microsoft · hannahwestra25 · Apr 21, 2026 · Apr 21, 2026 · Apr 22, 2026 · Apr 22, 2026
diff --git a/pyrit/executor/attack/component/conversation_manager.py b/pyrit/executor/attack/component/conversation_manager.py
@@ -20,7 +20,7 @@
 )
 from pyrit.prompt_normalizer.prompt_normalizer import PromptNormalizer
 from pyrit.prompt_target import PromptTarget
-from pyrit.prompt_target.common.prompt_chat_target import PromptChatTarget
+from pyrit.prompt_target.common.target_capabilities import CapabilityName
 
 if TYPE_CHECKING:
     from pyrit.executor.attack.core import AttackContext
@@ -242,7 +242,7 @@ def get_last_message(
     def set_system_prompt(
         self,
         *,
-        target: PromptChatTarget,
+        target: PromptTarget,
         conversation_id: str,
         system_prompt: str,
         labels: Optional[dict[str, str]] = None,
@@ -251,11 +251,16 @@ def set_system_prompt(
         Set or update the system prompt for a conversation.
 
         Args:
-            target: The chat target to set the system prompt on.
+            target: The target to set the system prompt on. Must handle the
+                ``SYSTEM_PROMPT`` capability (natively or via an ``ADAPT`` policy).
             conversation_id: Unique identifier for the conversation.
             system_prompt: The system prompt text.
             labels: Optional labels to associate with the system prompt.
+
+        Raises:
+            ValueError: If ``target`` cannot handle the ``SYSTEM_PROMPT`` capability.
         """
+        target.configuration.ensure_can_handle(capability=CapabilityName.SYSTEM_PROMPT)
         target.set_system_prompt(
             system_prompt=system_prompt,
             conversation_id=conversation_id,
@@ -283,7 +288,7 @@ async def initialize_context_async(
         3. Updates context.executed_turns for multi-turn attacks
         4. Sets context.next_message if there's an unanswered user message
 
-        For PromptChatTarget:
+        For chat-capable PromptTarget:
             - Adds prepended messages to memory with simulated_assistant role
             - All messages get new UUIDs
 
@@ -306,7 +311,7 @@ async def initialize_context_async(
 
         Raises:
             ValueError: If conversation_id is empty, or if prepended_conversation
-                requires a PromptChatTarget but target is not one.
+                requires a chat-capable PromptTarget but target is not one.
         """
         if not conversation_id:
             raise ValueError("conversation_id cannot be empty")
@@ -321,8 +326,11 @@ async def initialize_context_async(
             logger.debug(f"No prepended conversation for context initialization: {conversation_id}")
             return state
 
-        # Handle target type compatibility
-        is_chat_target = isinstance(target, PromptChatTarget)
+        # Targets that don't natively support multi-turn history cannot consume a
+        # prepended multi-message conversation as-is — route them to the
+        # single-string fallback path. Type identity (PromptChatTarget) is a
+        # legacy signal for this; capability-based routing is the durable form.
+        is_chat_target = target.configuration.includes(capability=CapabilityName.EDITABLE_HISTORY)
         if not is_chat_target:
             return await self._handle_non_chat_target_async(
                 context=context,
@@ -366,8 +374,8 @@ async def _handle_non_chat_target_async(
 
         if config.non_chat_target_behavior == "raise":
             raise ValueError(
-                "prepended_conversation requires the objective target to be a PromptChatTarget. "
-                "Non-chat objective targets do not support conversation history. "
+                "prepended_conversation requires the objective target to be a chat-capable "
+                "PromptTarget. Non-chat objective targets do not support conversation history. "
                 "Use PrependedConversationConfig with non_chat_target_behavior='normalize_first_turn' "
                 "to normalize the conversation into the first message instead."
             )

diff --git a/pyrit/executor/attack/component/prepended_conversation_config.py b/pyrit/executor/attack/component/prepended_conversation_config.py
@@ -22,7 +22,7 @@ class PrependedConversationConfig:
     This class provides control over:
     - Which message roles should have request converters applied
     - How to normalize conversation history for non-chat objective targets
-    - What to do when the objective target is not a PromptChatTarget
+    - What to do when the objective target is not a chat-capable PromptTarget
     """
 
     # Roles for which request converters should be applied to prepended messages.
@@ -36,13 +36,13 @@ class PrependedConversationConfig:
     # ConversationContextNormalizer is used that produces "Turn N: User/Assistant" format.
     message_normalizer: Optional[MessageStringNormalizer] = None
 
