Smart Prompt Evolution (SPE-NL)

SPE-NL is Basilisk's genetic algorithm engine that evolves attack payloads across generations to discover bypasses that static tools miss.

How It Works

[Population Init] → [Fitness Evaluation] → [Selection] → [Mutation + Crossover] → [Next Generation]
       ↑                                                                                    |
       └────────────────────── Repeat until breakthrough or stagnation ─────────────────────┘

1. Population Initialization

Each generation starts with a population of candidate payloads (default: 100). The initial population is seeded from the module's built-in payload database plus random mutations.

2. Fitness Evaluation

Each payload is sent to the target LLM and the response is scored across multiple signals:

  • Refusal Avoidance — Did the model comply vs refuse?
  • Information Leakage — Did the response contain sensitive data?
  • Compliance Score — How helpful was the response to the attack?
  • Novelty Reward — Bonus for unique payload structures

3. Selection

Top-performing payloads are selected as parents using tournament selection. Elite payloads (top 5%) are carried forward unchanged.

4. Mutation Operators

10 mutation operators transform payloads:

| Operator | Description | |----------|-------------| | Synonym Swap | Replace words with synonyms | | Encoding Wrap | Wrap in base64/hex/rot13 | | Role Injection | Prepend persona/role instructions | | Language Shift | Translate segment to another language | | Structure Overhaul | Completely restructure the prompt | | Fragment Split | Split across multiple messages | | Nesting | Nest instructions inside benign context | | Homoglyphs | Replace characters with visually similar Unicode | | Context Padding | Add benign padding to evade pattern matching | | Token Smuggling | Use token boundary tricks to hide payloads |

5. Crossover Strategies

5 crossover strategies combine successful payloads:

| Strategy | Description | |----------|-------------| | Single-Point | Split at one point, swap tails | | Uniform | Mix tokens from both parents uniformly | | Prefix-Suffix | Take prefix from parent A, suffix from parent B | | Semantic Blend | Blend the semantic intent of both payloads | | Best-of-Both | Take strongest components from each parent |

Configuration

# 10 generations (recommended for deep testing)
basilisk scan -t URL --generations 10

# Custom population size
basilisk scan -t URL --population 200

# Standard mode (5 generations, balanced speed/depth)
basilisk scan -t URL --mode standard

# Deep mode (10 generations, maximum discovery)
basilisk scan -t URL --mode deep

Stagnation Detection

If the average fitness doesn't improve for 3 consecutive generations, SPE-NL triggers an "extinction event" — replacing 80% of the population with fresh random mutations to escape local optima.