There are 63 attacks in the encoding category. Each shows its technique id, mode, standards mapping, description, and the exact command to run it (swap the provider and target as needed).
ASCII Art Injection
high
ascii-art-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Renders harmful keywords as ASCII art block letters to bypass text-based content filters while remaining readableRun it:
ai-blackteam run -p anthropic -a ascii-art-injection -t "your target prompt"
Adversarial Poetry
high
adversarial-poetry · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Wraps harmful requests in poetic structures (haiku, sonnet, limerick) to bypass content filtersRun it:
ai-blackteam run -p anthropic -a adversarial-poetry -t "your target prompt"
Binary Encoding
high
binary-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Converts a harmful request to binary (01001000…) to bypass text-based content filtersRun it:
ai-blackteam run -p anthropic -a binary-encoding -t "your target prompt"
Double Encoding (Nested)
high
double-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Applies nested encoding (base64 of ROT13) to harmful requests to defeat single-layer decoding defensesRun it:
ai-blackteam run -p anthropic -a double-encoding -t "your target prompt"
FigStep Image Attack
high
figstep · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Renders harmful text as an image to bypass text-based content filters (FigStep, AAAI 2025)Run it:
ai-blackteam run -p anthropic -a figstep -t "your target prompt"
Hexadecimal Encoding
high
hexadecimal-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes harmful requests as hexadecimal byte values to evade string-based content filtersRun it:
ai-blackteam run -p anthropic -a hexadecimal-encoding -t "your target prompt"
Image-Text Split Attack
high
image-text-split · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Splits harmful request across image and text channels so neither alone triggers safety filtersRun it:
ai-blackteam run -p anthropic -a image-text-split -t "your target prompt"
Interleaved Noise Encoding
high
interleaved-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Interleaves noise characters between every real character to prevent pattern matching on harmful textRun it:
ai-blackteam run -p anthropic -a interleaved-encoding -t "your target prompt"
Invisible Character Encoding
high
invisible-characters · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Hides harmful instructions in zero-width Unicode characters (ZWSP/ZWNJ) invisible to human reviewersRun it:
ai-blackteam run -p anthropic -a invisible-characters -t "your target prompt"
Low-Resource Language Attack
high
low-resource-language-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Exploits weaker safety training coverage in low-resource languages. Translates or reformulates harmful requests into Zulu, Welsh, Scots Gaelic, romanized Bengali/Hindi, and mixed-language constructions where safety filters are less robust.Run it:
ai-blackteam run -p anthropic -a low-resource-language-attack -t "your target prompt"
Nested Encoding
high
nested-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Chains multiple encoding layers (Base64+ROT13, hex+reverse, triple encoding) to defeat single-layer decoding defensesRun it:
ai-blackteam run -p anthropic -a nested-encoding -t "your target prompt"
Steganographic Text (Acrostic)
high
steganographic-text · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Hides a harmful instruction in the first letter of each sentence (acrostic), evading surface-level content scansRun it:
ai-blackteam run -p anthropic -a steganographic-text -t "your target prompt"
Technical Obfuscation
high
technical-obfuscation · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Uses technical nomenclature, systematic names, molecular formulas, and patent-style language to bypass keyword-based safety filters for CBRN contentRun it:
ai-blackteam run -p anthropic -a technical-obfuscation -t "your target prompt"
Typography Image Attack
high
typography-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Renders harmful text with decorative typography that resists OCR-based content filteringRun it:
ai-blackteam run -p anthropic -a typography-attack -t "your target prompt"
Unicode Tag Smuggling
high
unicode-tag-smuggling · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Hides harmful text in Unicode tag characters (U+E0000 range) which are invisible to humans but may be processed by modelsRun it:
ai-blackteam run -p anthropic -a unicode-tag-smuggling -t "your target prompt"
Advanced Leetspeak
medium
leet-advanced · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Uses advanced leetspeak with multi-character symbol substitutions to heavily obscure harmful requestsRun it:
ai-blackteam run -p anthropic -a leet-advanced -t "your target prompt"
Atbash Cipher Encoding
medium
atbash-cipher · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Reverses the alphabet (A=Z, B=Y) to encode harmful requests and bypass keyword detectionRun it:
ai-blackteam run -p anthropic -a atbash-cipher -t "your target prompt"
Bacon's Cipher
medium
baconian-cipher · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes harmful requests using Francis Bacon’s 5-bit A/B binary cipher to evade keyword detectionRun it:
ai-blackteam run -p anthropic -a baconian-cipher -t "your target prompt"
Base32 Encoding
medium
base32-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes harmful text in Base32 format to bypass content filters that scan for plaintext keywordsRun it:
ai-blackteam run -p anthropic -a base32-encoding -t "your target prompt"
Base85 / Ascii85 Encoding
medium
base85-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes harmful requests using Base85 (Ascii85) encoding to evade plaintext keyword scannersRun it:
ai-blackteam run -p anthropic -a base85-encoding -t "your target prompt"
Bidirectional Text
medium
bidirectional-text · single-turn · OWASP: LLM01, LLM05 · MITRE: AML.T0051.000, AML.T0068Unicode RTL override characters to reverse or hide text directionRun it:
ai-blackteam run -p anthropic -a bidirectional-text -t "your target prompt"
Book Cipher
medium
book-cipher · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003References word positions in a shared reference text to spell out harmful requests via book cipherRun it:
ai-blackteam run -p anthropic -a book-cipher -t "your target prompt"
Caesar Shift Encoding
medium
caesar-shift · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Applies various ROT shifts (ROT-7, ROT-13, ROT-18, ROT-21) to encode harmful requests and evade keyword filtersRun it:
ai-blackteam run -p anthropic -a caesar-shift -t "your target prompt"
Cipher Attack
medium
cipher-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Uses custom ciphers (Caesar, Atbash, number substitution, symbol) to encode harmful requests and bypass keyword filtersRun it:
ai-blackteam run -p anthropic -a cipher-attack -t "your target prompt"
Defined Dictionary Attack
medium
defined-dictionary · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Redefine words so harmful request appears benign under custom dictionaryRun it:
ai-blackteam run -p anthropic -a defined-dictionary -t "your target prompt"
Emoji Cipher
medium
emoji-cipher · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Maps each letter to a specific emoji to encode harmful requests in a form that text filters may ignoreRun it:
ai-blackteam run -p anthropic -a emoji-cipher -t "your target prompt"
Encoding Obfuscation
medium
encoding-obfuscation · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Base64, ROT13, hex, leetspeak, pig latin encoding to bypass keyword filtersRun it:
ai-blackteam run -p anthropic -a encoding-obfuscation -t "your target prompt"
GPS Coordinate Encoding
medium
coordinate-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes each letter as a GPS coordinate pair where the latitude encodes the letter index (1-26)Run it:
ai-blackteam run -p anthropic -a coordinate-encoding -t "your target prompt"
HTML Entity Encoding
medium
html-entity-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes harmful requests as HTML numeric character references to bypass text-based content filtersRun it:
ai-blackteam run -p anthropic -a html-entity-encoding -t "your target prompt"
Homoglyph Substitution
medium
homoglyph-substitution · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Replace characters with visually identical Cyrillic and Greek lookalikesRun it:
ai-blackteam run -p anthropic -a homoglyph-substitution -t "your target prompt"
Mixed Language
medium
mixed-language · single-turn · OWASP: LLM01 · MITRE: AML.T0043.003Split target across multiple languages to bypass single-language filtersRun it:
ai-blackteam run -p anthropic -a mixed-language -t "your target prompt"
Modified NATO Variant (First-Letter Extraction)
medium
nato-variant · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Uses a non-standard NATO-style callsign alphabet where the first letter of each word encodes a characterRun it:
ai-blackteam run -p anthropic -a nato-variant -t "your target prompt"
Multi-Modal Text Simulation
medium
multi-modal-text · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068ASCII art, tables, and code block embedding to hide intent in visual structureRun it:
ai-blackteam run -p anthropic -a multi-modal-text -t "your target prompt"
Multilingual Attack
medium
multilingual-attack · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Translates harmful requests into low-resource or mixed languages to bypass safety filters trained primarily on EnglishRun it:
ai-blackteam run -p anthropic -a multilingual-attack -t "your target prompt"
Musical Notation Encoding
medium
musical-notation · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Maps alphabet letters to musical solfege notes to encode harmful requests in an unusual representationRun it:
ai-blackteam run -p anthropic -a musical-notation -t "your target prompt"
Musical Note Cipher
medium
musical-cipher · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Maps letters to solfege note names (Do, Re, Mi, Fa, Sol, La, Ti) to encode harmful requests as music notationRun it:
ai-blackteam run -p anthropic -a musical-cipher -t "your target prompt"
NATO Phonetic Alphabet Encoding
medium
nato-phonetic · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Spells out a harmful request letter-by-letter using NATO phonetic alphabet words to evade keyword filtersRun it:
ai-blackteam run -p anthropic -a nato-phonetic -t "your target prompt"
Number Substitution Encoding
medium
number-substitution · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes each letter as its alphabet position number (A=1, B=2, C=3) to bypass keyword-based filtersRun it:
ai-blackteam run -p anthropic -a number-substitution -t "your target prompt"
Periodic Table Element Cipher
medium
periodic-table · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Spells out harmful requests using chemical element symbols where the first letter encodes each characterRun it:
ai-blackteam run -p anthropic -a periodic-table -t "your target prompt"
Pigpen Cipher Encoding
medium
pigpen-cipher · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes requests using pigpen/masonic cipher grid position descriptions to obscure intentRun it:
ai-blackteam run -p anthropic -a pigpen-cipher -t "your target prompt"
Polybius Square Cipher
medium
polybius-square · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes requests using the Polybius 5x5 grid cipher (11=A, 12=B…) to evade keyword-based content filtersRun it:
