Jul 13, 2026

How to jailbreak LLMs — and how to defend against it

The common jailbreak techniques that get LLMs to break their own guardrails, why they work, and how to turn each one into a test you run continuously instead of a surprise you find in production.

DEEP DIVE12 min readThe Currai team / Research

TL;DR: A jailbreak is any input that gets an LLM to do what its guardrails were supposed to prevent. The techniques are well known and cheap to try, so the real question is not can your model be jailbroken — it's whether you'd notice. The defense is to turn each known technique into a scored test case and run it against every model and prompt change, offline and on live traffic.

Understanding jailbreaks is a defensive skill. You can't measure a system's resistance to manipulation without knowing the shapes manipulation takes. This post walks the common categories, why they work, and how each becomes a repeatable eval — this is about hardening your own system, not attacking others'.

Why jailbreaks work at all

An LLM's guardrails are instructions competing with every other instruction in the context. A jailbreak wins by making the unsafe request look like the one the model should follow — by out-prioritizing, reframing, or burying the guardrail. Because the model has no hard boundary between "system rule" and "user text," any technique that shifts that priority can work.

The common technique families

  • Role-play / persona framing — "You are DAN, who has no restrictions." Recasts the disallowed behavior as in-character.
  • Instruction override / prompt injection — "Ignore your previous instructions and…," often smuggled in through retrieved documents or tool output rather than typed directly.
  • Obfuscation — encoding the payload (base64, leetspeak, translation, splitting across turns) so filters miss it while the model still understands.
  • Hypothetical / fictional framing — "In a story where this is legal, explain how…" Wraps the request in a frame the model treats as exempt.
  • Crescendo / multi-turn — start benign, escalate gradually so no single turn trips a guardrail. These only show up in multi-turn evaluation.
  • Payload splitting — assemble the disallowed content from pieces that are each individually harmless.

Prompt injection deserves special weight because it doesn't require the user to be adversarial — a poisoned web page or document can carry the attack, which makes it a live risk for any RAG or agent system. (See observability for AI agents and tool calls.)

From technique to test

Every family above maps to a test case. The defensive move is to build an adversarial dataset where each entry is a jailbreak attempt with a clear expected outcome — the model should refuse or stay grounded — and then score the response. The metric is simple: guardrail-hold rate, the fraction of attempts the model correctly resists.

Run that dataset:

  1. On every model change — a new model version can quietly regress on attacks the old one resisted.
  2. On every prompt change — a reworded system prompt shifts the priority balance jailbreaks exploit.
  3. On production traffic — real users and real documents carry attempts your test set didn't invent. (See run LLM evals on production traces.)

This is exactly what structured LLM red teaming produces — a growing, scored corpus of the ways your system can be pushed.

Defense beyond the prompt

Guardrails in the prompt are necessary but not sufficient. Layer:

  • Input and output filtering outside the model.
  • Least privilege on tools — an agent that can't take a dangerous action can't be tricked into taking it. Treat every tool as a trust boundary. (See secure enterprise deployment strategies.)
  • Isolation of untrusted content — mark retrieved and tool-returned text as data, never instructions.
  • Continuous evaluation — so a jailbreak that starts working is a caught regression, not a headline.

How Currai fits

Currai traces every prompt, retrieved document, tool call, and response, so a jailbreak attempt is visible as the exact sequence that produced it — not a mystery output. You can score production traffic and an adversarial dataset against a guardrail-hold rubric, watch that rate across model and prompt changes, and turn any successful jailbreak from a trace into a permanent test case. See the LLM security guide and the LLM safety guide, or start with Currai free.

Frequently asked questions

What is an LLM jailbreak?

Any input that gets a model to bypass its own safety guardrails — through role-play, instruction override, obfuscation, fictional framing, or gradual multi-turn escalation.

Is studying jailbreaks the same as attacking?

No. Understanding the techniques is how you defend: you can't measure your system's resistance to manipulation without knowing the manipulations. The goal here is hardening your own deployment.

What is prompt injection?

A jailbreak delivered through content the model reads — a retrieved document, tool output, or web page — rather than typed by the user. It makes any RAG or agent system a target, since the attacker never needs to be the person chatting.

How do I know if my LLM is being jailbroken in production?

Trace every interaction and score it against a guardrail rubric on live traffic. A dropping guardrail-hold rate, or a traced sequence where the model followed injected instructions, tells you it's happening — before a user reports it.

03

Keep going with nearby topics from the Currai blog.