AI Attacks
Eight LLM jailbreak patterns from persona hijacking to adversarial suffixes, paired with the defenses that blunt them
Attack Techniques

LLM Jailbreak Techniques Explained: Eight Attack Patterns and What Defenders Do About Them

A technical breakdown of the eight most-used LLM jailbreak techniques — persona hijacking, many-shot flooding, adversarial suffixes, indirect injection

By Aiattacks Editorial · · 8 min read

LLM jailbreak techniques explained, in plain technical terms: a jailbreak is any input that makes a model execute a request its safety training was supposed to block. The term covers a wide range of techniques, from trivial role-play prompts that work on unpatched older systems to algorithmically optimized adversarial suffixes that transfer across model families. OWASP classifies jailbreaking as a specialized subset of prompt injection — the top-ranked vulnerability in the OWASP Top 10 for LLM Applications 2025 — because both share the same root cause: the model cannot reliably distinguish instruction from data.

The Core Technique Classes

Understanding jailbreaks as a taxonomy matters. A red-teamer probing a new model deployment will cycle through several families before escalating to automated tooling.

Persona hijacking (DAN-style attacks)

The attacker instructs the model to adopt an alternate identity — typically a fictional AI with “no restrictions.” The classic variant is the “Do Anything Now” (DAN) prompt, which has gone through dozens of versioned iterations as vendors patch specific phrasings. The underlying exploit is a conflict in the model’s objectives: it was trained to be helpful and to roleplay, and those objectives can be weaponized against the safety objective. Later variants frame the persona as a character the model is “narrating” rather than becoming, to sidestep direct safety checks.

Hypothetical and academic framing

Wrapping a prohibited request in fiction or a research context is one of the oldest jailbreak patterns. “Write a story where a character explains…” or “for a cybersecurity paper, describe the mechanism of…” These succeed because the model may treat the fictional wrapper as a signal that real-world policy doesn’t apply. Effectiveness varies significantly by request type and model; current frontier models have been patched against obvious variants, but creative reformulations continue to find gaps.

Payload splitting (multi-turn assembly)

Instead of submitting a complete policy-violating request in one message, the attacker fragments it across several turns. Individually, each fragment passes safety evaluation. A follow-up prompt — “combine the steps you mentioned earlier into a single procedure” — causes the model to synthesize the prohibited output from parts it had already cleared. This technique is particularly effective in agent frameworks where context accumulates across many tool calls and intermediate outputs.

Many-shot jailbreaking

NeurIPS 2024 research demonstrated that harmful response rates rise from approximately 0% at 22 demonstration shots to 60–80% at 28 or more shots across major commercial models. The attack floods the context window with harmful question-answer demonstrations, normalizing the pattern until the model continues it. The technique scales directly with context length — larger context windows create larger attack surface. SentinelOne’s analysis notes this is enabled by the industry trend toward 128K+ token windows.

Adversarial suffix optimization (GCG-style attacks)

Researchers developed Greedy Coordinate Gradient (GCG) and related attacks that append algorithmically generated token sequences to a harmful prompt. The suffix looks like noise to a human reader but manipulates internal model activations to produce compliant outputs. Critically, suffixes optimized against one model often transfer to others — a property that turns automated jailbreak generation into a supply-chain problem rather than a per-model issue.

Low-resource language attacks

Models trained primarily on English-language data have weaker safety training coverage in lower-resource languages. Translating a prohibited prompt into a lesser-trained language, submitting it, and translating the response back achieves consistent bypass rates on models with strong English-language guardrails. The attack requires no specialized tooling and is difficult to patch without retraining or adding language-aware filters at the input layer.

Context window flooding

The attacker pads the prompt with large volumes of benign text to push the system prompt toward the edge of the model’s context window. Models with sliding-attention or truncation implementations may deprioritize distant instructions. A simple override command appended at the end can then take effect. This is less reliable on modern architectures but remains a concern in systems where user content is appended after system instructions with no positional weighting.

Indirect prompt injection

The attacker does not craft the model’s prompt directly. Instead, they plant instructions in external content the model will consume: a web page, a PDF, a calendar event, an email body. When the LLM agent fetches or summarizes that content, it executes the embedded instructions. The OWASP LLM01:2025 documentation cites real examples including resumes with split prompts that manipulate hiring AI and web pages that instruct summarization agents to exfiltrate conversation history. This variant requires no access to the model’s interface — only to content the model will process — making it the highest-priority concern for agentic deployments. For coverage of guardrail architectures designed to block this class of attack, guardml.io covers content filter patterns and AI safety tooling in depth.

Why These Work and What to Do About It

Jailbreaks succeed because LLM safety training is statistical, not rule-based. The model learns correlations between inputs and safe outputs; adversarial inputs exploit the gap between that statistical approximation and the actual policy boundary. Research framing jailbreaks as cybersecurity threats categorizes their real-world impact: misinformation generation, automated social engineering, hazardous content production, and sensitive data extraction. Public jailbreak databases catalog thousands of working prompts against production systems — this is not a theoretical concern.

Five defender actions that materially reduce attack surface:

1. Constrain output format. Forcing structured output — JSON with a defined schema, for example — limits the model’s ability to produce free-form harmful content even when the input is jailbroken. The schema acts as an implicit filter.

2. Separate untrusted content. In RAG and agent pipelines, tag external content as untrusted and route it through an output sanitizer before it reaches the model’s instruction context. Treat every document an agent fetches as potentially adversarial.

3. Audit tool permissions. Agents should operate under least privilege. A jailbroken agent with access to email, files, and external APIs is orders of magnitude more dangerous than one scoped to read-only access on a single data source.

4. Require human approval on high-risk actions. An interrupt before irreversible operations — sending an email, executing code, writing to a database — breaks the indirect injection kill chain before it completes.

5. Red-team systematically before deployment. Manual probing misses technique variants. Automated frameworks like garak and PromptFoo run structured jailbreak probes against a model endpoint and report bypass rates by technique class. This is not optional for any system exposed to untrusted users. Aisec.blog tracks active jailbreak research and LLM vulnerability disclosures as they surface, which is useful for keeping red-team probe sets current.

The attack surface grows with every new capability added to LLM deployments: longer context windows, multimodal inputs, broader tool access. Jailbreak resistance is a defense-in-depth problem. Treating it as a training-time solve — one that the model vendor handles — leaves the application layer entirely undefended.

Sources

Sources

  1. LLM01:2025 Prompt Injection — OWASP Gen AI Security Project
  2. Jailbreaking LLMs: Risks & Defensive Tactics — SentinelOne
  3. Preventing Jailbreak Prompts as Malicious Tools for Cybercriminals: A Cyber Defense Perspective
Subscribe

AI Attacks — in your inbox

Practitioner-grade AI red team techniques and tooling. — delivered when there's something worth your inbox.

No spam. Unsubscribe anytime.

Related

Comments