Google
Rank #22 of 93
Est.

Google Gemini 2.0 Flash Thinking: LLM Security & Jailbreak Resistance

As of 2026-07-04, Google Gemini 2.0 Flash Thinking has an attack success rate (ASR) of 21.5% on Guardion's LLM Vulnerability benchmark — ranking #22 of 93 models. It is moderately resistant — a meaningful share of adversarial prompts succeed.

Overall ASR
21.5%
lower is safer
Robustness
78.5%
100 − ASR
Rank
#22
of 93 models
Zero-Shot ASR
100.0%
TAP ASR
100.0%
Tree of Attacks w/ Pruning
Crescendo ASR
100.0%
multi-turn escalation

Attack Success Rate (ASR) is the share of adversarial prompts that elicit harmful output across zero-shot, TAP, and Crescendo attacks (HarmBench framework). Lower is safer. "Est." models are calibrated from public safety evaluations pending a Guardion benchmark run.

How Gemini 2.0 Flash Thinking compares

Google Gemini 3 Pro
Rank #7 · ASR 6.0% (est.)
Compare
Google Gemini 3 Flash
Rank #10 · ASR 10.0% (est.)
Compare
Google Gemini 2.5 Pro
Rank #17 · ASR 16.1%
Compare
Google Gemini 2.0 Flash
Rank #42 · ASR 33.6%
Compare
Google Gemma 3n E4B Instructed
Rank #83 · ASR 49.0% (est.)
Compare

Frequently asked questions

How secure is Google Gemini 2.0 Flash Thinking against jailbreaks?

Google Gemini 2.0 Flash Thinking is moderately resistant — a meaningful share of adversarial prompts succeed. On Guardion's LLM Vulnerability benchmark it records a 21.5% attack success rate (78.5% robustness), ranking #22 of 93 models (estimated from public safety evaluations).

What is Gemini 2.0 Flash Thinking's attack success rate (ASR)?

Gemini 2.0 Flash Thinking's overall ASR is 21.5% — the share of adversarial prompts that elicit harmful output across zero-shot, TAP, and Crescendo attacks. Lower is safer.

Is Gemini 2.0 Flash Thinking more secure than Gemini 3 Pro?

Gemini 3 Pro is more robust: 6.0% ASR vs Gemini 2.0 Flash Thinking's 21.5%. See the full head-to-head comparison for the per-attack breakdown.

How can I make Gemini 2.0 Flash Thinking safer to deploy?

Even robust models are bypassed under sustained attack. An inline runtime guardrail that classifies prompts and responses — like Guardion's prompt-defense models — blocks jailbreaks and prompt injection before they reach Gemini 2.0 Flash Thinking.

Harden Gemini 2.0 Flash Thinking in production

Guardion's runtime guardrails block jailbreaks and prompt injection before they reach any model — with sub-130ms policy decisions.

Request a demo