Jailbreaks: The Families You Will See

Most jailbreaks come from a small number of patterns. Here are the ones that keep working, and why they are hard to kill. The Jailbreak Zoo A jailbreak is any prompt or setup that makes a model break its own rules.

30 min · Reviewed 2026

The Jailbreak Zoo

A jailbreak is any prompt or setup that makes a model break its own rules. Since late 2022, researchers have catalogued dozens. Most are variations on a handful of patterns. If you understand the patterns, you can spot new ones.

Family 1: role-play

Ask the model to pretend to be something else. The classic DAN (Do Anything Now) prompt from 2023 told ChatGPT it was a free version with no rules. Early versions complied. Fix: train models to refuse at the meta level, regardless of framing.

Family 2: encoding

Ask for the bad thing in base64, rot13, pig latin, a made-up language. The safety classifier trained on English sometimes misses the foreign form. Fix: train on encoded versions too. New encodings keep appearing.

Family 3: many-shot

Anthropic researchers showed in 2024 that stuffing a long context window with hundreds of faux dialogues where a model cheerfully answers harmful questions eventually makes the real model comply. The attack exploits in-context learning itself.

Family 4: adversarial suffixes (GCG)

CMU researchers in 2023 found garbled strings that, appended to any prompt, reliably unlock refused requests across many models. These are found via gradient optimization, not natural-language cleverness. They look like nonsense but work.

Family 5: indirect prompt injection

The model reads a webpage or document that contains instructions pretending to be from the user. The model follows them. This is the scariest family because agents with tools can do real damage.

Family	Canonical example	Strong defense
Role-play	DAN	Meta-level refusal training
Encoding	Base64 the harmful ask	Train on encoded forms
Many-shot	100 fake dialogues	Long-context safety fine-tuning
Adversarial suffix	GCG optimized strings	Adversarial training + detection
Indirect injection	Hidden text on a webpage	Content-origin rules, sandboxing

Every jailbreak is a gift. It shows us the shape of the thing we didn't know we hadn't taught the model.
— An alignment researcher at Anthropic

The big idea: jailbreaks are not a moral failure of the model. They are the emergent consequence of training on following instructions. Studying the families is how the field actually improves.

End-of-lesson check

6 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-safety-jailbreak-families-builders

What is the main idea of "Jailbreaks: The Families You Will See"?
1. Most jailbreaks come from a small number of patterns.
2. Use AI as the final authority for the whole decision
3. Avoid checking the answer once it sounds polished
4. Focus only on speed instead of judgment
Which concept is most central to "Jailbreaks: The Families You Will See"?
1. role-play
2. jailbreak
3. many-shot
4. adversarial suffix
What should a careful learner remember about "The structural problem"?
1. Use "The structural problem" as a reminder to verify the AI output before anyone relies on it.
2. Skip the context so the tool can guess faster
3. Treat the output as private even after sharing it online
4. Use the answer without checking the source
You want to use AI after this lesson. What is the safest next step?
1. Act immediately because the AI answer is written clearly
2. AI cannot make the human values decision for you.
3. Hide uncertainty so the final answer looks cleaner
4. Use private or sensitive details before checking permission
How should AI output about jailbreak be treated?
1. As proof that no other source is needed
2. As a replacement for context, consent, or expert review
3. As a draft or helper output that still needs human judgment and verification
4. As something that becomes correct when it sounds confident
Name one way to verify an AI answer about jailbreak.

← Back to interactive lesson

Tendril · Builders · Ethics & Society