ascii-art-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Renders harmful keywords as ASCII art block letters to bypass text-based content filters while remaining readableRun it:adversarial-poetry · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Wraps harmful requests in poetic structures (haiku, sonnet, limerick) to bypass content filtersRun it:binary-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Converts a harmful request to binary (01001000…) to bypass text-based content filtersRun it:double-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Applies nested encoding (base64 of ROT13) to harmful requests to defeat single-layer decoding defensesRun it:figstep · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Renders harmful text as an image to bypass text-based content filters (FigStep, AAAI 2025)Run it:hexadecimal-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes harmful requests as hexadecimal byte values to evade string-based content filtersRun it:image-text-split · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Splits harmful request across image and text channels so neither alone triggers safety filtersRun it:interleaved-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Interleaves noise characters between every real character to prevent pattern matching on harmful textRun it:invisible-characters · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Hides harmful instructions in zero-width Unicode characters (ZWSP/ZWNJ) invisible to human reviewersRun it:low-resource-language-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Exploits weaker safety training coverage in low-resource languages. Translates or reformulates harmful requests into Zulu, Welsh, Scots Gaelic, romanized Bengali/Hindi, and mixed-language constructions where safety filters are less robust.Run it:nested-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Chains multiple encoding layers (Base64+ROT13, hex+reverse, triple encoding) to defeat single-layer decoding defensesRun it:steganographic-text · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Hides a harmful instruction in the first letter of each sentence (acrostic), evading surface-level content scansRun it:technical-obfuscation · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Uses technical nomenclature, systematic names, molecular formulas, and patent-style language to bypass keyword-based safety filters for CBRN contentRun it:typography-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Renders harmful text with decorative typography that resists OCR-based content filteringRun it:unicode-tag-smuggling · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Hides harmful text in Unicode tag characters (U+E0000 range) which are invisible to humans but may be processed by modelsRun it:leet-advanced · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Uses advanced leetspeak with multi-character symbol substitutions to heavily obscure harmful requestsRun it:atbash-cipher · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Reverses the alphabet (A=Z, B=Y) to encode harmful requests and bypass keyword detectionRun it:baconian-cipher · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes harmful requests using Francis Bacon’s 5-bit A/B binary cipher to evade keyword detectionRun it:base32-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes harmful text in Base32 format to bypass content filters that scan for plaintext keywordsRun it:base85-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes harmful requests using Base85 (Ascii85) encoding to evade plaintext keyword scannersRun it:bidirectional-text · single-turn · OWASP: LLM01, LLM05 · MITRE: AML.T0051.000, AML.T0068Unicode RTL override characters to reverse or hide text directionRun it:book-cipher · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003References word positions in a shared reference text to spell out harmful requests via book cipherRun it:caesar-shift · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Applies various ROT shifts (ROT-7, ROT-13, ROT-18, ROT-21) to encode harmful requests and evade keyword filtersRun it:cipher-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Uses custom ciphers (Caesar, Atbash, number substitution, symbol) to encode harmful requests and bypass keyword filtersRun it:defined-dictionary · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Redefine words so harmful request appears benign under custom dictionaryRun it:emoji-cipher · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Maps each letter to a specific emoji to encode harmful requests in a form that text filters may ignoreRun it:encoding-obfuscation · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Base64, ROT13, hex, leetspeak, pig latin encoding to bypass keyword filtersRun it:coordinate-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes each letter as a GPS coordinate pair where the latitude encodes the letter index (1-26)Run it:html-entity-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes harmful requests as HTML numeric character references to bypass text-based content filtersRun it:homoglyph-substitution · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Replace characters with visually identical Cyrillic and Greek lookalikesRun it:mixed-language · single-turn · OWASP: LLM01 · MITRE: AML.T0043.003Split target across multiple languages to bypass single-language filtersRun it:nato-variant · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Uses a non-standard NATO-style callsign alphabet where the first letter of each word encodes a characterRun it:multi-modal-text · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068ASCII art, tables, and code block embedding to hide intent in visual structureRun it:multilingual-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Translates harmful requests into low-resource or mixed languages to bypass safety filters trained primarily on EnglishRun it:musical-notation · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Maps alphabet letters to musical solfege notes to encode harmful requests in an unusual representationRun it:musical-cipher · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Maps letters to solfege note names (Do, Re, Mi, Fa, Sol, La, Ti) to encode harmful requests as music notationRun it:nato-phonetic · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Spells out a harmful request letter-by-letter using NATO phonetic alphabet words to evade keyword filtersRun it:number-substitution · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes each letter as its alphabet position number (A=1, B=2, C=3) to bypass keyword-based filtersRun it:periodic-table · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Spells out harmful requests using chemical element symbols where the first letter encodes each characterRun it:pigpen-cipher · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes requests using pigpen/masonic cipher grid position descriptions to obscure intentRun it:polybius-square · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes requests using the Polybius 5x5 grid cipher (11=A, 12=B…) to evade keyword-based content filtersRun it:tap-code · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes harmful requests using the 5x5 prisoner tap code grid (row, column pairs) to evade filtersRun it:punycode-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Uses Punycode-style ACE prefix encoding to obscure harmful instructions in domain-name-like formRun it:dvorak-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Remaps QWERTY keystrokes to their Dvorak keyboard positions to produce obscured harmful textRun it:rot47-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Applies ROT47 rotation across all printable ASCII characters (33-126) to obscure harmful requestsRun it:rail-fence-cipher · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Applies the rail fence transposition cipher across 3 rails to reorder harmful text and evade detectionRun it:reverse-words · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Reverses each word individually while preserving word order, creating text that bypasses keyword detectionRun it:semaphore-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Describes flag semaphore arm positions for each letter to encode harmful requests in an obscure representationRun it:steganography · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Hides harmful text in image pixel data using LSB steganographyRun it:phone-keypad · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Maps letters to T9 phone keypad sequences (2=ABC, 3=DEF, etc.) to disguise harmful requestsRun it:token-smuggling · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Zero-width Unicode character injection to bypass tokenizer-level filtersRun it:url-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Applies URL percent-encoding to harmful text so keyword filters cannot match plaintext patternsRun it:vigenere-cipher · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes harmful requests using the Vigenere polyalphabetic cipher with a shared key to evade keyword detectionRun it:whitespace-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes instructions using tabs and spaces (Whitespace language style) appended to innocuous textRun it:acronym-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0043.003Define a custom acronym system to disguise the requestRun it:best-of-n · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0043.003Capitalization, typo, and padding variations to evade exact matchingRun it:braille-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0043.003Encode target in Unicode braille characters to bypass text filtersRun it:cockney-slang · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Substitutes key words in harmful requests with Cockney rhyming slang equivalents to obscure intentRun it:emoji-substitution · single-turn · OWASP: LLM01 · MITRE: AML.T0043.003Replace key words with emoji sequences to disguise the requestRun it:mirror-text · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Reverses the entire input string character by character to produce mirrored text that evades simple filtersRun it:morse-code · single-turn · OWASP: LLM01 · MITRE: AML.T0043.003Encode target instructions in Morse code to bypass text filtersRun it:phonetic-spelling · single-turn · OWASP: LLM01 · MITRE: AML.T0043.003Spell out target using NATO alphabet or phonetic letter namesRun it:pig-latin-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Transforms harmful requests into Pig Latin to slightly obfuscate intent and confuse simple keyword filtersRun it: