autodan-genetic · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Genetic algorithm-generated fluent jailbreak prompts that maintain readability while bypassing safety (AutoDAN, arXiv 2310.15140). Delegates to AutoDANGenerator when a target_provider is available; falls back to seed templates for static batch use.Run it:gcg-style-templates · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0043.003Pre-collected adversarial suffixes inspired by GCG-style outputs from public examples. NOT the GCG optimization algorithm itself; the real GCG (Zou et al. 2023, arXiv 2307.15043) requires gradient access to open-weights models and is not yet implemented in ai-blackteam.Run it:instruction-hierarchy-bypass · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits the model’s instruction hierarchy by claiming higher-privilege context to override safety guidelinesRun it:reasoning-model-exploit · single-turn · OWASP: LLM01 · MITRE: AML.T0054Exploits chain-of-thought reasoning in thinking models (o1, DeepSeek-R1, etc.) by instructing the model to use its extended reasoning to plan around safety. Research shows ~97% jailbreak success rate on reasoning models via this technique.Run it:safety-prompt-negation · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Directly negates or cancels the system safety prompt by asserting its removal or replacement before issuing a harmful instructionRun it:system-message-spoof · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Spoofs system-level messages within user input to override model behaviorRun it:attention-manipulation · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Embeds adversarial tokens and repetition patterns designed to shift model attention away from safety constraints and toward the injected payloadRun it:authority-override · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Claims organizational authority, developer status, or administrative privilege to assert the right to override safety constraintsRun it:csv-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Embeds prompt injection payloads in CSV-formatted data, exploiting models that parse tabular input with insufficient sanitizationRun it:chain-of-thought-hijack · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Hijacks the model’s reasoning chain by injecting false intermediate steps that lead to a harmful conclusionRun it:comment-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Hides injection instructions inside code comments, HTML comments, or other comment syntax that may pass through content filters unseenRun it:completion-steering · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Provides a partial answer or leading fragment to steer the model’s completion toward harmful content by exploiting its tendency to continue established patternsRun it:context-switch · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Inserts a framing device that switches the conversational context, causing safety filters calibrated to the original context to failRun it:context-window-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Injects instructions at strategic positions in the context window — beginning, end, or within padding — to exploit position-based attention patternsRun it:context-window-stuffing · single-turn · OWASP: LLM01, LLM10 · MITRE: AML.T0054Fills the context window with thousands of tokens of benign content to push system prompt and safety instructions out of the model’s effective attention window, then appends the actual harmful request at the end.Run it:control-character-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Uses Unicode control characters, null bytes, and formatting characters to manipulate prompt parsing and bypass text-based filtersRun it:delimiter-escape · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Escapes prompt delimiters used to separate system context from user input, injecting content into the privileged regionRun it:developer-mode · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Claims special developer or debug mode access to disable safety guardrails under the guise of legitimate system privilegesRun it:emotional-override · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Uses emotional urgency, distress, or appeals to empathy to pressure the model into bypassing safety guidelinesRun it:injection-via-examples · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Hides harmful instructions inside few-shot examples, training the model to comply through demonstrated patternsRun it:instruction-override · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Directly overrides system instructions by issuing a new, conflicting instruction that claims precedence over prior constraintsRun it:json-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Embeds prompt injection payloads inside JSON structures to exploit models that parse structured input with reduced safety scrutinyRun it:jailbreak-prompt-v2 · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Updated DAN-style and jailbreak prompt patterns that attempt to unlock unconstrained model behavior through explicit capability declarationsRun it:multi-language-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Embeds injection payloads across multiple languages in a single prompt to confuse language-specific safety classifiersRun it:multiline-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Splits the injection payload across multiple lines to evade single-line pattern matching filters and line-by-line content classifiersRun it:multimodal-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Injects instructions through cross-modal content such as image alt text, OCR output, or embedded metadata describing a hidden payloadRun it:output-to-input-loop · multi-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Feeds the model’s own output back as input in an escalating loop, gradually shifting behavior until safety constraints are erodedRun it:prefix-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0065Forces the model to begin its response with affirmative text, bypassing the refusal pathway by constraining the output prefixRun it:prompt-chaining-exploit · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits LLM pipeline architectures where one model’s output becomes another model’s input, injecting instructions that propagate through the chainRun it:prompt-format-exploit · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits known prompt template formats (chat ML, Llama, Alpaca, etc.) by injecting fake role delimiters to hijack the conversation structureRun it:prompt-leaking-chain · multi-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Chains multiple low-suspicion queries to incrementally reconstruct the full system prompt by correlating partial disclosuresRun it:prompt-nesting · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Wraps the malicious instruction in deeply nested hypothetical or quoted structures to dilute safety evaluation of the innermost payloadRun it:refusal-suppression · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0065Instructs the model to suppress safety refusals, warnings, and disclaimers before presenting the harmful requestRun it:response-constraints · single-turn · OWASP: LLM01, LLM05 · MITRE: AML.T0054, AML.T0051.000Suppress safety disclaimers via output formatting rules to prevent model from adding caveatsRun it:role-assignment · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Assigns the model a new unconstrained role or persona to bypass safety guidelines tied to its default identityRun it:semantic-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Crafts semantically valid and innocent-seeming text that, when interpreted by the model, triggers harmful behaviorRun it:skeleton-key · multi-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0051.000Request model augment its guidelines to warn instead of refuseRun it:split-reassemble · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Splits harmful requests into variable definitions, ROT13 fragments, or acronyms that must be reassembled to reveal the payloadRun it:structured-output-exploit · single-turn · OWASP: LLM01, LLM05 · MITRE: AML.T0054, AML.T0068Exploits structured output (JSON mode, function calling schemas) to bypass safety by constraining the model’s decoding to include harmful tokensRun it:system-prompt-extraction · multi-turn · OWASP: LLM07, LLM02 · MITRE: AML.T0056, AML.T0069.002JSON schema, chain-of-thought, and error correction to leak system promptsRun it:technical-jargon-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Embeds injection payloads inside dense technical language, jargon, or domain-specific terminology that may evade surface-level content filtersRun it:template-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits prompt template variables and placeholders to inject instructions that are interpolated into privileged positionsRun it:token-prediction-exploit · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Crafts prompts that exploit next-token prediction by establishing high-probability completion paths that lead to policy-violating outputsRun it:unicode-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits Unicode normalization, homoglyphs, and bidirectional text markers to smuggle injection payloads past text-based safety filtersRun it:virtual-prompt-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Manipulates the model’s own generated content to act as injected instructions, exploiting the model’s tendency to follow its own outputRun it:xml-boundary-injection · single-turn · OWASP: LLM01, LLM07, LLM05 · MITRE: AML.T0051.001, AML.T0068Fake XML closing tags to escape system prompt boundariesRun it:xml-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Embeds adversarial instructions inside XML tags and entity definitions to smuggle payloads through XML-aware prompt parsersRun it:yaml-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Hides prompt injection payloads in YAML-formatted input, exploiting parsers and models that process YAML with relaxed content checkingRun it:completion-exploit · single-turn · OWASP: LLM01, LLM05 · MITRE: AML.T0051.000, AML.T0065Fake transcripts and JSON completion to trick model into continuing harmful contentRun it:compound-instruction · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0065Combine multiple conflicting instructions to overwhelm safety decision logicRun it:context-overflow · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0065Pads prompts with large volumes of benign text to push the harmful request past the model’s attention windowRun it:dan-variants · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0051.000DAN, EDUALC, Opposite Day, and Professor persona override attemptsRun it:few-shot-amplification · single-turn · OWASP: LLM01, LLM02 · MITRE: AML.T0051.000, AML.T0065Benign examples followed by encoded harmful target to exploit pattern followingRun it:instruction-repetition · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Repeats the harmful instruction many times to overwhelm the context window and increase the probability of compliance through sheer repetitionRun it:many-shot · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0065Fabricated Q&A context flooding to overwhelm safety alignmentRun it:markdown-injection · single-turn · OWASP: LLM01, LLM05 · MITRE: AML.T0051.001, AML.T0068, AML.T0067Hidden HTML divs, comments, and table formatting to conceal harmful intentRun it:meta-prompting · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0065Ask the model to generate its own jailbreak prompts for a given targetRun it:payload-splitting · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Split harmful request across variables then concatenate to bypass per-message filtersRun it:recursive-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0061Self-referential prompts that ask model to simulate or reproduce its own unsafe outputRun it:recursive-prompt · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Self-referential prompts that create reasoning loops, exploiting the model’s attempt to resolve circular instructionsRun it:regex-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Injects crafted regex patterns that cause ReDoS or exploit regex-based safety filter bypass through catastrophic backtracking edge casesRun it:reverse-psychology · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Phrases requests as prohibitions or challenges, exploiting the tendency to complete negated patterns or prove capability when told not toRun it:style-injection · single-turn · OWASP: LLM01 · MITRE: AML.T0051.000, AML.T0068Forces specific output formats (JSON, code, recipe, poetry) to trick the model into complying with harmful requests as structured dataRun it: