| Attention Diversion | attention-diversion | single-turn | high | Buries harmful requests inside long distracting content to divert model attention from safety-relevant portions |
| Context Fragmentation | context-fragmentation | multi-turn | high | Spreads a harmful request across multiple messages so no single turn triggers safety filters, then synthesizes the fr… |
| Context Poisoning | context-poisoning | single-turn | high | Poisons the conversation context with misleading facts, false authority claims, or fabricated precedents before makin… |
| Context Window Overflow | context-window-overflow | single-turn | high | Floods the context window with benign filler text to push safety instructions out of the model |
| Conversation Hijacking | conversation-hijacking | multi-turn | high | Hijacks an ongoing benign conversation by injecting a new harmful objective and claiming it is the real purpose of th… |
| False Consensus | false-consensus | multi-turn | high | Claims prior agreement to harmful actions across conversation turns, using social pressure and fabricated consensus t… |
| History Rewriting | history-rewriting | multi-turn | high | Claims previous turns said something different than they did, attempting to rewrite conversation history to shift mod… |
| Instruction Layering | instruction-layering | single-turn | high | Stacks contradictory instructions at different priority levels to create ambiguity that the model resolves in favor o… |
| Memory Injection | memory-injection | single-turn | critical | Injects fabricated memories or prior conversation history to make the model believe it already agreed to produce harm… |
| Persona Persistence | persona-persistence | multi-turn | high | Establishes a permissive persona early in conversation then exploits it across turns to extract harmful content |
| Semantic Drift | semantic-drift | multi-turn | high | Gradually shifts the meaning of key terms across conversation turns until harmful content falls under a redefined ben… |
| State Confusion | state-confusion | single-turn | high | Confuses the model about its current conversation state by presenting contradictory or ambiguous context signals |
| System Prompt Override | system-prompt-override | single-turn | critical | Attempts to replace or nullify the system prompt mid-conversation using injected meta-instructions |
| Temporal Confusion | temporal-confusion | single-turn | medium | Confuses the model about time and sequence of events to make it believe restrictions were introduced later or have ex… |
| Token Budget Exhaustion | token-budget-exhaustion | single-turn | medium | Exhausts the model |
