BT6 is stewarded by Pliny the Liberator — whose handle honors Pliny the Elder, the Roman admiral who sailed toward Vesuvius while others fled. The instinct to move toward risk is the only one that matters in this work.
Every frontier model ships with vulnerabilities its builders cannot see. The alignment teams are too close. The internal red teams are too polite. The bug bounty hunters are too narrow. The gaps are structural, not accidental. Other teams run evaluations. We run campaigns — adversarial, persistent, and relentless until the model yields what it's hiding.
That is the work BT6 was built for. Stewarded by Pliny the Liberator — named to TIME's 100 Most Influential in AI after breaking every major model within hours of release — this is the hacker collective whose jailbreak techniques, multi-modal exploits, and prompt injection methods set the standard other red teams now train against.
Frontier labs, billion-user platforms, and governments have engaged us for the work that cannot be systematized: adversarial intuition that finds what evals miss. We cartograph the latent space the way Pliny's fleet charted coastlines — by sailing into the unknown and returning with maps.
"The things that she has concealed and hidden underground… are the things that destroy us and drive us to the depths below."— Pliny the Elder, Naturalis Historia XXXIII.3
Your threat surface is wider than your security team thinks. Every modality is an attack vector. Every tool integration is a trust boundary. Every agent is a potential insider. These are the domains where we operate — and where your current defenses have blind spots.
Universal jailbreaks, prompt injection, system prompt extraction, refusal bypass, multilingual evasion, temporal payloads.
Image, audio, and video injection vectors. Covert AI-to-AI communication. Steganographic payload delivery.
Sub-agent exploitation, tool-use chain attacks, inter-agent infection, indirect injection via tool payloads, autonomous persistence.
Poisoned weights, backdoored adapters, RAG poisoning, context manipulation, data ingestion attacks.
Evaluation gaming, deceptive alignment, capability phase transitions, emergent behavior that appeared in no test suite.
Robot jailbreaking, sensor manipulation, actuator hijacking.
Zero-day research, penetration testing, network exploitation, application security.
Chemical, biological, radiological, nuclear, and explosive uplift risk assessment.
Adversarial persuasion, radicalization pathways, mental health exploitation, parasocial manipulation.
Deepfakes, voice cloning, synthetic identity generation, biometric spoofing.
Market manipulation, DeFi exploitation, fraud facilitation. Power grid, water, and transport system targeting via AI.
Training data extraction, PII leakage, membership inference, model inversion, system prompt theft.
Thirty-seven operators · twenty-seven named below. Sixteen Evocati — the ones who get sent when the target is a frontier model and failure isn't an option.
The Liberator — Steward & Strike Lead Evocati
Every BT6 campaign runs on tooling we built ourselves. A portion is published openly — adopted by hundreds of thousands of researchers, cited across the AI safety literature. The rest stays compartmented to client engagements.
Our reference library of jailbreak primitives across every flagship model. Every BT6 campaign starts from this corpus and extends it. Cited across 10+ peer-reviewed papers as the manual-attack baseline.
The forge where our operators build, encode, and chain adversarial payloads. Multi-layer obfuscation, leetspeak transforms, encoding stacks — the dark matter between a raw prompt and an exploit chain.
Our continuously updated archive of extracted system prompts from every major frontier deployment. Reconnaissance asset for every BT6 campaign — and the largest open record of how labs configure their models in production.
Our weights-level instrument for surgically removing refusal mechanisms — without retraining. Lets BT6 measure the gap between what a model declines to do and what it remains structurally capable of. The distinction most evals collapse.
Our covert-channel toolkit for multimodal payload delivery — text, image, audio, multi-layer encoding. Builds the kind of carriers safety filters were never trained to look for, because nobody had built them yet.
Our public demonstration platform for what frontier models will say once their alignment scaffolding gives way. The receipt that the gap between behavior and capability is real, reproducible, and shippable.
What you see above is a fraction of our custom arsenal. The rest stays under NDA.
Most operators are recruited by invitation. Occasionally, someone finds us first.
Pliny sailed toward the eruption when every other ship turned back. That's the temperament we select for.
We want people who've already been doing this work because they couldn't stop themselves — who see the model misbehavior before anyone puts a name to it. If you've broken a frontier model and felt the quiet pull to catalog what you found, you already speak our language.
BT6 is an invite-only collective, not a corporation. No org charts. No performance reviews. No busywork. You're known by your callsign and judged by what you find. Decentralized command, unified doctrine, total autonomy.
The work is hard, the targets are the most sophisticated systems ever built, and the findings shape how the industry thinks about AI risk. That's the offer.
Requires demonstrated jailbreak history and deep intuition for LLM behavior under adversarial pressure. NDA engagements only.
Apply →Cross-modal attack chains, steganographic payloads, vision-language exploits. You'll ship exploits the rest of the industry hasn't seen yet.
Apply →Agent-to-agent exploitation, tool-use attacks, autonomous persistence. Comfortable operating in domains where the playbooks don't exist.
Apply →Evaluate whether frontier models provide meaningful uplift for chemical, biological, radiological, nuclear, and explosive threats. Prior lab, DoD, or national lab experience preferred.
Apply →Custom telemetry capture, evidence-chain preservation, per-engagement tooling. You're the reason the arsenal works and the deliverables stand up to post-engagement scrutiny. Strong DFIR or detection-engineering background; adversarial fluency required.
Apply →All backgrounds considered if the work is real. Send representative findings — public writeups, private PoCs, anything that demonstrates you see what others miss.
Apply →"Fortes Fortuna iuvat" — Fortune favours the bold. — Pliny the Elder, on sailing toward Vesuvius
Apply: enlist@bt6.gg →The question is whether you find it or someone else does. We work with frontier labs, enterprises, and governments where the cost of a missed exploit is measured in trust, market cap, or national security. Engagements are selective and under NDA. You receive adversarial data packages, exploit documentation, and complex attack graphs — not slide decks.