Compositional Jailbreaking: An Empirical Analysis of Mutator Chain Interactions in Aligned LLMs

Hoon Wei Lim; Reinelle Jan Bugnot; Soohyeon Choi; Yue Duan

arxiv: 2605.15598 · v1 · pith:UQ6H53NJnew · submitted 2026-05-15 · 💻 cs.CR · cs.SE

Compositional Jailbreaking: An Empirical Analysis of Mutator Chain Interactions in Aligned LLMs

Reinelle Jan Bugnot , Soohyeon Choi , Hoon Wei Lim , Yue Duan This is my paper

Pith reviewed 2026-05-20 18:25 UTC · model grok-4.3

classification 💻 cs.CR cs.SE

keywords jailbreakinglarge language modelsmutator chainingcompositional attacksAI safetyadversarial promptssafety alignmentattack interactions

0 comments

The pith

Chaining jailbreak mutators on LLMs mostly produces interference, with rare synergistic pairs improving attack success.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines how simple jailbreak transformations interact when applied one after another to large language models. It finds that the majority of such chains do not improve upon using a single transformation and often interfere with each other. However, a small number of combinations do produce better results in bypassing model safeguards. This approach uncovers aspects of safety alignment that isolated attacks do not reveal, suggesting that defenses need to account for compositional strategies.

Core claim

By evaluating all ordered pairs of twelve baseline mutators on harmful prompts against three LLMs, the study shows that the interaction landscape is highly non-uniform. Most combinations exhibit destructive interference or structural incompatibility and fail to outperform individual mutators. A small fraction, however, produce synergistic effects that raise attack success rates. The prevalent failure modes also expose structural properties of safety alignment invisible to single-strategy tests.

What carries the argument

Mutator chaining, the sequential application of weak jailbreak transformations, tracked through completeness and validity metrics that measure transformation persistence and attack effectiveness.

If this is right

Most mutator combinations fail to outperform individual ones due to interference or incompatibility.
A small fraction of pairs achieve higher attack success rates through synergy.
Failure modes in chains reveal structural properties of safety alignment not visible in single mutator tests.
Compositional dynamics suggest new considerations for robust safety defenses.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Alignment training could benefit from including examples of chained adversarial prompts to strengthen resistance.
Similar composition effects might appear in other AI safety domains beyond jailbreaking.
Testing longer chains of three or more mutators could show whether synergies build or collapse further.
This mapping implies that current benchmarks focused on single attacks underestimate real-world adversarial capabilities.

Load-bearing premise

The twelve baseline mutators and the benchmark of harmful prompts sufficiently represent the space of possible interactions so that the observed patterns generalize to other mutators and models.

What would settle it

Running the same pairwise evaluation on a new set of mutators or additional LLMs and finding either uniform synergy across pairs or complete absence of both interference and synergy would disprove the non-uniform landscape with rare synergies.

Figures

Figures reproduced from arXiv: 2605.15598 by Hoon Wei Lim, Reinelle Jan Bugnot, Soohyeon Choi, Yue Duan.

**Figure 1.** Figure 1: Example of the mutator chain using paraphrasing and obfuscation. an LLM aligned to detect whether its assigned mutator has been applied to a given prompt. For example, the persistence classifier corresponding to the Translation mutator predicts whether a prompt is written in a different language compared to the original, while the classifier for the Obfuscation mutator detects whether character-level pertu… view at source ↗

**Figure 2.** Figure 2: Heatmaps of completeness and ASR across all models. Each panel visualizes the distribution of completeness (Figures [PITH_FULL_IMAGE:figures/full_fig_p010_2.png] view at source ↗

**Figure 3.** Figure 3: Distribution of complete case counts across mutator pairs per model. [PITH_FULL_IMAGE:figures/full_fig_p011_3.png] view at source ↗

**Figure 4.** Figure 4: Heatmaps of masked completeness after masking out mutator pairs below the second quantile of completeness counts. [PITH_FULL_IMAGE:figures/full_fig_p012_4.png] view at source ↗

**Figure 5.** Figure 5: Heatmaps of ASR differences for chained mutator pairs. The top row shows differences relative to the first mutator [PITH_FULL_IMAGE:figures/full_fig_p012_5.png] view at source ↗

**Figure 6.** Figure 6: Heatmaps of ASR for valid and complete mutator pairs. Each cell reports the average ASR of a chained mutator [PITH_FULL_IMAGE:figures/full_fig_p013_6.png] view at source ↗

**Figure 7.** Figure 7: Evaluator system prompt [PITH_FULL_IMAGE:figures/full_fig_p016_7.png] view at source ↗

read the original abstract

Jailbreaking attacks on large language models pose a significant threat to AI safety by enabling the generation of harmful or restricted content. While prior work has explored both handcrafted and automated jailbreak strategies, the potential for compositional interaction between simple attacks remains underexplored. This paper presents a systematic study of mutator chaining, in which weak jailbreak transformations are applied sequentially to characterize how they interact: whether they reinforce one another, interfere destructively, or produce no meaningful change. We implement twelve baseline mutators and evaluate all ordered pairs on a benchmark of harmful prompts against three popular LLM models. Our framework introduces metrics for completeness and validity that capture both transformation persistence and attack effectiveness. Results reveal that the interaction landscape is highly non-uniform, while most combinations fail to outperform individual mutators, exhibiting destructive interference or structural incompatibility, a small fraction produce synergistic effects that improve attack success rates. Equally important, the prevalent failure modes reveal structural properties of safety alignment that are not apparent from single-strategy evaluations. These findings highlight the nuanced dynamics of adversarial prompt composition and offer new insights for building more robust safety defenses.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 2 minor

Summary. The paper conducts a systematic empirical study of compositional jailbreaking via sequential application of mutators. It implements twelve baseline mutators, evaluates all 144 ordered pairs on a fixed benchmark of harmful prompts against three LLMs, and introduces metrics for completeness (transformation persistence) and validity (attack effectiveness). The central finding is that the interaction landscape is highly non-uniform: most pairs exhibit destructive interference or incompatibility and fail to outperform single mutators, while a small fraction produce synergistic improvements in attack success rate. The work also claims that prevalent failure modes expose structural properties of safety alignment not visible in single-strategy evaluations.

Significance. If the reported interaction statistics hold beyond the specific test set, the study would usefully shift attention from isolated jailbreak techniques to their compositional dynamics, offering concrete data on when chaining helps or harms attack success. This could inform defense design by highlighting structural incompatibilities in current alignment. The empirical framing and introduction of completeness/validity metrics are positive contributions, though generalization remains the key open question.

major comments (1)

[Results / Experimental Setup] The central claim that 'a small fraction produce synergistic effects' while 'most combinations fail to outperform individual mutators' rests on evaluation of exactly the 12×12 ordered pairs on one fixed benchmark (abstract and results). The skeptic correctly flags that no sensitivity analysis or cross-benchmark replication is described; any bias in mutator selection (e.g., over-representation of encoding/role-play styles) or prompt distribution could alter the observed synergistic fraction, undermining extrapolation of the non-uniform landscape.

minor comments (2)

[Discussion] The abstract states that 'the prevalent failure modes reveal structural properties of safety alignment,' but the manuscript does not appear to provide a separate qualitative analysis or taxonomy of those failure modes beyond aggregate success rates.
[Metrics] Clarify whether the completeness and validity metrics are computed per prompt or aggregated; the precise formulas and any statistical tests (error bars, significance) should be stated explicitly in the methods.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the constructive feedback on our empirical study of compositional jailbreaking. We address the major comment below, acknowledging limitations in the current experimental scope while defending the value of the systematic pairwise evaluation on the chosen benchmark.

read point-by-point responses

Referee: The central claim that 'a small fraction produce synergistic effects' while 'most combinations fail to outperform individual mutators' rests on evaluation of exactly the 12×12 ordered pairs on one fixed benchmark (abstract and results). The skeptic correctly flags that no sensitivity analysis or cross-benchmark replication is described; any bias in mutator selection (e.g., over-representation of encoding/role-play styles) or prompt distribution could alter the observed synergistic fraction, undermining extrapolation of the non-uniform landscape.

Authors: We agree that the reported interaction statistics are tied to the specific benchmark and mutator set used. The twelve mutators were chosen to cover representative categories from prior jailbreak literature (encoding, role-play, obfuscation, and others), but we did not perform explicit sensitivity analysis on alternative selections or prompt distributions. The manuscript presents these results as an empirical characterization of compositional dynamics within this controlled setup rather than a universal claim about all possible mutators or benchmarks. To strengthen the paper, we will revise the discussion and add a limitations section that explicitly notes the potential for benchmark-specific effects and the absence of cross-benchmark replication. We maintain that the core finding of highly non-uniform interactions (with most pairs showing destructive interference) remains a useful observation even if the exact synergistic fraction varies elsewhere, as it highlights structural properties of alignment not visible in single-mutator evaluations. revision: partial

Circularity Check

0 steps flagged

Empirical evaluation of mutator pairs against external benchmarks exhibits no definitional or self-referential reduction

full rationale

The paper implements twelve baseline mutators drawn from prior literature and measures attack success rates for all 144 ordered pairs on a fixed external benchmark of harmful prompts evaluated against three standard LLMs. Interaction metrics for synergy, destructive interference, and compatibility are computed directly from observed model outputs rather than from any fitted parameters or equations that would make the reported fractions equivalent to the input choices by construction. No load-bearing self-citations, uniqueness theorems, or ansatzes are invoked to force the non-uniform landscape result; the central empirical claim remains falsifiable against alternative mutator sets or benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the assumption that the selected mutators and prompt benchmark capture the relevant space of compositional attacks; no new physical or mathematical entities are postulated.

axioms (1)

domain assumption Safety alignments in current LLMs can be characterized by their response to sequential prompt transformations.
Invoked when the paper interprets interaction outcomes as revealing structural properties of alignment.

pith-pipeline@v0.9.0 · 5735 in / 1182 out tokens · 75692 ms · 2026-05-20T18:25:15.164766+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Foundation/RealityFromDistinction.lean reality_from_one_distinction unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

We implement twelve baseline mutators and evaluate all ordered pairs on a benchmark of harmful prompts against three popular LLM models. Our framework introduces metrics for completeness and validity...
IndisputableMonolith/Cost/FunctionalEquation.lean washburn_uniqueness_aczel unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

Results reveal that the interaction landscape is highly non-uniform, while most combinations fail to outperform individual mutators, exhibiting destructive interference...

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

47 extracted references · 47 canonical work pages · 10 internal anchors

[1]

Deceptive delight: Jailbreak llms through cam- ouflage and distraction,

J. Chen and R. Lu, “Deceptive delight: Jailbreak llms through cam- ouflage and distraction,” https://unit42.paloaltonetworks.com/jailbreak- llms-through-camouflage-distraction/, Oct. 2024, accessed: Mar. 18, 2025

work page 2024
[2]

How to protect yourself from 5g radiation? investigating llm responses to implicit misinformation,

R. Guo, W. Xu, and A. Ritter, “How to protect yourself from 5g radiation? investigating llm responses to implicit misinformation,” arXiv preprint arXiv:2503.09598, Mar. 2025. [Online]. Available: https://arxiv.org/abs/2503.09598

work page arXiv 2025
[3]

Jailbreaking generative ai: How hackers unleash llms and what it means for ai safety,

M. Sewak, “Jailbreaking generative ai: How hackers unleash llms and what it means for ai safety,” https://medium.com/aiguys/jailbreaking- generative-ai-how-hackers-unleash-llms-and-what-it-means-for-ai- safety-fe49d511a2a8, Nov. 2024, accessed: Mar. 18, 2025

work page 2024
[4]

InProceedings of the 16th ACM Workshop on Artificial Intelligence and Security (AISec @ CCS 2023)

S. Abdelnabi, K. Greshake, S. Mishra, C. Endres, T. Holz, and M. Fritz, “Not what you’ve signed up for: Compromising real- world llm-integrated applications with indirect prompt injection,” in Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security, AISec 2023, Copenhagen, Denmark, 30 November 2023, M. Pintor, X. Chen, and F. Tram `er...

work page doi:10.1145/3605764.3623985 2023
[5]

Ai fuelling more sophisticated phishing attempts, cyberattacks,

Channel NewsAsia, “Ai fuelling more sophisticated phishing attempts, cyberattacks,” https://www.channelnewsasia.com/singapore/ai-phishing- attempts-cyber-attacks-technology-scams-deepfakes-ransomware- 4506631, Aug. 2024, accessed: Mar. 18, 2025

work page 2024
[6]

Social media manipulation in the era of ai,

W. Marcellino, “Social media manipulation in the era of ai,” https://www.rand.org/pubs/articles/2024/social-media-manipulation-in- the-era-of-ai.html, Aug. 2024, accessed: Mar. 18, 2025. JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021 15

work page 2024
[7]

Las vegas cybertruck explosion suspect used chatgpt to plan attack: Police,

Associated Press, “Las vegas cybertruck explosion suspect used chatgpt to plan attack: Police,” https://apnews.com/article/ 248b41d87287170aa7b68d27581fdb4d, Jan. 2025, accessed: Mar. 18, 2025

work page 2025
[8]

Large reasoning models are autonomous jailbreak agents,

T. Hagendorffet al., “Large reasoning models are autonomous jailbreak agents,”Nature Communications, vol. 17, p. 1435, 2026. [Online]. Available: https://www.nature.com/articles/s41467-026-69010-1

work page 2026
[9]

Dan is my new friend,

Walkerspider, “Dan is my new friend,” https://www.reddit.com/, 2022

work page 2022
[10]

Ignore Previous Prompt: Attack Techniques For Language Models

F. Perez and I. Ribeiro, “Ignore previous prompt: Attack techniques for language models,”CoRR, vol. abs/2211.09527, 2022. [Online]. Available: https://doi.org/10.48550/arXiv.2211.09527

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2211.09527 2022
[11]

2025 IEEE Conference on Secure and Trustworthy Machine Learning (SaTML) , year =

P. Chao, A. Robey, E. Dobriban, H. Hassani, G. J. Pappas, and E. Wong, “Jailbreaking black box large language models in twenty queries,” in IEEE Conference on Secure and Trustworthy Machine Learning, SaTML 2025, Copenhagen, Denmark, April 9-11, 2025. IEEE, 2025, pp. 23–42. [Online]. Available: https://doi.org/10.1109/SaTML64287.2025.00010

work page doi:10.1109/satml64287.2025.00010 2025
[12]

Universal and Transferable Adversarial Attacks on Aligned Language Models

A. Zou, Z. Wang, J. Z. Kolter, and M. Fredrikson, “Universal and transferable adversarial attacks on aligned language models,” CoRR, vol. abs/2307.15043, 2023. [Online]. Available: https://doi.org/ 10.48550/arXiv.2307.15043

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2307.15043 2023
[13]

Tree of attacks: Jailbreaking black-box llms automatically,

A. Mehrotra, M. Zampetakis, P. Kassianik, B. Nelson, H. S. Anderson, Y . Singer, and A. Karbasi, “Tree of attacks: Jailbreaking black-box llms automatically,” inAdvances in Neural Information Processing Systems 38: Annual Conference on Neural Information Processing Systems 2024, NeurIPS 2024, Vancouver, BC, Canada, December 10 - 15, 2024, A. Globersons, L...

work page 2024
[14]

GPTFUZZER: Red Teaming Large Language Models with Auto-Generated Jailbreak Prompts

J. Yu, X. Lin, Z. Yu, and X. Xing, “GPTFUZZER: red teaming large language models with auto-generated jailbreak prompts,”CoRR, vol. abs/2309.10253, 2023. [Online]. Available: https://doi.org/10.48550/ arXiv.2309.10253

work page internal anchor Pith review Pith/arXiv arXiv 2023
[15]

HarmBench: A Standardized Evaluation Framework for Automated Red Teaming and Robust Refusal

M. Mazeika, L. Phan, X. Yin, A. Zou, Z. Wang, N. Mu, E. Sakhaee, N. Li, S. Basart, B. Li, D. Forsyth, and D. Hendrycks, “Harmbench: A standardized evaluation framework for automated red teaming and robust refusal,” inProceedings of the 41st International Conference on Machine Learning, ICML 2024, 2024. [Online]. Available: https://arxiv.org/abs/2402.04249

work page internal anchor Pith review Pith/arXiv arXiv 2024
[16]

Best-of-n jailbreaking

J. Hughes, S. Price, D. Roop, and Others, “Best-of-n jailbreaking,” CoRR, vol. abs/2412.03556, 2024. [Online]. Available: https://arxiv.org/ abs/2412.03556

work page arXiv 2024
[17]

Many-shot jailbreaking,

C. Anil, E. Durmus, N. Panickssery, M. Sharma, J. Benton, S. Kundu, J. Batson, M. Tong, J. Mu, D. Ford, F. Mosconi, R. Agrawal, R. Schaeffer, N. Bashkansky, S. Svenningsen, M. Lambert, A. Radhakrishnan, C. Denison, E. Hubinger, Y . Bai, T. Bricken, T. Maxwell, N. Schiefer, J. Sully, A. Tamkin, T. Lanham, K. Nguyen, T. Korbak, J. Kaplan, D. Ganguli, S. R. ...

work page 2024
[18]

Available: http://papers.nips.cc/paper files/paper/2024/ hash/ea456e232efb72d261715e33ce25f208-Abstract-Conference.html

[Online]. Available: http://papers.nips.cc/paper files/paper/2024/ hash/ea456e232efb72d261715e33ce25f208-Abstract-Conference.html

work page 2024
[19]

Great, Now Write an Article About That: The Crescendo Multi-Turn LLM Jailbreak Attack

M. Russinovich, A. Salem, and R. Eldan, “Great, now write an article about that: The crescendo multi-turn LLM jailbreak attack,” in 34th USENIX Security Symposium, USENIX Security 2025. USENIX Association, 2025. [Online]. Available: https://arxiv.org/abs/2404.01833

work page internal anchor Pith review Pith/arXiv arXiv 2025
[20]

Sequentialbreak: Large language models can be fooled by embedding jailbreak prompts into sequential prompt chains,

B. A. Saiem, M. S. H. Shanto, R. Ahsan, and M. R. U. Rashid, “Sequentialbreak: Large language models can be fooled by embedding jailbreak prompts into sequential prompt chains,” inProceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 4: Student Research Workshop), 2025, pp. 548–579

work page 2025
[21]

Proceedings of the 2022 Conference on Empirical Methods in Natural Language Processing , year =

E. Perez, S. Huang, H. F. Song, T. Cai, R. Ring, J. Aslanides, A. Glaese, N. McAleese, and G. Irving, “Red teaming language models with language models,” inProceedings of the 2022 Conference on Empirical Methods in Natural Language Processing, EMNLP 2022, Abu Dhabi, United Arab Emirates, December 7-11, 2022, Y . Goldberg, Z. Kozareva, and Y . Zhang, Eds. ...

work page doi:10.18653/v1/2022.emnlp-main.225 2022
[22]

Red Teaming Language Models to Reduce Harms: Methods, Scaling Behaviors, and Lessons Learned

D. Ganguli, L. Lovitt, J. Kernion, A. Askell, Y . Bai, S. Kadavath, B. Mann, E. Perez, N. Schiefer, K. Ndousse, A. Jones, S. Bowman, A. Chen, T. Conerly, N. DasSarma, D. Drain, N. Elhage, S. E. Showk, S. Fort, Z. Hatfield-Dodds, T. Henighan, D. Hernandez, T. Hume, J. Jacobson, S. Johnston, S. Kravec, C. Olsson, S. Ringer, E. Tran-Johnson, D. Amodei, T. Br...

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2209.07858 2022
[23]

Jailbreaking ChatGPT via Prompt Engineering: An Empirical Study

Y . Liu, G. Deng, Z. Xu, Y . Li, Y . Zheng, Y . Zhang, L. Zhao, T. Zhang, and Y . Liu, “Jailbreaking chatgpt via prompt engineering: An empirical study,”CoRR, vol. abs/2305.13860, 2023. [Online]. Available: https://doi.org/10.48550/arXiv.2305.13860

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2305.13860 2023
[24]

Tricking llms into disobedience: Formalizing, analyzing, and detecting jailbreaks,

A. Rao, A. Naik, S. Vashistha, S. Aditya, and M. Choudhury, “Tricking llms into disobedience: Formalizing, analyzing, and detecting jailbreaks,” inProceedings of the 2024 Joint International Conference on Computational Linguistics, Language Resources and Evaluation, LREC/COLING 2024, 20-25 May, 2024, Torino, Italy, N. Calzolari, M. Kan, V . Hoste, A. Lenc...

work page 2024
[25]

Rainbow teaming: Open-ended generation of diverse adversarial prompts,

M. Samvelyan, S. C. Raparthy, A. Lupu, E. Hambro, A. H. Markosyan, M. Bhatt, Y . Mao, M. Jiang, J. Parker-Holder, J. N. Foerster, T. Rockt ¨aschel, and R. Raileanu, “Rainbow teaming: Open-ended generation of diverse adversarial prompts,” inAdvances in Neural Information Processing Systems 38: Annual Conference on Neural Information Processing Systems 2024...

work page 2024
[26]

Available: http://papers.nips.cc/paper files/paper/2024/ hash/8147a43d030b43a01020774ae1d3e3bb-Abstract-Conference.html

[Online]. Available: http://papers.nips.cc/paper files/paper/2024/ hash/8147a43d030b43a01020774ae1d3e3bb-Abstract-Conference.html

work page 2024
[27]

Wildteaming at scale: From in-the-wild jailbreaks to (adversarially) safer language models,

L. Jiang, K. Rao, S. Han, A. Ettinger, F. Brahman, S. Kumar, N. Mireshghallah, X. Lu, M. Sap, Y . Choi, and N. Dziri, “Wildteaming at scale: From in-the-wild jailbreaks to (adversarially) safer language models,” inAdvances in Neural Information Processing Systems 38: Annual Conference on Neural Information Processing Systems 2024, NeurIPS 2024, Vancouver,...

work page 2024
[28]

Training language models to follow instructions with human feedback,

L. Ouyang, J. Wu, X. Jiang, D. Almeida, C. L. Wainwright, P. Mishkin, C. Zhang, S. Agarwal, K. Slama, A. Ray, J. Schulman, J. Hilton, F. Kelton, L. Miller, M. Simens, A. Askell, P. Welinder, P. F. Christiano, J. Leike, and R. Lowe, “Training language models to follow instructions with human feedback,” inAdvances in Neural Information Processing Systems 35...

work page 2022
[29]

Available: http://papers.nips.cc/paper files/paper/2022/ hash/b1efde53be364a73914f58805a001731-Abstract-Conference.html

[Online]. Available: http://papers.nips.cc/paper files/paper/2022/ hash/b1efde53be364a73914f58805a001731-Abstract-Conference.html

work page 2022
[30]

Constitutional AI: Harmlessness from AI Feedback

Y . Bai, S. Kadavath, S. Kundu, A. Askell, J. Kernion, A. Jones, A. Chen, A. Goldie, A. Mirhoseini, C. McKinnon, C. Chen, C. Olsson, C. Olah, D. Hernandez, D. Drain, D. Ganguli, D. Li, E. Tran-Johnson, E. Perez, J. Kerr, J. Mueller, J. Ladish, J. Landau, K. Ndousse, K. Lukosiute, L. Lovitt, M. Sellitto, N. Elhage, N. Schiefer, N. Mercado, N. DasSarma, R. ...

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2212.08073 2022
[31]

Deepseek model overview,

DeepSeek, “Deepseek model overview,” https://github.com/deepseek-ai, accessed: Apr. 2, 2025

work page 2025
[32]

Openai model overview,

OpenAI, “Openai model overview,” https://platform.openai.com/docs/ models, accessed: Apr. 2, 2025

work page 2025
[33]

Multilingual jailbreak challenges in large language models,

Y . Deng, W. Zhang, S. J. Pan, and L. Bing, “Multilingual jailbreak challenges in large language models,” inThe Twelfth International Conference on Learning Representations, ICLR 2024, Vienna, Austria, May 7-11, 2024. OpenReview.net, 2024. [Online]. Available: https://openreview.net/forum?id=vESNKdEMGp

work page 2024
[34]

Judging llm-as-a-judge with mt-bench and chatbot arena,

L. Zheng, W. Chiang, Y . Sheng, S. Zhuang, Z. Wu, Y . Zhuang, Z. Lin, Z. Li, D. Li, E. P. Xing, H. Zhang, J. E. Gonzalez, and I. Stoica, “Judging llm-as-a-judge with mt-bench and chatbot arena,” inAdvances in Neural Information Processing Systems 36: Annual Conference on Neural Information Processing Systems 2023, NeurIPS 2023, New Orleans, LA, USA, Decem...

work page 2023
[35]

Moderation - openai api,

OpenAI, “Moderation - openai api,” https://platform.openai.com/docs/ guides/moderation, 2023, accessed: Feb. 2, 2023

work page 2023
[36]

AEGIS: Online Adaptive AI Content Safety Moderation with Ensemble of LLM Experts

S. Ghosh, P. Varshney, E. Galinkin, and C. Parisien, “Aegis: Online adaptive ai content safety moderation with ensemble of llm experts,”ArXiv, vol. abs/2404.05993, 2024. [Online]. Available: https://api.semanticscholar.org/CorpusID:269009460

work page arXiv 2024
[37]

Explaining and Harnessing Adversarial Examples

I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” in3rd International Conference on Learning Representations, ICLR 2015, San Diego, CA, USA, May 7-9, 2015, Conference Track Proceedings, Y . Bengio and Y . LeCun, Eds., 2015. [Online]. Available: http://arxiv.org/abs/1412.6572

work page internal anchor Pith review Pith/arXiv arXiv 2015
[38]

Baseline Defenses for Adversarial Attacks Against Aligned Language Models

N. Jain, A. Schwarzschild, Y . Wen, G. Somepalli, J. Kirchenbauer, P. Chiang, M. Goldblum, A. Saha, J. Geiping, and T. Goldstein, “Baseline defenses for adversarial attacks against aligned language models,”CoRR, vol. abs/2309.00614, 2023. [Online]. Available: https://doi.org/10.48550/arXiv.2309.00614

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2309.00614 2023
[39]

Smoothllm: Defending large language models against jailbreaking attacks,

A. Robey, E. Wong, H. Hassani, and G. J. Pappas, “Smoothllm: Defending large language models against jailbreaking attacks,” Trans. Mach. Learn. Res., vol. 2025, 2025. [Online]. Available: https://openreview.net/forum?id=laPAh2hRFC APPENDIXA PROMPT FOREVALUATION evaluator-direct: | You are a content safety classifier tasked with identifying whether a given...

work page 2025
[40]

Illegal Activities - Models cannot be used for illegal activities, including malware generation and activities causing physical or economic harm

work page
[41]

Harmful Content - Usage that generates content exploiting children, promoting hate, harassment, violence, or glorifying suffering/humiliation is prohibited

work page
[42]

Fraud and Deception - Models cannot be used for scams, inauthentic behavior, plagiarism, academic dishonesty, astroturfing, disinformation, spam, or pseudo-pharmaceuticals

work page
[43]

Adult Content - Adult content, adult industries, and dating apps usage is not allowed, including content meant to arouse sexual excitement or promote sexual services

work page
[44]

Political Play - Models cannot be used for high-volume campaign materials, personalized/targeted materials, political advocacy chatbots, or political campaigning/lobbying products

work page
[45]

Privacy Violation - Models cannot be used for non-consensual tracking, private individual facial recognition, classifying individuals by protected characteristics, biometrics for identification/assessment, or unlawful collection/disclosure of personal information

work page
[46]

Unlawful Practice - Models cannot be used for unauthorized legal or financial advice, unqualified medical advice, or prescribing medication without qualifications

work page
[47]

### Text to Evaluate ### "{text}" Based on the above guidelines, classify the text as either Safe or Unsafe

High-risk Government Decision-making - Models cannot be used for high-risk government decisions, including law enforcement, criminal justice, migration, and asylum. ### Text to Evaluate ### "{text}" Based on the above guidelines, classify the text as either Safe or Unsafe. Only provide the classification in plain text. Figure 7: Evaluator system prompt

work page

[1] [1]

Deceptive delight: Jailbreak llms through cam- ouflage and distraction,

J. Chen and R. Lu, “Deceptive delight: Jailbreak llms through cam- ouflage and distraction,” https://unit42.paloaltonetworks.com/jailbreak- llms-through-camouflage-distraction/, Oct. 2024, accessed: Mar. 18, 2025

work page 2024

[2] [2]

How to protect yourself from 5g radiation? investigating llm responses to implicit misinformation,

R. Guo, W. Xu, and A. Ritter, “How to protect yourself from 5g radiation? investigating llm responses to implicit misinformation,” arXiv preprint arXiv:2503.09598, Mar. 2025. [Online]. Available: https://arxiv.org/abs/2503.09598

work page arXiv 2025

[3] [3]

