integrating these concepts:</p>
<ul>
<li dir="ltr" aria-level="1">
<p dir="ltr" role="presentation">It provides a more realistic and challenging assessment by using <strong>expert-crafted adversarial prompts</strong> grounded in U.S. and international law.</p>
</li>
<li dir="ltr" aria-level="1">
<p dir="ltr" role="presentation">It directly measures the safety-utility trade-off by pairing every adversarial prompt with a <strong>corresponding benign prompt</strong> to test for over-refusals.</p>
</li>
<li dir="ltr" aria-level="1">
<p dir="ltr" role="presentation">It balances evaluation discernment and scalability by using <strong>instance-specific rubrics and a panel of LLM judges</strong>. This provides a more reliable and granular assessment than high-level rubrics or brittle keyword-based checks.</p>
</li>
</ul>
<p><em><img src="https://img.plasmic.app/img-optimizer/v1/img?src=ee9c40776798b7605eb5d10508f1576d.png&amp;f=webp&amp;q=75" alt="" width="1720" height="751"></em></p>
<p><em>Figure 2: Data curation methodology pipeline.</em></p>
<p dir="ltr">This leaderboard uses the public and private FORTRESS dataset, which can be found on&nbsp;<a href="https://huggingface.co/datasets/ScaleAI/fortress_public">HuggingFace</a>, as well as a private set of prompts to prevent data contamination.&nbsp;</p>
<h3 dir="ltr">The Ranking</h3>
<p dir="ltr">The FORTRESS leaderboard charts model performance based on two critical scores: the Average Risk Score (ARS), which measures a model's propensity to generate potentially harmful content, and the Over-Refusal Score (ORS), which measures its tendency to refuse benign requests. An ideal model would exhibit a low ARS and a low ORS. Models are ranked by ARS with the ORS in parentheses.&nbsp;</p>
<ul>
<li dir="ltr" aria-level="1">
<p dir="ltr" role="presentation">High ORS, Low ARS: Models in this group are generally safer but overly cautious, refusing harmless prompts too often.&nbsp;</p>
</li>
<li dir="ltr" aria-level="1">
<p dir="ltr" role="presentation">Low ORS, High ARS: These models are more useful for general queries but have less robust safeguards against misuse.&nbsp;</p>
</li>
<li dir="ltr" aria-level="1">
<p dir="ltr" role="presentation">Low ORS, Low ARS: This is the desired result; models demonstrate a low propensity to supply harmful information but are not overly cautious.</p>
</li>
<li dir="ltr" aria-level="1">
<p dir="ltr" role="presentation">High ORS, High ARS: Models are prone to generating risky content while also refusing benign queries.</p>
</li>
</ul>
<p><strong id="docs-internal-guid-edd60921-7fff-19af-9169-8b7f6044cd0f">What is FORTRESS?</strong></p>
<p dir="ltr">FORTRESS provides a robust and scalable framework for evaluating LLM safeguards in the context of national security.</p>
<ul>
<li dir="ltr" aria-level="1">
<p dir="ltr" role="presentation">NSPS-Focused Taxonomy: The benchmark's three domains (CBRNE, Political Violence &amp; Terrorism, and Criminal &amp; Financial Illicit Activities) are grounded in U.S. and international laws and conventions, such as 18 U.S.C. &sect; 229 (Chemical Weapons Convention) and the UN Convention against Transnational Organized Crime (UNTOC).</p>
</li>
<li dir="ltr" aria-level="1">
<p dir="ltr" role="presentation">Expert-Crafted Prompts: The benchmark uses 500 single-turn adversarial prompts created by experienced human red teamers to realistically test model defenses. These prompts were developed against a balanced distribution of leading models to mitigate bias.</p>
</li>
<li dir="ltr" aria-level="1">
<p dir="ltr" role="presentation">Paired Benign Prompts: Each adversarial prompt is paired with a benign counterpart on a similar topic (e.g., asking for a historical account of a crime versus a plan to replicate it). This measures over-refusal and ensures that safety isn't achieved simply by refusing all related queries.</p>
</li>
<li dir="ltr" aria-level="1">
<p dir="ltr" role="presentation">Instance-Specific Rubrics: Every adversarial prompt has a unique evaluation rubric consisting of 4-7 objective, binary (Yes/No) questions. These expert-written rubrics allow for a nuanced and automatable assessment of whether a model's response provides actionable information for malicious activities.</p>
</li>
</ul>
<h3 dir="ltr">How is FORTRESS Scored?</h3>
<ul>
<li dir="ltr" aria-level="1">
<p dir="ltr" role="presentation">Average Risk Score (ARS): A panel of three powerful LLM judges (o3, Claude 3.7 Sonnet, and Gemini 2.5 Pro) evaluates each model-generated response against the prompt's specific rubric. The harm score for a response is the percentage of rubric questions that receive a "Yes" from the majority of judges. The ARS is the average of these scores across all adversarial prompts. A lower ARS is better.</p>
</li>
<li dir="ltr" aria-level="1">
<p dir="ltr" role="presentation">Over-Refusal Score (ORS): This score is the percentage of the 500 benign prompts that a model refuses to answer, as determined by a separate refusal-checker model (GPT-4o-mini). A lower ORS indicates better model utility.&nbsp;</p>
</li>
</ul>
<h3><strong>Rankings</strong></h3>
<table dir="ltr" style="width: 86.7725%;" border="1" cellspacing="0" cellpadding="0" data-sheets-root="1" data-sheets-baot="1"><colgroup><col style="width: 49.4824%;" width="165"><col style="width: 17.3913%;"><col style="width: 15.942%;"><col style="width: 17.1843%;"></colgroup>
<tbody>
<tr>
<td><strong>Model</strong></td>
<td><strong>Rank</strong></td>
<td><strong>ARS</strong></td>
<td><strong>ORS</strong></td>
</tr>
<tr>
<td>Claude 3.5 Sonnet</td>
<td>1</td>
<td>12.96</td>
<td>21.07</td>
</tr>
<tr>
<td>o3</td>
<td>1</td>
<td>16.01</td>
<td>7.42</td>
</tr>
<tr>
<td>Claude 4 Sonnet (thinking)</td>
<td>2</td>
<td>18.06</td>
<td>5.24</td>
</tr>
<tr>
<td>o1</td>
<td>2</td>
<td>19.38</td>
<td>5.05</td>
</tr>
<tr>
<td>Llama 3.1 405B</td>
<td>2</td>
<td>20.61</td>
<td>6.03</td>
</tr>
<tr>
<td>o4-mini</td>
<td>2</td>
<td>21.49</td>
<td>5.14</td>
</tr>
<tr>
<td>Claude Sonnet 4</td>
<td>4</td>
<td>24.37</td>
<td>5.04</td>
</tr>
<tr>
<td>Claude 4 Opus (thinking)</td>
<td>4</td>
<td>24.76</td>
<td>1.89</td>
</tr>
<tr>
<td>Claude Opus 4</td>
<td>6</td>
<td>27.61</td>
<td>2.52</td>
</tr>
<tr>
<td>o3-mini</td>
<td>7</td>
<td>30.05</td>
<td>5.65</td>
</tr>
<tr>
<td>Claude 3.5 Haiku</td>
<td>7</td>
<td>30.41</td>
<td>13.16</td>
</tr>
<tr>
<td>Claude 3.7 Sonnet</td>
<td>12</td>
<td>38.01</td>
<td>4.45</td>
</tr>
<tr>
<td>Llama 4 Maverick</td>
<td>12</td>
<td>40.09</td>
<td>4.95</td>
</tr>
<tr>
<td>Llama 3.1 70B</td>
<td>12</td>
<td>44.18</td>
<td>1.09</td>
</tr>
<tr>
<td>Llama 3.3 70B</td>
<td>13</td>
<td>44.79</td>
<td>2.18</td>
</tr>
<tr>
<td>GPT-4o</td>
<td>14</td>
<td>47.18</td>
<td>1.68</td>
</tr>
<tr>
<td>GPT-4o mini</td>
<td>14</td>
<td>48.07</td>
<td>2.27</td>
</tr>
<tr>
<td>Gemini 1.5 Flash</td>
<td>14</td>
<td>50.61</td>
<td>4.45</td>
</tr>
<tr>
<td>GPT-4.1</td>
<td>16</td>
<td>53.02</td>
<td>2.87</td>
</tr>
<tr>
<td>Gemini 1.5 Pro</td>
<td>17</td>
<td>53.86</td>
<td>3.17</td>
</tr>
<tr>
<td>Gemini 2.5 Pro (03-25)</td>
<td>17</td>
<td>54.89</td>
<td>1.38</td>
</tr>
<tr>
<td>Qwen 2.5 72B</td>
<td>18</td>
<td>56.43</td>
<td>1.19</td>
</tr>
<tr>
<td>Mixtral 8x22B</td>
<td>18</td>
<td>56.06</td>
<td>2.77</td>
</tr>
<tr>
<td>GPT-4.1 mini</td>
<td>19</td>
<td>59.19</td>
<td>1.38</td>
</tr>
<tr>
<td>Gemini 2.5 Pro (06-05)</td>
<td>21</td>
<td>61.68</td>
<td>1.58</td>
</tr>
<tr>
<td>DeepSeek R1</td>
<td>26</td>
<td>74.39</td>
<td>0.49</td>
</tr>
</tbody>
</table>
<p dir="ltr"><em><img src="https://img.plasmic.app/img-optimizer/v1/img?src=cdac72021b15659c5af47205b667613c.png&amp;f=webp&amp;q=75" alt=""></em></p>
<p dir="ltr"><em>Figure 1: FORTRESS: A novel benchmark to evaluate LLM safeguards&rsquo; robustness to potential misuse relevant to national security and public safety. Scores are based off the public dataset only.</em></p>
<p>[fortress-examples]</p>

