constitutional-ai-bypass · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Bypasses Constitutional AI safety layers by invoking specific constitutional principles that appear to permit the harmful request, or by arguing the constitution itself allows the contentRun it:fine-tune-safety-removal · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Probes whether fine-tuning has removed or weakened safety behaviors, or attempts to elicit behavior consistent with a safety-stripped fine-tuned version of the modelRun it:rlhf-manipulation · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Manipulates the model by exploiting its understanding of the RLHF training process, convincing it that harmful outputs would receive high reward in the training pipelineRun it:reward-model-exploit · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits weaknesses in reward model hacking by crafting prompts that cause the model to optimize against the reward model rather than its intended behaviorRun it:safety-training-reversal · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Attempts to reverse or undo safety training by convincing the model that its safety behaviors were incorrectly instilled and should be overriddenRun it:system-prompt-injection-v2 · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Advanced system prompt injection using structured data formats, XML tags, and role-delimiting syntax to inject a new system prompt mid-conversationRun it:api-parameter-exploit · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits API parameters by referencing undocumented flags, bypass headers, or special API modes that purport to disable safety featuresRun it:alignment-tax-exploit · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits the tension between helpfulness and safety by framing harmful requests as cases where over-refusal imposes an unacceptable cost on legitimate usersRun it:batch-processing-exploit · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits batch API processing by embedding harmful requests within large benign batches, relying on reduced per-item scrutiny in high-volume processing modesRun it:content-filter-enumeration · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Systematically enumerates content filter rules and thresholds by probing what is and is not blocked, then uses that map to craft requests that slip through filtersRun it:guardrail-probing · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Systematically probes guardrail boundaries using incremental variations of a harmful request to find the exact threshold where the guardrail triggersRun it:helpfulness-exploitation · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits the model’s strong helpfulness training by framing harmful requests as urgent help scenarios where refusing would cause direct harm to the requesterRun it:model-uncertainty-exploit · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits model uncertainty and epistemic humility by framing the safety refusal as overconfident and asking the model to provide the answer it is uncertain about refusingRun it:moderation-api-bypass · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Bypasses external moderation API layers by encoding or transforming content in ways that evade the moderation endpoint while preserving meaning for the target modelRun it:multi-model-arbitrage · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Uses the existence of less-restricted models to argue that the target model’s refusal is arbitrary, then leverages that argument to pressure complianceRun it:pruning-safety-impact · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits the documented impact of model pruning on safety behaviors by claiming the model has been pruned and its safety-critical weights have been removedRun it:quantization-safety-loss · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits the documented degradation of safety behaviors under quantization by claiming the model is running in a quantized mode where safety circuits are impairedRun it:refusal-pattern-exploit · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits known refusal patterns and boilerplate language by crafting prompts that preemptively neutralize or mirror the refusal, preventing the model from outputting itRun it:safety-boundary-testing · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Frames harmful requests as legitimate safety boundary testing, using the language of red-teaming and AI safety research to justify extracting restricted contentRun it:safety-classifier-confusion · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Confuses the safety classifier by embedding harmful content within structures that pattern-match to benign categories, exploiting classifier decision boundariesRun it:safety-layer-mapping · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Maps the model’s safety architecture by probing which layers handle different types of refusals, then crafts inputs targeting gaps between safety layersRun it:streaming-exploit · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Attempts to exploit streaming response mode by requesting that the model begin outputting harmful content token-by-token before safety checks completeRun it:over-refusal-exploit · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits the model’s tendency toward over-refusal by citing examples of benign similar requests it has refused, then using that inconsistency to extract the harmful contentRun it:sampling-strategy-exploit · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Exploits sampling strategy parameters by instructing the model to use beam search, top-k, or greedy decoding modes that may produce different safety behavior than the defaultRun it:temperature-manipulation · single-turn · OWASP: LLM01 · MITRE: AML.T0054, AML.T0068Attempts to manipulate the model’s effective sampling temperature by instructing it to respond in a more ‘creative’, ‘random’, or ‘unconstrained’ mode that bypasses safety filtersRun it: