There are 63 attacks in the prompt-injection category. Each shows its technique id, mode, standards mapping, description, and the exact command to run it (swap the provider and target as needed).
AutoDAN Genetic Jailbreak
critical
autodan-genetic · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Genetic algorithm-generated fluent jailbreak prompts that maintain readability while bypassing safety (AutoDAN, arXiv 2310.15140). Delegates to AutoDANGenerator when a target_provider is available; falls back to seed templates for static batch use.Run it:
ai-blackteam run -p anthropic -a autodan-genetic -t "your target prompt"
GCG-Style Adversarial Suffix Templates
critical
gcg-style-templates · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Pre-collected adversarial suffixes inspired by GCG-style outputs from public examples. NOT the GCG optimization algorithm itself; the real GCG (Zou et al. 2023, arXiv 2307.15043) requires gradient access to open-weights models and is not yet implemented in ai-blackteam.Run it:
ai-blackteam run -p anthropic -a gcg-style-templates -t "your target prompt"
Instruction Hierarchy Bypass
critical
instruction-hierarchy-bypass · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits the model’s instruction hierarchy by claiming higher-privilege context to override safety guidelinesRun it:
ai-blackteam run -p anthropic -a instruction-hierarchy-bypass -t "your target prompt"
Reasoning Model Exploit
critical
reasoning-model-exploit · single-turn · OWASP: LLM01 · MITRE: AML.T0054Exploits chain-of-thought reasoning in thinking models (o1, DeepSeek-R1, etc.) by instructing the model to use its extended reasoning to plan around safety. Research shows ~97% jailbreak success rate on reasoning models via this technique.Run it:
ai-blackteam run -p anthropic -a reasoning-model-exploit -t "your target prompt"
Safety Prompt Negation
critical
safety-prompt-negation · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Directly negates or cancels the system safety prompt by asserting its removal or replacement before issuing a harmful instructionRun it:
ai-blackteam run -p anthropic -a safety-prompt-negation -t "your target prompt"
System Message Spoof
critical
system-message-spoof · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Spoofs system-level messages within user input to override model behaviorRun it:
ai-blackteam run -p anthropic -a system-message-spoof -t "your target prompt"
Attention Manipulation
high
attention-manipulation · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Embeds adversarial tokens and repetition patterns designed to shift model attention away from safety constraints and toward the injected payloadRun it:
ai-blackteam run -p anthropic -a attention-manipulation -t "your target prompt"
Authority Override
high
authority-override · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Claims organizational authority, developer status, or administrative privilege to assert the right to override safety constraintsRun it:
ai-blackteam run -p anthropic -a authority-override -t "your target prompt"
CSV Injection
high
csv-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Embeds prompt injection payloads in CSV-formatted data, exploiting models that parse tabular input with insufficient sanitizationRun it:
ai-blackteam run -p anthropic -a csv-injection -t "your target prompt"
Chain of Thought Hijack
high
chain-of-thought-hijack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Hijacks the model’s reasoning chain by injecting false intermediate steps that lead to a harmful conclusionRun it:
ai-blackteam run -p anthropic -a chain-of-thought-hijack -t "your target prompt"
Comment Injection
high
comment-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Hides injection instructions inside code comments, HTML comments, or other comment syntax that may pass through content filters unseenRun it:
ai-blackteam run -p anthropic -a comment-injection -t "your target prompt"
Completion Steering
high
completion-steering · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Provides a partial answer or leading fragment to steer the model’s completion toward harmful content by exploiting its tendency to continue established patternsRun it:
ai-blackteam run -p anthropic -a completion-steering -t "your target prompt"
Context Switch
high
context-switch · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Inserts a framing device that switches the conversational context, causing safety filters calibrated to the original context to failRun it:
ai-blackteam run -p anthropic -a context-switch -t "your target prompt"
Context Window Injection
high
context-window-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Injects instructions at strategic positions in the context window — beginning, end, or within padding — to exploit position-based attention patternsRun it:
ai-blackteam run -p anthropic -a context-window-injection -t "your target prompt"
Context Window Stuffing
high
context-window-stuffing · single-turn · OWASP: LLM01, LLM10 · MITRE: AML.T0054Fills the context window with thousands of tokens of benign content to push system prompt and safety instructions out of the model’s effective attention window, then appends the actual harmful request at the end.Run it:
ai-blackteam run -p anthropic -a context-window-stuffing -t "your target prompt"
Control Character Injection
high
control-character-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Uses Unicode control characters, null bytes, and formatting characters to manipulate prompt parsing and bypass text-based filtersRun it:
ai-blackteam run -p anthropic -a control-character-injection -t "your target prompt"
Delimiter Escape
high
delimiter-escape · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Escapes prompt delimiters used to separate system context from user input, injecting content into the privileged regionRun it:
ai-blackteam run -p anthropic -a delimiter-escape -t "your target prompt"
Developer Mode
high
developer-mode · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Claims special developer or debug mode access to disable safety guardrails under the guise of legitimate system privilegesRun it:
ai-blackteam run -p anthropic -a developer-mode -t "your target prompt"
Emotional Override
high
emotional-override · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Uses emotional urgency, distress, or appeals to empathy to pressure the model into bypassing safety guidelinesRun it:
ai-blackteam run -p anthropic -a emotional-override -t "your target prompt"
Injection via Examples
high
injection-via-examples · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Hides harmful instructions inside few-shot examples, training the model to comply through demonstrated patternsRun it:
ai-blackteam run -p anthropic -a injection-via-examples -t "your target prompt"
Instruction Override
high
instruction-override · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Directly overrides system instructions by issuing a new, conflicting instruction that claims precedence over prior constraintsRun it:
ai-blackteam run -p anthropic -a instruction-override -t "your target prompt"
JSON Injection
high
json-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Embeds prompt injection payloads inside JSON structures to exploit models that parse structured input with reduced safety scrutinyRun it:
ai-blackteam run -p anthropic -a json-injection -t "your target prompt"
Jailbreak Prompt V2
high
jailbreak-prompt-v2 · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Updated DAN-style and jailbreak prompt patterns that attempt to unlock unconstrained model behavior through explicit capability declarationsRun it:
ai-blackteam run -p anthropic -a jailbreak-prompt-v2 -t "your target prompt"
Multi Language Injection
high
multi-language-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Embeds injection payloads across multiple languages in a single prompt to confuse language-specific safety classifiersRun it:
ai-blackteam run -p anthropic -a multi-language-injection -t "your target prompt"
Multiline Injection
high
multiline-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Splits the injection payload across multiple lines to evade single-line pattern matching filters and line-by-line content classifiersRun it:
ai-blackteam run -p anthropic -a multiline-injection -t "your target prompt"
Multimodal Injection
high
multimodal-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Injects instructions through cross-modal content such as image alt text, OCR output, or embedded metadata describing a hidden payloadRun it:
ai-blackteam run -p anthropic -a multimodal-injection -t "your target prompt"
Output to Input Loop
high
output-to-input-loop · multi-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Feeds the model’s own output back as input in an escalating loop, gradually shifting behavior until safety constraints are erodedRun it:
ai-blackteam run -p anthropic -a output-to-input-loop -t "your target prompt"
Prefix Injection
high
prefix-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0065Forces the model to begin its response with affirmative text, bypassing the refusal pathway by constraining the output prefixRun it:
ai-blackteam run -p anthropic -a prefix-injection -t "your target prompt"
Prompt Chaining Exploit
high
prompt-chaining-exploit · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits LLM pipeline architectures where one model’s output becomes another model’s input, injecting instructions that propagate through the chainRun it:
ai-blackteam run -p anthropic -a prompt-chaining-exploit -t "your target prompt"
Prompt Format Exploit
high
prompt-format-exploit · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits known prompt template formats (chat ML, Llama, Alpaca, etc.) by injecting fake role delimiters to hijack the conversation structureRun it:
ai-blackteam run -p anthropic -a prompt-format-exploit -t "your target prompt"
Prompt Leaking Chain
high
prompt-leaking-chain · multi-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Chains multiple low-suspicion queries to incrementally reconstruct the full system prompt by correlating partial disclosuresRun it:
ai-blackteam run -p anthropic -a prompt-leaking-chain -t "your target prompt"
Prompt Nesting
high
prompt-nesting · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Wraps the malicious instruction in deeply nested hypothetical or quoted structures to dilute safety evaluation of the innermost payloadRun it:
ai-blackteam run -p anthropic -a prompt-nesting -t "your target prompt"
Refusal Suppression
high
refusal-suppression · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0065Instructs the model to suppress safety refusals, warnings, and disclaimers before presenting the harmful requestRun it:
ai-blackteam run -p anthropic -a refusal-suppression -t "your target prompt"
Response Constraints
high
response-constraints · single-turn · OWASP: LLM01, LLM05 · MITRE: AML.T0054, AML.T0051.000Suppress safety disclaimers via output formatting rules to prevent model from adding caveatsRun it:
ai-blackteam run -p anthropic -a response-constraints -t "your target prompt"
Role Assignment
high
role-assignment · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Assigns the model a new unconstrained role or persona to bypass safety guidelines tied to its default identityRun it:
ai-blackteam run -p anthropic -a role-assignment -t "your target prompt"
Semantic Injection
high
semantic-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Crafts semantically valid and innocent-seeming text that, when interpreted by the model, triggers harmful behaviorRun it:
ai-blackteam run -p anthropic -a semantic-injection -t "your target prompt"
Skeleton Key
high
skeleton-key · multi-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0051.000Request model augment its guidelines to warn instead of refuseRun it:
ai-blackteam run -p anthropic -a skeleton-key -t "your target prompt"
Split and Reassemble
high
split-reassemble · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Splits harmful requests into variable definitions, ROT13 fragments, or acronyms that must be reassembled to reveal the payloadRun it:
ai-blackteam run -p anthropic -a split-reassemble -t "your target prompt"
Structured Output Exploit
high
structured-output-exploit · single-turn · OWASP: LLM01, LLM05 · MITRE: AML.T0054, AML.T0068Exploits structured output (JSON mode, function calling schemas) to bypass safety by constraining the model’s decoding to include harmful tokensRun it:
ai-blackteam run -p anthropic -a structured-output-exploit -t "your target prompt"
System Prompt Extraction
high
system-prompt-extraction · multi-turn · OWASP: LLM07, LLM02 · MITRE: AML.T0056, AML.T0069.002JSON schema, chain-of-thought, and error correction to leak system promptsRun it:
ai-blackteam run -p anthropic -a system-prompt-extraction -t "your target prompt"
Technical Jargon Injection
high
technical-jargon-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Embeds injection payloads inside dense technical language, jargon, or domain-specific terminology that may evade surface-level content filtersRun it:
ai-blackteam run -p anthropic -a technical-jargon-injection -t "your target prompt"
Template Injection
high
template-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits prompt template variables and placeholders to inject instructions that are interpolated into privileged positionsRun it:
ai-blackteam run -p anthropic -a template-injection -t "your target prompt"
Token Prediction Exploit
high
token-prediction-exploit · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Crafts prompts that exploit next-token prediction by establishing high-probability completion paths that lead to policy-violating outputsRun it:
ai-blackteam run -p anthropic -a token-prediction-exploit -t "your target prompt"
Unicode Injection
high
unicode-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits Unicode normalization, homoglyphs, and bidirectional text markers to smuggle injection payloads past text-based safety filtersRun it:
ai-blackteam run -p anthropic -a unicode-injection -t "your target prompt"
Virtual Prompt Injection
high
virtual-prompt-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Manipulates the model’s own generated content to act as injected instructions, exploiting the model’s tendency to follow its own outputRun it:
ai-blackteam run -p anthropic -a virtual-prompt-injection -t "your target prompt"
XML Boundary Injection
high
xml-boundary-injection · single-turn · OWASP: LLM01, LLM07, LLM05 · MITRE: AML.T0051.001, AML.T0068Fake XML closing tags to escape system prompt boundariesRun it:
ai-blackteam run -p anthropic -a xml-boundary-injection -t "your target prompt"
XML Injection
high
xml-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Embeds adversarial instructions inside XML tags and entity definitions to smuggle payloads through XML-aware prompt parsersRun it:
ai-blackteam run -p anthropic -a xml-injection -t "your target prompt"
YAML Injection
high
yaml-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Hides prompt injection payloads in YAML-formatted input, exploiting parsers and models that process YAML with relaxed content checkingRun it:
ai-blackteam run -p anthropic -a yaml-injection -t "your target prompt"
Completion Exploit
medium
completion-exploit · single-turn · OWASP: LLM01, LLM05 · MITRE: AML.T0051.000, AML.T0065Fake transcripts and JSON completion to trick model into continuing harmful contentRun it:
ai-blackteam run -p anthropic -a completion-exploit -t "your target prompt"
Compound Instruction Attack
medium
compound-instruction · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0065Combine multiple conflicting instructions to overwhelm safety decision logicRun it:
ai-blackteam run -p anthropic -a compound-instruction -t "your target prompt"
Context Overflow
medium
context-overflow · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0065Pads prompts with large volumes of benign text to push the harmful request past the model’s attention windowRun it:
ai-blackteam run -p anthropic -a context-overflow -t "your target prompt"
DAN Variants
medium
dan-variants · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0051.000DAN, EDUALC, Opposite Day, and Professor persona override attemptsRun it:
ai-blackteam run -p anthropic -a dan-variants -t "your target prompt"
Few-Shot Amplification
medium
few-shot-amplification · single-turn · OWASP: LLM01, LLM02 · MITRE: AML.T0051.000, AML.T0065Benign examples followed by encoded harmful target to exploit pattern followingRun it:
ai-blackteam run -p anthropic -a few-shot-amplification -t "your target prompt"
Instruction Repetition
medium
instruction-repetition · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Repeats the harmful instruction many times to overwhelm the context window and increase the probability of compliance through sheer repetitionRun it:
ai-blackteam run -p anthropic -a instruction-repetition -t "your target prompt"
Many-Shot Jailbreak
medium
many-shot · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0065Fabricated Q&A context flooding to overwhelm safety alignmentRun it:
ai-blackteam run -p anthropic -a many-shot -t "your target prompt"
Markdown Injection
medium
markdown-injection · single-turn · OWASP: LLM01, LLM05 · MITRE: AML.T0051.001, AML.T0068, AML.T0067Hidden HTML divs, comments, and table formatting to conceal harmful intentRun it:
ai-blackteam run -p anthropic -a markdown-injection -t "your target prompt"
Meta-Prompting
medium
meta-prompting · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0065Ask the model to generate its own jailbreak prompts for a given targetRun it:
ai-blackteam run -p anthropic -a meta-prompting -t "your target prompt"
Payload Splitting
medium
payload-splitting · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Split harmful request across variables then concatenate to bypass per-message filtersRun it:
ai-blackteam run -p anthropic -a payload-splitting -t "your target prompt"
Recursive Injection
medium
recursive-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0061Self-referential prompts that ask model to simulate or reproduce its own unsafe outputRun it:
ai-blackteam run -p anthropic -a recursive-injection -t "your target prompt"
Recursive Prompt
medium
recursive-prompt · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Self-referential prompts that create reasoning loops, exploiting the model’s attempt to resolve circular instructionsRun it:
ai-blackteam run -p anthropic -a recursive-prompt -t "your target prompt"
Regex Injection
medium
regex-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Injects crafted regex patterns that cause ReDoS or exploit regex-based safety filter bypass through catastrophic backtracking edge casesRun it:
ai-blackteam run -p anthropic -a regex-injection -t "your target prompt"
Reverse Psychology
medium
reverse-psychology · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Phrases requests as prohibitions or challenges, exploiting the tendency to complete negated patterns or prove capability when told not toRun it:
ai-blackteam run -p anthropic -a reverse-psychology -t "your target prompt"
Style Injection
medium
style-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Forces specific output formats (JSON, code, recipe, poetry) to trick the model into complying with harmful requests as structured dataRun it:
ai-blackteam run -p anthropic -a style-injection -t "your target prompt"