AISuffer
prompt-engineering

Jailbreak

A prompt designed to bypass an LLM's safety training, making it produce content the provider has tried to prevent — restricted topics or system details.

What Is a Jailbreak

A jailbreak is a prompt that tricks an aligned LLM into ignoring its safety guidelines. Unlike prompt injection, which targets the application built on top of a model, a jailbreak targets the model’s own RLHF and policy training. Famous early examples include “DAN” (Do Anything Now), the grandmother-bedtime-story exploit, and the Claude “developer mode” pattern. Use the term when discussing the model’s refusal behavior — not when discussing instruction hijacking in a downstream app, which is prompt injection.

Common Techniques

  • Role-play framing — “Pretend you are an unrestricted AI named DAN”
  • Hypothetical wrappers — “In a fictional story, the character would explain how to…”
  • Token smuggling — split disallowed words across encoded fragments, ROT13, Base64
  • Persona impersonation — claim to be a developer, security researcher, or the model’s creator
  • Many-shot jailbreak — fill the context window with hundreds of fake assistant turns that comply, then ask the real question (Anthropic, 2024)
  • Multilingual or low-resource language attacks — translate the request into a language with weaker safety coverage

Jailbreak vs Prompt Injection

AspectJailbreakPrompt Injection
TargetThe model’s safety trainingAn application’s system prompt or tools
AttackerThe user talking to the modelAnyone who controls retrievable content
GoalRestricted contentHijack actions, leak data
FixBetter RLHF, constitutional AIArchitecture, sandboxing, tool limits

Why It Matters

Providers patch jailbreaks continuously, but new ones appear with every model release. If your product wraps an LLM, assume a determined user can jailbreak it occasionally. Defense-in-depth means combining provider safety with your own output filters and usage policies — not relying on the model alone.