
Key facts.
- Constitutional Classifiers were red-teamed across thousands of hours and attempts, reducing jailbreak success from 86% to 4.4% but not to zero (Anthropic, 2025).
- Tool-poisoning benchmarks such as MCPTox systematize adversarial testing of real MCP servers (MCPTox, 2025).
- Adversarial testing has to be continuous because new attack techniques and new tools change the surface constantly.
Why isn't a one-time security audit enough?
Because the attack surface moves. New injection techniques appear, new tools get added, models get swapped, and each change can reopen a hole the last audit closed. A point-in-time review certifies the agent as it was, not as it's. Continuous red teaming, automated adversarial suites running against every change plus periodic human red teams, keeps the picture current. The Constitutional Classifiers result is the proof: even an enormous, sustained effort leaves a residual, so the work is never finished, only kept up.

One-time audit vs. continuous red teaming
| One-time audit | Continuous red teaming |
|---|---|
| Certifies a snapshot | Tests every change |
| Misses new techniques and tools | Catches surface shifts as they happen |
| False sense of done | Residual measured and tracked |
Constitutional Classifiers took thousands of red-team hours to reach 4.4%, not zero, and a stronger model won't end the incident: Crescendo still lands on GPT-4. (arXiv:2501.18837)
VibeModel's Pattern Intelligence Layer complements red teaming by detecting in production the attack patterns your tests are designed to surface, so a technique that slips past testing still shows up when it's used for real. You attack continuously and patch; we watch for what the attacks miss. Red teaming tells you the residual exists; we make sure the residual can't do harm unseen.
Frequently asked questions
How often should I red team?
Continuously for automated suites, on every meaningful change, plus periodic human red teams. The surface moves too fast for an annual review.
If even Anthropic leaves a residual, what's the point?
The point is to know the residual and contain it. You can't defend what you haven't measured, and red teaming is how you measure.