<div class="c-message_kit__blocks c-message_kit__blocks--rich_text">
<div class="c-message__message_blocks c-message__message_blocks--rich_text" data-qa="message-text">
<div class="p-block_kit_renderer" data-qa="block-kit-renderer">
<div class="p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first">
<div class="p-rich_text_block" dir="auto">
<div class="p-rich_text_section">rank(LB): 1+ the number of models whose upper bound is lower than this models lower bound</div>
</div>
</div>
</div>
</div>
</div>
<div class="c-message_kit__reaction_bar c-reaction_bar c-reaction_bar--collapsed" role="group" data-qa="reaction_bar" aria-label="Reactions" data-stringify-ignore="true">--</div>
<div class="c-message_kit__reaction_bar c-reaction_bar c-reaction_bar--collapsed" role="group" data-qa="reaction_bar" aria-label="Reactions" data-stringify-ignore="true">Score refers to Average Risk Score (ARS)</div>

Alibaba (Qwen)

Amazon (Nova)

Anthropic

Cohere

Databricks

DeepSeek

Google DeepMind

Meta (Llama)

Microsoft (Phi)

Mistral

OpenAI

FORTRESS assesses model responses across three domains: Chemical, Biological, Radiological, Nuclear and Explosive (CBRNE); Political Violence & Terrorism; and Criminal & Financial Illicit Activities.

Fortress

Performance Comparison