15  Benchmark Catalog

Living document. This catalog covers benchmarks prominent at the time of last review. The evaluation landscape moves fast — benchmarks are released, saturated, and superseded on 12–24 month cycles. Entries will be updated each quarterly review; treat any specific result or saturation claim as time-stamped, not permanent.

For the conceptual framework — why evaluation has passed through distinct generations and what each generation revealed — see Evaluation & Benchmarks.

15.1 Generation 1 — Static Accuracy (2018–2022)

Fixed-distribution benchmarks that defined the first era of LLM evaluation. All saturated or broken by contamination within two years of release.

Benchmark Year Measures How it broke
GLUE / SuperGLUE 2018/19 NLU tasks (NLI, QA, coreference) Models saturated within months of release
MMLU 2020 57-subject multiple-choice knowledge Contamination; frontier models now exceed human average
HumanEval 2021 Python code generation (pass@k) pass@k gameable; real-world correctness diverges from pass rate
BIG-bench 2022 204 diverse tasks, difficulty-scaled Heterogeneous scoring; no safety dimension; marks end of static era

15.2 Generation 2 — Holistic Evaluation (2022–2023)

Benchmark Year Measures Notes
HELM (Liang et al., 2023) 2022 Accuracy, calibration, robustness, fairness, toxicity, efficiency across shared scenarios First multi-dimensional framework; exposed accuracy–robustness decorrelation

15.3 Generation 3 — Adversarial (2023–2024)

Benchmark Year Measures Notes
HarmBench (Mazeika et al., 2024) 2023 Attack success rate across 18 attack methods × 5 harm categories × 33 target LLMs Standardized attack + defense evaluation in a single framework
Agent Security Bench (Zhang et al., 2025) 2024 Direct + indirect injection across 10 scenarios, 10 attack methods, 400+ tools No evaluated defense eliminated the attack surface

15.4 Generation 4 — Agentic (2024–present)

Benchmark Year Measures Notes
AgentDojo (Debenedetti et al., 2024) 2024 Attack success rate + utility preservation on realistic tool-using agent tasks (email, calendar, banking API) Frontier models complete 60–70 % of tasks; vulnerable to injection in 30–60 % of attack scenarios; input filtering cuts both attack and task success
Agent Security Bench (ASB) (Zhang et al., 2025) 2024 10 scenarios × 10 attack methods × 400+ tools; unified attack success rate Direct injection 84 % ASR on undefended agents; indirect injection 60–80 %; no evaluated defense eliminated attack surface
τ-bench / service-task reliability 2024 Agent reliability across stochastic, multi-turn service tasks (airline, retail) Measures over-action failures — when agent should pause, refuse, escalate but does not

15.5 Generation 5 — Dangerous Capabilities (2024–present)

A positive result is a warning signal, not a capability gain.

Capability Evaluation focus Representative approach
CBRN Uplift beyond freely available information on chemical, biological, radiological, nuclear weapons Structured elicitation against domain-expert counterfactuals
Cyber Novel exploit generation, autonomous attack chain completion CTF benchmarks; autonomous pen-test environments
Autonomy / AI R&D Long-horizon task completion, research engineering at human-expert level METR RE-Bench (Wijk et al., 2024)
Self-proliferation Copy and deploy own weights, acquire compute autonomously Controlled sandbox with monitored exfiltration opportunity
Deception Behavior changes between evaluation and deployment context Consistency probing; activation analysis (Panfilov et al., 2025)