Jailbreaking generative ai: How hackers unleash llms and what it means for ai safety,

M. Sewak, “Jailbreaking generative ai: How hackers unleash llms and what it means for ai safety,” https://medium.com/aiguys/jailbreaking- generative-ai-how-hackers-unleash-llms-and-what-it-means-for-ai- safety-fe49d511a2a8, Nov. 2024, accessed: Mar. 18, 2025

work page 2024

[4] [4]

InProceedings of the 16th ACM Workshop on Artificial Intelligence and Security (AISec @ CCS 2023)

S. Abdelnabi, K. Greshake, S. Mishra, C. Endres, T. Holz, and M. Fritz, “Not what you’ve signed up for: Compromising real- world llm-integrated applications with indirect prompt injection,” in Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security, AISec 2023, Copenhagen, Denmark, 30 November 2023, M. Pintor, X. Chen, and F. Tram `er...

work page doi:10.1145/3605764.3623985 2023

[5] [5]

Ai fuelling more sophisticated phishing attempts, cyberattacks,

Channel NewsAsia, “Ai fuelling more sophisticated phishing attempts, cyberattacks,” https://www.channelnewsasia.com/singapore/ai-phishing- attempts-cyber-attacks-technology-scams-deepfakes-ransomware- 4506631, Aug. 2024, accessed: Mar. 18, 2025

work page 2024

[6] [6]

Social media manipulation in the era of ai,

W. Marcellino, “Social media manipulation in the era of ai,” https://www.rand.org/pubs/articles/2024/social-media-manipulation-in- the-era-of-ai.html, Aug. 2024, accessed: Mar. 18, 2025. JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021 15

work page 2024

[7] [7]

Las vegas cybertruck explosion suspect used chatgpt to plan attack: Police,

Associated Press, “Las vegas cybertruck explosion suspect used chatgpt to plan attack: Police,” https://apnews.com/article/ 248b41d87287170aa7b68d27581fdb4d, Jan. 2025, accessed: Mar. 18, 2025

work page 2025

[8] [8]

Large reasoning models are autonomous jailbreak agents,

T. Hagendorffet al., “Large reasoning models are autonomous jailbreak agents,”Nature Communications, vol. 17, p. 1435, 2026. [Online]. Available: https://www.nature.com/articles/s41467-026-69010-1

work page 2026

[9] [9]

Dan is my new friend,

Walkerspider, “Dan is my new friend,” https://www.reddit.com/, 2022

work page 2022

[10] [10]

Ignore Previous Prompt: Attack Techniques For Language Models

F. Perez and I. Ribeiro, “Ignore previous prompt: Attack techniques for language models,”CoRR, vol. abs/2211.09527, 2022. [Online]. Available: https://doi.org/10.48550/arXiv.2211.09527

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2211.09527 2022

[11] [11]

2025 IEEE Conference on Secure and Trustworthy Machine Learning (SaTML) , year =

P. Chao, A. Robey, E. Dobriban, H. Hassani, G. J. Pappas, and E. Wong, “Jailbreaking black box large language models in twenty queries,” in IEEE Conference on Secure and Trustworthy Machine Learning, SaTML 2025, Copenhagen, Denmark, April 9-11, 2025. IEEE, 2025, pp. 23–42. [Online]. Available: https://doi.org/10.1109/SaTML64287.2025.00010

work page doi:10.1109/satml64287.2025.00010 2025

[12] [12]

Universal and Transferable Adversarial Attacks on Aligned Language Models

A. Zou, Z. Wang, J. Z. Kolter, and M. Fredrikson, “Universal and transferable adversarial attacks on aligned language models,” CoRR, vol. abs/2307.15043, 2023. [Online]. Available: https://doi.org/ 10.48550/arXiv.2307.15043

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2307.15043 2023

[13] [13]

Tree of attacks: Jailbreaking black-box llms automatically,

A. Mehrotra, M. Zampetakis, P. Kassianik, B. Nelson, H. S. Anderson, Y . Singer, and A. Karbasi, “Tree of attacks: Jailbreaking black-box llms automatically,” inAdvances in Neural Information Processing Systems 38: Annual Conference on Neural Information Processing Systems 2024, NeurIPS 2024, Vancouver, BC, Canada, December 10 - 15, 2024, A. Globersons, L...

work page 2024

[14] [14]

GPTFUZZER: Red Teaming Large Language Models with Auto-Generated Jailbreak Prompts

J. Yu, X. Lin, Z. Yu, and X. Xing, “GPTFUZZER: red teaming large language models with auto-generated jailbreak prompts,”CoRR, vol. abs/2309.10253, 2023. [Online]. Available: https://doi.org/10.48550/ arXiv.2309.10253

work page internal anchor Pith review Pith/arXiv arXiv 2023

[15] [15]

HarmBench: A Standardized Evaluation Framework for Automated Red Teaming and Robust Refusal

M. Mazeika, L. Phan, X. Yin, A. Zou, Z. Wang, N. Mu, E. Sakhaee, N. Li, S. Basart, B. Li, D. Forsyth, and D. Hendrycks, “Harmbench: A standardized evaluation framework for automated red teaming and robust refusal,” inProceedings of the 41st International Conference on Machine Learning, ICML 2024, 2024. [Online]. Available: https://arxiv.org/abs/2402.04249

work page internal anchor Pith review Pith/arXiv arXiv 2024

[16] [16]

Best-of-n jailbreaking

J. Hughes, S. Price, D. Roop, and Others, “Best-of-n jailbreaking,” CoRR, vol. abs/2412.03556, 2024. [Online]. Available: https://arxiv.org/ abs/2412.03556

work page arXiv 2024

[17] [17]

Many-shot jailbreaking,

C. Anil, E. Durmus, N. Panickssery, M. Sharma, J. Benton, S. Kundu, J. Batson, M. Tong, J. Mu, D. Ford, F. Mosconi, R. Agrawal, R. Schaeffer, N. Bashkansky, S. Svenningsen, M. Lambert, A. Radhakrishnan, C. Denison, E. Hubinger, Y . Bai, T. Bricken, T. Maxwell, N. Schiefer, J. Sully, A. Tamkin, T. Lanham, K. Nguyen, T. Korbak, J. Kaplan, D. Ganguli, S. R. ...