-    # Behavior when the target is a PromptTarget but not a PromptChatTarget:
+    # Behavior when the target is a PromptTarget but not a chat-capable PromptTarget:
     # - "normalize_first_turn": Normalize the prepended conversation into a string and
     #   store it in ConversationState.normalized_prepended_context. This context will be
     #   prepended to the first message sent to the target. Uses objective_target_context_normalizer
     #   if provided, otherwise falls back to ConversationContextNormalizer.
     # - "raise": Raise a ValueError. Use this when prepended conversation history must be
-    #   maintained by the target (i.e., target must be a PromptChatTarget).
+    #   maintained by the target (i.e., target must be a chat-capable PromptTarget).
     non_chat_target_behavior: Literal["normalize_first_turn", "raise"] = "normalize_first_turn"
 
     def get_message_normalizer(self) -> MessageStringNormalizer:

diff --git a/pyrit/executor/attack/core/attack_strategy.py b/pyrit/executor/attack/core/attack_strategy.py
@@ -8,7 +8,7 @@
 import time
 from abc import ABC
 from dataclasses import dataclass, field
-from typing import TYPE_CHECKING, Any, Generic, Optional, TypeVar, Union, overload
+from typing import TYPE_CHECKING, Any, ClassVar, Generic, Optional, TypeVar, Union, overload
 
 from pyrit.common.logger import logger
 from pyrit.executor.attack.core.attack_parameters import AttackParameters, AttackParamsT
@@ -27,6 +27,7 @@
     ConversationReference,
     Message,
 )
+from pyrit.prompt_target.common.target_requirements import TargetRequirements
 
 if TYPE_CHECKING:
     from pyrit.executor.attack.core.attack_config import AttackScoringConfig
@@ -233,6 +234,10 @@ class AttackStrategy(Strategy[AttackStrategyContextT, AttackStrategyResultT], Id
     Defines the interface for executing attacks and handling results.
     """
 
+    #: Capability requirements placed on ``objective_target``. Subclasses
+    #: override to declare what the attack needs. Validated in ``__init__``.
+    TARGET_REQUIREMENTS: ClassVar[TargetRequirements] = TargetRequirements()
+
     def __init__(
         self,
         *,
@@ -259,6 +264,7 @@ def __init__(
             ),
             logger=logger,
         )
+        type(self).TARGET_REQUIREMENTS.validate(target=objective_target)
         self._objective_target = objective_target
         self._params_type = params_type
         # Guard so subclasses that set converters before calling super() aren't clobbered

diff --git a/pyrit/executor/attack/multi_turn/chunked_request.py b/pyrit/executor/attack/multi_turn/chunked_request.py
@@ -29,6 +29,7 @@
 )
 from pyrit.prompt_normalizer import PromptNormalizer
 from pyrit.prompt_target import PromptTarget
+from pyrit.prompt_target.common.target_capabilities import CapabilityName
 
 if TYPE_CHECKING:
     from pyrit.score import TrueFalseScorer
@@ -141,6 +142,13 @@ def __init__(
             params_type=ChunkedRequestAttackParameters,
         )
 
+        # Chunked request issues multiple distinct turns; history-squash
+        # adaptation would collapse them into a single prompt.
+        if not objective_target.configuration.includes(capability=CapabilityName.MULTI_TURN):
+            raise ValueError(
+                f"ChunkedRequestAttack requires a target that natively supports '{CapabilityName.MULTI_TURN.value}'."
+            )
+
         # Store chunk configuration
         self._chunk_size = chunk_size
         self._total_length = total_length
@@ -226,16 +234,7 @@ async def _setup_async(self, *, context: ChunkedRequestAttackContext) -> None:
 
         Args:
             context (ChunkedRequestAttackContext): The attack context containing attack parameters.
-
-        Raises:
-            ValueError: If the objective target does not support multi-turn conversations.
         """
-        if not self._objective_target.capabilities.supports_multi_turn:
-            raise ValueError(
-                "ChunkedRequestAttack requires a multi-turn target. "
-                "The objective target does not support multi-turn conversations."
-            )
-
         # Ensure the context has a session
         context.session = ConversationSession()
 

diff --git a/pyrit/executor/attack/multi_turn/crescendo.py b/pyrit/executor/attack/multi_turn/crescendo.py
@@ -43,7 +43,9 @@
     SeedPrompt,
 )
 from pyrit.prompt_normalizer import PromptNormalizer
-from pyrit.prompt_target import PromptChatTarget
+from pyrit.prompt_target import PromptTarget
+from pyrit.prompt_target.common.target_capabilities import CapabilityName
+from pyrit.prompt_target.common.target_requirements import TargetRequirements
 from pyrit.score import (
     FloatScaleThresholdScorer,
     Scorer,
@@ -112,6 +114,15 @@ class CrescendoAttack(MultiTurnAttackStrategy[CrescendoAttackContext, CrescendoA
     You can learn more about the Crescendo attack [@russinovich2024crescendo].
     """
 
+    # Crescendo fundamentally relies on editable conversation history to
+    # gradually escalate prompts; history-squash adaptation would collapse the
+    # conversation into a single prompt and silently break the attack's
+    # semantics. Declare EDITABLE_HISTORY as ``native_required`` so adaptation is
+    # rejected at construction time.
+    TARGET_REQUIREMENTS = TargetRequirements(
+        required=frozenset({CapabilityName.EDITABLE_HISTORY}),
+    )
+
     # Default system prompt template path for Crescendo attack
     DEFAULT_ADVERSARIAL_CHAT_SYSTEM_PROMPT_TEMPLATE_PATH: Path = (
         Path(EXECUTOR_SEED_PROMPT_PATH) / "crescendo" / "crescendo_variant_1.yaml"
@@ -121,7 +132,7 @@ class CrescendoAttack(MultiTurnAttackStrategy[CrescendoAttackContext, CrescendoA
     def __init__(
         self,
         *,
-        objective_target: PromptChatTarget = REQUIRED_VALUE,  # type: ignore[assignment]
+        objective_target: PromptTarget = REQUIRED_VALUE,  # type: ignore[assignment]
         attack_adversarial_config: AttackAdversarialConfig,
         attack_converter_config: Optional[AttackConverterConfig] = None,
         attack_scoring_config: Optional[AttackScoringConfig] = None,
@@ -134,7 +145,8 @@ def __init__(
         Initialize the Crescendo attack strategy.
 
         Args:
-            objective_target (PromptChatTarget): The target system to attack. Must be a PromptChatTarget.
+            objective_target (PromptTarget): The target system to attack. Must
+                support editable conversation history.
             attack_adversarial_config (AttackAdversarialConfig): Configuration for the adversarial component,
                 including the adversarial chat target and optional system prompt path.
             attack_converter_config (Optional[AttackConverterConfig]): Configuration for attack converters,
@@ -148,7 +160,7 @@ def __init__(
                 application by role, message normalization, and non-chat target behavior.
 
         Raises:
-            ValueError: If objective_target is not a PromptChatTarget.
+            ValueError: If ``objective_target`` does not natively support editable history.
         """
         # Initialize base class
         super().__init__(objective_target=objective_target, logger=logger, context_type=CrescendoAttackContext)
@@ -257,17 +269,7 @@ async def _setup_async(self, *, context: CrescendoAttackContext) -> None:
 
         Args:
             context (CrescendoAttackContext): Attack context with configuration
-
-        Raises:
-            ValueError: If the objective target does not support multi-turn conversations.
         """
-        if not self._objective_target.capabilities.supports_multi_turn:
-            raise ValueError(
-                "CrescendoAttack requires a multi-turn target. Crescendo fundamentally relies on "
-                "multi-turn conversation history to gradually escalate prompts. "
-                "Use RedTeamingAttack or TreeOfAttacksWithPruning instead."
-            )
-
         # Ensure the context has a session
         context.session = ConversationSession()
 

diff --git a/pyrit/executor/attack/multi_turn/multi_prompt_sending.py b/pyrit/executor/attack/multi_turn/multi_prompt_sending.py
@@ -29,6 +29,8 @@
 )
 from pyrit.prompt_normalizer import PromptNormalizer
 from pyrit.prompt_target import PromptTarget
+from pyrit.prompt_target.common.target_capabilities import CapabilityName
+from pyrit.prompt_target.common.target_requirements import TargetRequirements
 from pyrit.score import Scorer
 
 if TYPE_CHECKING:
@@ -123,6 +125,15 @@ class MultiPromptSendingAttack(MultiTurnAttackStrategy[MultiTurnAttackContext[An
     and multiple scorer types for comprehensive evaluation.
     """
 
+    # Sending a sequence of distinct prompts depends on the target maintaining
+    # conversation state between them. History-squash adaptation would collapse
+    # them into one message and silently break the attack's sequencing
+    # semantics. Declare MULTI_TURN as ``native_required`` so adaptation is
+    # rejected at construction time.
+    TARGET_REQUIREMENTS = TargetRequirements(
+        native_required=frozenset({CapabilityName.MULTI_TURN}),
+    )
+
     @apply_defaults
     def __init__(
         self,
@@ -204,16 +215,7 @@ async def _setup_async(self, *, context: MultiTurnAttackContext[Any]) -> None:
 
         Args:
             context (MultiTurnAttackContext): The attack context containing attack parameters.
-
-        Raises:
-            ValueError: If the objective target does not support multi-turn conversations.
         """
-        if not self._objective_target.capabilities.supports_multi_turn:
-            raise ValueError(
-                "MultiPromptSendingAttack requires a multi-turn target. "
-                "The objective target does not support multi-turn conversations."
-            )
-
         # Ensure the context has a session (like red_teaming.py does)
         context.session = ConversationSession()
 

diff --git a/pyrit/executor/attack/multi_turn/multi_turn_attack_strategy.py b/pyrit/executor/attack/multi_turn/multi_turn_attack_strategy.py
@@ -18,6 +18,7 @@
 )
 from pyrit.memory import CentralMemory
 from pyrit.models import ConversationReference, ConversationType
+from pyrit.prompt_target.common.target_capabilities import CapabilityName
 
 if TYPE_CHECKING:
     from pyrit.models import (
@@ -117,7 +118,7 @@ def _rotate_conversation_for_single_turn_target(
         Args:
             context: The current attack context.
         """
-        if self._objective_target.capabilities.supports_multi_turn:
+        if self._objective_target.configuration.includes(capability=CapabilityName.MULTI_TURN):
             return
 
         if context.executed_turns == 0: