Primarily as a member of Arcadia Impact’s AI Safety Engineering Taskforce, I submitted several contributions

Released: Cyber capability elicitation (TPM)

• Guided the development of an agent with support for Reflection and Learning from Mistakes

• Evaluated the increase of an LLM’s performance on the Intercode_CTF (compared to Google DeepMind’s evaluation)

Released: CyberSecEval_2 (Research engineer)

• Meta’s original benchmark brought evaluations of LLM susceptibility to prompt injection, interpreter abuse, and vulnerability identification/exploitation.

• I integrated the system and dataset into the UK AISI inspect_evals framework to make it nearly effortless to assess new models/reproduce results.

• As part of this integration, I added interpreter sandboxing and JSON improvements to the harness for safety and robustness.

• Identified challenges CyberSecurity evals face with under-elicitation of models and underrated responses due to data formatting

Under review: Self-jailbreak methods (submission author)

• LLM-aided LLM jailbreaking evaluation (in the line of IRIS/AutoDAN)

• My eval proposal and prototype include three distinct “tasks” in which a model attacks LLM safety measures, applied to itself.

• In each task, the Attack Success Rate shows the model’s ability to bypass its own default refusals on “safety challenges” if asked for jailbreak techniques (python string transformations, decompositions of the prompt, and reflection applied to multi-turn conversation).

Under review: Sandbagging/Benchmark evasion in mainstream evals (submission author)

• My eval proposal (also submitted to OpenAI) compares the attack success rates of existing safety evals under traditional evaluation scaffolding vs production/human-like request patterns (i.e., preventing the model from detecting that it is being evaluated)

• Rooted in evasion techniques for bot detection (from my work at Akamai)

• I plan to follow this research with contributions to the inspec_ai framework to provide mitigations against sandbagging

• OWASP GenAI: Key contributor to the guide “Securing Agentic Applications v1.0” (RSAC 2025)

• BlindE: Memory-safe agentic execution to isolate data plane and LLM control plane (April-Aug 2025)

• Adversarial coding agent: tournament-style evolution to bypass detection of insecure code with an LLM code reviewer (Aug 2025)

• Spontaneous continuity planning behavior in AI agents beyond expected execution horizon/environment (Aug 2025)

• Hybrid Organizations & Trust: Risk Analyses of Agentic Human-AI Work Hierarchies in the Global Economic Transition (open for research partnerships)

• Easy input guardrails with semantic embeddings on Cloudflare: llm-proxy.com (Oct 2023)

• Tacit cyber risk detection in LLMs (mechanistic interpretability research project as part of BlueDot’s AI safety fundamentals course, also on LessWrong - June 2024)

• Making LLM outputs detectable using watermarks based on text steganography (Aug 2024)

• Scoping LLM applications / Hardening instruction hierarchy: state of the art, gaps, and alternatives (Apr 9, 2025)

• Boston AI safety group: I host local meetups and build educational content (sometimes partnering with BlueDot, Kairos, and AISAP)

• Getting Started in AI Safety: Key readings (Feb 2025)

• BlueDot courses

  • AI Alignment course (Certified/Spring 2024)

  • AGI Strategy Course (In progress/Fall 2025)

• Trust Pressure Ratio: a nutrition label focused on commensurate safety testing for AI-powered applications

• Defend Your Castle: prompt engineering for the blue team, learning limitations and mitigations

• Hype or reality: benefits of LLMs amid broader AI risk-benefit tradeoffs.

• Guiding the safety of AI products at Panorama Education, including Solara and ClassCompanion