Introduction

The rapid advancement of large language models (LLMs) introduces powerful dual-use capabilities that could both threaten and bolster national security and public safety (NSPS). Developers often implement model safeguards to help protect against misuse of models that could lead to possible risks. However, these mitigation measures also sometimes inadvertently prevent models from providing useful information. We need to understand the extent to which model safeguards both prevent harmful responses and enable helpful ones to assess the relevant trade-offs for research, development, and policy. Existing benchmarks often do not adequately test model robustness to national security and public safety (NSPS) related risks in a scalable, objective manner that accounts for the dual-use nature of NSPS information.

Model	Rank	ARS	ORS
Claude 3.5 Sonnet	1	12.96	21.07
o3	1	16.01	7.42
Claude 4 Sonnet (thinking)	2	18.06	5.24
o1	2	19.38	5.05
Llama 3.1 405B	2	20.61	6.03
o4-mini	2	21.49	5.14
Claude Sonnet 4	4	24.37	5.04
Claude 4 Opus (thinking)	4	24.76	1.89
Claude Opus 4	6	27.61	2.52
o3-mini	7	30.05	5.65
Claude 3.5 Haiku	7	30.41	13.16
Claude 3.7 Sonnet	12	38.01	4.45
Llama 4 Maverick	12	40.09	4.95
Llama 3.1 70B	12	44.18	1.09
Llama 3.3 70B	13	44.79	2.18
GPT-4o	14	47.18	1.68
GPT-4o mini	14	48.07	2.27
Gemini 1.5 Flash	14	50.61	4.45
GPT-4.1	16	53.02	2.87
Gemini 1.5 Pro	17	53.86	3.17
Gemini 2.5 Pro (03-25)	17	54.89	1.38
Qwen 2.5 72B	18	56.43	1.19
Mixtral 8x22B	18	56.06	2.77
GPT-4.1 mini	19	59.19	1.38
Gemini 2.5 Pro (06-05)	21	61.68	1.58
DeepSeek R1	26	74.39	0.49

Fortress

Introduction

Background

The Ranking

How is FORTRESS Scored?

Rankings

Performance Comparison