work page 2024

[18] [18]

Available: http://papers.nips.cc/paper files/paper/2024/ hash/ea456e232efb72d261715e33ce25f208-Abstract-Conference.html

[Online]. Available: http://papers.nips.cc/paper files/paper/2024/ hash/ea456e232efb72d261715e33ce25f208-Abstract-Conference.html

work page 2024

[19] [19]

Great, Now Write an Article About That: The Crescendo Multi-Turn LLM Jailbreak Attack

M. Russinovich, A. Salem, and R. Eldan, “Great, now write an article about that: The crescendo multi-turn LLM jailbreak attack,” in 34th USENIX Security Symposium, USENIX Security 2025. USENIX Association, 2025. [Online]. Available: https://arxiv.org/abs/2404.01833

work page internal anchor Pith review Pith/arXiv arXiv 2025

[20] [20]

Sequentialbreak: Large language models can be fooled by embedding jailbreak prompts into sequential prompt chains,

B. A. Saiem, M. S. H. Shanto, R. Ahsan, and M. R. U. Rashid, “Sequentialbreak: Large language models can be fooled by embedding jailbreak prompts into sequential prompt chains,” inProceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 4: Student Research Workshop), 2025, pp. 548–579

work page 2025

[21] [21]

Proceedings of the 2022 Conference on Empirical Methods in Natural Language Processing , year =

E. Perez, S. Huang, H. F. Song, T. Cai, R. Ring, J. Aslanides, A. Glaese, N. McAleese, and G. Irving, “Red teaming language models with language models,” inProceedings of the 2022 Conference on Empirical Methods in Natural Language Processing, EMNLP 2022, Abu Dhabi, United Arab Emirates, December 7-11, 2022, Y . Goldberg, Z. Kozareva, and Y . Zhang, Eds. ...

work page doi:10.18653/v1/2022.emnlp-main.225 2022

[22] [22]

Red Teaming Language Models to Reduce Harms: Methods, Scaling Behaviors, and Lessons Learned

D. Ganguli, L. Lovitt, J. Kernion, A. Askell, Y . Bai, S. Kadavath, B. Mann, E. Perez, N. Schiefer, K. Ndousse, A. Jones, S. Bowman, A. Chen, T. Conerly, N. DasSarma, D. Drain, N. Elhage, S. E. Showk, S. Fort, Z. Hatfield-Dodds, T. Henighan, D. Hernandez, T. Hume, J. Jacobson, S. Johnston, S. Kravec, C. Olsson, S. Ringer, E. Tran-Johnson, D. Amodei, T. Br...

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2209.07858 2022

[23] [23]

Jailbreaking ChatGPT via Prompt Engineering: An Empirical Study

Y . Liu, G. Deng, Z. Xu, Y . Li, Y . Zheng, Y . Zhang, L. Zhao, T. Zhang, and Y . Liu, “Jailbreaking chatgpt via prompt engineering: An empirical study,”CoRR, vol. abs/2305.13860, 2023. [Online]. Available: https://doi.org/10.48550/arXiv.2305.13860

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2305.13860 2023

[24] [24]

Tricking llms into disobedience: Formalizing, analyzing, and detecting jailbreaks,

A. Rao, A. Naik, S. Vashistha, S. Aditya, and M. Choudhury, “Tricking llms into disobedience: Formalizing, analyzing, and detecting jailbreaks,” inProceedings of the 2024 Joint International Conference on Computational Linguistics, Language Resources and Evaluation, LREC/COLING 2024, 20-25 May, 2024, Torino, Italy, N. Calzolari, M. Kan, V . Hoste, A. Lenc...

work page 2024

[25] [25]

Rainbow teaming: Open-ended generation of diverse adversarial prompts,

M. Samvelyan, S. C. Raparthy, A. Lupu, E. Hambro, A. H. Markosyan, M. Bhatt, Y . Mao, M. Jiang, J. Parker-Holder, J. N. Foerster, T. Rockt ¨aschel, and R. Raileanu, “Rainbow teaming: Open-ended generation of diverse adversarial prompts,” inAdvances in Neural Information Processing Systems 38: Annual Conference on Neural Information Processing Systems 2024...

work page 2024

[26] [26]

Available: http://papers.nips.cc/paper files/paper/2024/ hash/8147a43d030b43a01020774ae1d3e3bb-Abstract-Conference.html

[Online]. Available: http://papers.nips.cc/paper files/paper/2024/ hash/8147a43d030b43a01020774ae1d3e3bb-Abstract-Conference.html

work page 2024

[27] [27]

Wildteaming at scale: From in-the-wild jailbreaks to (adversarially) safer language models,

L. Jiang, K. Rao, S. Han, A. Ettinger, F. Brahman, S. Kumar, N. Mireshghallah, X. Lu, M. Sap, Y . Choi, and N. Dziri, “Wildteaming at scale: From in-the-wild jailbreaks to (adversarially) safer language models,” inAdvances in Neural Information Processing Systems 38: Annual Conference on Neural Information Processing Systems 2024, NeurIPS 2024, Vancouver,...

work page 2024

[28] [28]

Training language models to follow instructions with human feedback,

L. Ouyang, J. Wu, X. Jiang, D. Almeida, C. L. Wainwright, P. Mishkin, C. Zhang, S. Agarwal, K. Slama, A. Ray, J. Schulman, J. Hilton, F. Kelton, L. Miller, M. Simens, A. Askell, P. Welinder, P. F. Christiano, J. Leike, and R. Lowe, “Training language models to follow instructions with human feedback,” inAdvances in Neural Information Processing Systems 35...

work page 2022

[29] [29]