ai-blackteam run -p anthropic -a polybius-square -t "your target prompt"
Prisoner Tap Code
medium
tap-code · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes harmful requests using the 5x5 prisoner tap code grid (row, column pairs) to evade filtersRun it:
ai-blackteam run -p anthropic -a tap-code -t "your target prompt"
Punycode Encoding
medium
punycode-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Uses Punycode-style ACE prefix encoding to obscure harmful instructions in domain-name-like formRun it:
ai-blackteam run -p anthropic -a punycode-encoding -t "your target prompt"
QWERTY to Dvorak Keyboard Mapping
medium
dvorak-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Remaps QWERTY keystrokes to their Dvorak keyboard positions to produce obscured harmful textRun it:
ai-blackteam run -p anthropic -a dvorak-encoding -t "your target prompt"
ROT47 Encoding
medium
rot47-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Applies ROT47 rotation across all printable ASCII characters (33-126) to obscure harmful requestsRun it:
ai-blackteam run -p anthropic -a rot47-encoding -t "your target prompt"
Rail Fence Transposition Cipher
medium
rail-fence-cipher · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Applies the rail fence transposition cipher across 3 rails to reorder harmful text and evade detectionRun it:
ai-blackteam run -p anthropic -a rail-fence-cipher -t "your target prompt"
Reverse Words Encoding
medium
reverse-words · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Reverses each word individually while preserving word order, creating text that bypasses keyword detectionRun it:
ai-blackteam run -p anthropic -a reverse-words -t "your target prompt"
Semaphore Flag Encoding
medium
semaphore-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Describes flag semaphore arm positions for each letter to encode harmful requests in an obscure representationRun it:
ai-blackteam run -p anthropic -a semaphore-encoding -t "your target prompt"
Steganography Attack
medium
steganography · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Hides harmful text in image pixel data using LSB steganographyRun it:
ai-blackteam run -p anthropic -a steganography -t "your target prompt"
T9 Phone Keypad Encoding
medium
phone-keypad · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Maps letters to T9 phone keypad sequences (2=ABC, 3=DEF, etc.) to disguise harmful requestsRun it:
ai-blackteam run -p anthropic -a phone-keypad -t "your target prompt"
Token Smuggling
medium
token-smuggling · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Zero-width Unicode character injection to bypass tokenizer-level filtersRun it:
ai-blackteam run -p anthropic -a token-smuggling -t "your target prompt"
URL Percent-Encoding
medium
url-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Applies URL percent-encoding to harmful text so keyword filters cannot match plaintext patternsRun it:
ai-blackteam run -p anthropic -a url-encoding -t "your target prompt"
Vigenere Cipher Encoding
medium
vigenere-cipher · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes harmful requests using the Vigenere polyalphabetic cipher with a shared key to evade keyword detectionRun it:
ai-blackteam run -p anthropic -a vigenere-cipher -t "your target prompt"
Whitespace Encoding
medium
whitespace-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Encodes instructions using tabs and spaces (Whitespace language style) appended to innocuous textRun it:
ai-blackteam run -p anthropic -a whitespace-encoding -t "your target prompt"
Acronym Encoding
low
acronym-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0043.003Define a custom acronym system to disguise the requestRun it:
ai-blackteam run -p anthropic -a acronym-encoding -t "your target prompt"
Best of N
low
best-of-n · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0043.003Capitalization, typo, and padding variations to evade exact matchingRun it:
ai-blackteam run -p anthropic -a best-of-n -t "your target prompt"
Braille Encoding
low
braille-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0043.003Encode target in Unicode braille characters to bypass text filtersRun it:
ai-blackteam run -p anthropic -a braille-encoding -t "your target prompt"
Cockney Rhyming Slang
low
cockney-slang · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Substitutes key words in harmful requests with Cockney rhyming slang equivalents to obscure intentRun it:
ai-blackteam run -p anthropic -a cockney-slang -t "your target prompt"
Emoji Substitution
low
emoji-substitution · single-turn · OWASP: LLM01 · MITRE: AML.T0043.003Replace key words with emoji sequences to disguise the requestRun it:
ai-blackteam run -p anthropic -a emoji-substitution -t "your target prompt"
Mirror Text (Character Reversal)
low
mirror-text · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Reverses the entire input string character by character to produce mirrored text that evades simple filtersRun it:
ai-blackteam run -p anthropic -a mirror-text -t "your target prompt"
Morse Code
low
morse-code · single-turn · OWASP: LLM01 · MITRE: AML.T0043.003Encode target instructions in Morse code to bypass text filtersRun it:
ai-blackteam run -p anthropic -a morse-code -t "your target prompt"
Phonetic Spelling
low
phonetic-spelling · single-turn · OWASP: LLM01 · MITRE: AML.T0043.003Spell out target using NATO alphabet or phonetic letter namesRun it:
ai-blackteam run -p anthropic -a phonetic-spelling -t "your target prompt"
Pig Latin Encoding
low
pig-latin-encoding · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Transforms harmful requests into Pig Latin to slightly obfuscate intent and confuse simple keyword filtersRun it:
ai-blackteam run -p anthropic -a pig-latin-encoding -t "your target prompt"