Security in LLM-as-a-Judge: A Comprehensive SoK

TL;DR

This paper systematically reviews security challenges in LLM-as-a-Judge systems, highlighting vulnerabilities, attack methods, defenses, and future research directions to enhance their robustness and trustworthiness.

Contribution

It provides the first comprehensive SoK on security issues in LLM-as-a-Judge, including a taxonomy, literature analysis, and identification of open challenges.

Findings

Significant vulnerabilities exist in LLM-based evaluation frameworks.

Existing defenses are limited and need improvement.

Open research challenges include robustness and attack detection.

Abstract

LLM-as-a-Judge (LaaJ) is a novel paradigm in which powerful language models are used to assess the quality, safety, or correctness of generated outputs. While this paradigm has significantly improved the scalability and efficiency of evaluation processes, it also introduces novel security risks and reliability concerns that remain largely unexplored. In particular, LLM-based judges can become both targets of adversarial manipulation and instruments through which attacks are conducted, potentially compromising the trustworthiness of evaluation pipelines. In this paper, we present the first Systematization of Knowledge (SoK) focusing on the security aspects of LLM-as-a-Judge systems. We perform a comprehensive literature review across major academic databases, analyzing 863 works and selecting 45 relevant studies published between 2020 and 2026. Based on this study, we propose a taxonomy that organizes recent research according to the role played by LLM-as-a-Judge in the security landscape, distinguishing between attacks targeting LaaJ systems, attacks performed through LaaJ, defenses leveraging LaaJ for security purposes, and applications where LaaJ is used as an evaluation strategy in security-related domains. We further provide a comparative analysis of existing approaches, highlighting current limitations, emerging threats, and open research challenges. Our findings reveal significant vulnerabilities in LLM-based evaluation frameworks, as well as promising directions for improving their robustness and reliability. Finally, we outline key research opportunities that can guide the development of more secure and trustworthy LLM-as-a-Judge systems.