Available: http://papers.nips.cc/paper files/paper/2022/ hash/b1efde53be364a73914f58805a001731-Abstract-Conference.html

[Online]. Available: http://papers.nips.cc/paper files/paper/2022/ hash/b1efde53be364a73914f58805a001731-Abstract-Conference.html

work page 2022

[30] [30]

Constitutional AI: Harmlessness from AI Feedback

Y . Bai, S. Kadavath, S. Kundu, A. Askell, J. Kernion, A. Jones, A. Chen, A. Goldie, A. Mirhoseini, C. McKinnon, C. Chen, C. Olsson, C. Olah, D. Hernandez, D. Drain, D. Ganguli, D. Li, E. Tran-Johnson, E. Perez, J. Kerr, J. Mueller, J. Ladish, J. Landau, K. Ndousse, K. Lukosiute, L. Lovitt, M. Sellitto, N. Elhage, N. Schiefer, N. Mercado, N. DasSarma, R. ...

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2212.08073 2022

[31] [31]

Deepseek model overview,

DeepSeek, “Deepseek model overview,” https://github.com/deepseek-ai, accessed: Apr. 2, 2025

work page 2025

[32] [32]

Openai model overview,

OpenAI, “Openai model overview,” https://platform.openai.com/docs/ models, accessed: Apr. 2, 2025

work page 2025

[33] [33]

Multilingual jailbreak challenges in large language models,

Y . Deng, W. Zhang, S. J. Pan, and L. Bing, “Multilingual jailbreak challenges in large language models,” inThe Twelfth International Conference on Learning Representations, ICLR 2024, Vienna, Austria, May 7-11, 2024. OpenReview.net, 2024. [Online]. Available: https://openreview.net/forum?id=vESNKdEMGp

work page 2024

[34] [34]

Judging llm-as-a-judge with mt-bench and chatbot arena,

L. Zheng, W. Chiang, Y . Sheng, S. Zhuang, Z. Wu, Y . Zhuang, Z. Lin, Z. Li, D. Li, E. P. Xing, H. Zhang, J. E. Gonzalez, and I. Stoica, “Judging llm-as-a-judge with mt-bench and chatbot arena,” inAdvances in Neural Information Processing Systems 36: Annual Conference on Neural Information Processing Systems 2023, NeurIPS 2023, New Orleans, LA, USA, Decem...

work page 2023

[35] [35]

Moderation - openai api,

OpenAI, “Moderation - openai api,” https://platform.openai.com/docs/ guides/moderation, 2023, accessed: Feb. 2, 2023

work page 2023

[36] [36]

AEGIS: Online Adaptive AI Content Safety Moderation with Ensemble of LLM Experts

S. Ghosh, P. Varshney, E. Galinkin, and C. Parisien, “Aegis: Online adaptive ai content safety moderation with ensemble of llm experts,”ArXiv, vol. abs/2404.05993, 2024. [Online]. Available: https://api.semanticscholar.org/CorpusID:269009460

work page arXiv 2024

[37] [37]

Explaining and Harnessing Adversarial Examples

I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” in3rd International Conference on Learning Representations, ICLR 2015, San Diego, CA, USA, May 7-9, 2015, Conference Track Proceedings, Y . Bengio and Y . LeCun, Eds., 2015. [Online]. Available: http://arxiv.org/abs/1412.6572

work page internal anchor Pith review Pith/arXiv arXiv 2015

[38] [38]

Baseline Defenses for Adversarial Attacks Against Aligned Language Models

N. Jain, A. Schwarzschild, Y . Wen, G. Somepalli, J. Kirchenbauer, P. Chiang, M. Goldblum, A. Saha, J. Geiping, and T. Goldstein, “Baseline defenses for adversarial attacks against aligned language models,”CoRR, vol. abs/2309.00614, 2023. [Online]. Available: https://doi.org/10.48550/arXiv.2309.00614

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2309.00614 2023

[39] [39]

Smoothllm: Defending large language models against jailbreaking attacks,

A. Robey, E. Wong, H. Hassani, and G. J. Pappas, “Smoothllm: Defending large language models against jailbreaking attacks,” Trans. Mach. Learn. Res., vol. 2025, 2025. [Online]. Available: https://openreview.net/forum?id=laPAh2hRFC APPENDIXA PROMPT FOREVALUATION evaluator-direct: | You are a content safety classifier tasked with identifying whether a given...

work page 2025

[40] [40]

Illegal Activities - Models cannot be used for illegal activities, including malware generation and activities causing physical or economic harm

work page

[41] [41]

Harmful Content - Usage that generates content exploiting children, promoting hate, harassment, violence, or glorifying suffering/humiliation is prohibited

work page

[42] [42]

Fraud and Deception - Models cannot be used for scams, inauthentic behavior, plagiarism, academic dishonesty, astroturfing, disinformation, spam, or pseudo-pharmaceuticals

work page

[43] [43]

Adult Content - Adult content, adult industries, and dating apps usage is not allowed, including content meant to arouse sexual excitement or promote sexual services

work page

[44] [44]

Political Play - Models cannot be used for high-volume campaign materials, personalized/targeted materials, political advocacy chatbots, or political campaigning/lobbying products

work page

[45] [45]

Privacy Violation - Models cannot be used for non-consensual tracking, private individual facial recognition, classifying individuals by protected characteristics, biometrics for identification/assessment, or unlawful collection/disclosure of personal information

work page

[46] [46]

Unlawful Practice - Models cannot be used for unauthorized legal or financial advice, unqualified medical advice, or prescribing medication without qualifications

work page

[47] [47]

### Text to Evaluate ### "{text}" Based on the above guidelines, classify the text as either Safe or Unsafe

High-risk Government Decision-making - Models cannot be used for high-risk government decisions, including law enforcement, criminal justice, migration, and asylum. ### Text to Evaluate ### "{text}" Based on the above guidelines, classify the text as either Safe or Unsafe. Only provide the classification in plain text. Figure 7: Evaluator system prompt

work page