Meet our new researcher: Dr Jing Xu
Posted on Friday 3 July 2026
1. Can you tell us a little about your research background and specialities?
My research sits at the intersection of machine learning security, privacy, and trustworthy AI. I completed my PhD at Delft University of Technology, where my thesis focused on backdoor attacks against Graph Neural Networks (GNNs), a topic I explored across a range of settings including federated learning, clean-label scenarios, multi-target attacks, and explainability-guided attacks. During that time I published over ten papers at top-tier venues including CCS, ACSAC, and Euro S&P.
Since late 2023 I have been a Postdoctoral Researcher at CISPA Helmholtz Center for Information Security, where my work has broadened toward privacy-preserving machine learning, particularly differential privacy applied to LLMs and prompt tuning, as well as model fingerprinting and IP protection for generative models.
My core specialities are: adversarial attacks and defences across GNNs and foundation models; privacy mechanisms including differential privacy and membership inference; and the security and privacy risks introduced by the training pipelines of modern foundation models. Across all of these areas, my work tends to explore the internal vulnerabilities of current AI models and analyse how they could be exploited by external attackers, causing serious consequences in real-world applications, especially in safety-critical scenarios.
2. You’ve joined the CfAA as a Proleptic Lecturer which is an unusual role. Can you tell us what that involves?
Yes, it is quite a distinctive structure and one I found very appealing. The role is essentially a two-phase appointment. For the first three years I am working as a Research Fellow within the Centre for Assuring Autonomy, with a primary focus on developing my research in AI safety, before formally transitioning into a full Lectureship in the Department of Computer Science in 2029. The position is generously supported by a philanthropic gift from the Joan & Irwin Jacobs Foundation.
What I find particularly valuable about this structure is that it gives me dedicated time to build a strong, focused research agenda at the intersection of AI and safety before taking on the full responsibilities of teaching and administration. That said, the role does offer the option to contribute to teaching and departmental activities earlier, by mutual agreement, which I see as a great opportunity to begin developing that side of my academic career gradually and thoughtfully rather than all at once.
In practical terms, during the research fellowship phase I am contributing to the CfAA's core mission, which centres on drawing together AI methods and safety analysis to help realise the benefits of AI whilst ensuring it can be deployed responsibly and safely. This aligns very naturally with my own research background in the security and trustworthiness of AI systems, so the transition into the full lectureship feels like a well-designed and coherent progression.
3. What will your research focus be at the CfAA?
My research at the CfAA will focus on investigating the safety and security vulnerabilities of modern AI systems, particularly foundation models and multi-agent systems, and developing principled defences against them. This builds directly on my PhD and postdoctoral expertise in backdoor attacks and privacy-preserving machine learning, while pushing into new and timely directions that align closely with the CfAA's mission.
One key direction is the security of LLM-based multi-agent systems, where multiple specialised AI agents collaborate through shared tools, memories, and protocols. This architecture introduces a fundamentally new attack surface. Furthermore, I plan to investigate the safety and security of multimodal foundation models, such as Vision-Language Models, which are increasingly deployed in safety-critical domains like autonomous driving and medical imaging. In addition, I aim to more broadly explore the safety of LLMs from a security perspective. One concrete example is sycophancy, where LLMs systematically over-validate user claims even in harmful contexts, and which I think would be interesting to explore its relationship with security properties of LLMs, e.g., jailbreak vulnerabilities.
Taken together, these directions form a coherent research agenda around the internal vulnerabilities of deployed AI systems and how they can be exploited at scale.
4. What have been your career highlights so far?
There are a few moments and achievements that stand out as particularly meaningful to me. The first is successfully defending my PhD at Delft University of Technology in 2024. It represented the culmination of five years of work on backdoor attacks against GNNs.
Joining CISPA Helmholtz Center for Information Security as a Postdoctoral Researcher has also been a highlight. Working within the SprintML Lab has allowed me to broaden my expertise significantly into differential privacy and the security of LLMs, and collaborating with excellent researchers there has shaped much of my current research vision.
Beyond publications, I value the collaborative and international dimension of my career so far, including visiting researcher stays at Padova University and TU Darmstadt, collaborating with excellent researchers from industry and academia, e.g., DeepMind. These experiences have reinforced my commitment to building research that is not only technically rigorous but also broadly impactful across the community.