What Is an LLM Jailbreak?

An LLM jailbreak is an attack that bypasses a large language model's safety training to make it produce output it was designed to refuse. Jailbreaks target the model's guardrails, not the application around it. That distinction matters: a jailbreak is a content-safety problem, while the more consequential application risk is what an influenced model is allowed to do.

July 15, 2026
July 15, 2026

0 min read

AI Security
LLM
Application Security
What is an LLM Jailbreak?

What is an LLM jailbreak?

An LLM jailbreak is an input crafted to bypass the safety training of a large language model, getting it to produce content it was aligned to refuse: disallowed instructions, restricted information, or output that violates its usage policies. Jailbreaks use techniques like role-play framing, hypothetical scenarios, obfuscation, and multi-step setups that gradually move the model past its guardrails. The target is the model's own behavior and the boundaries its providers built in.

How LLM jailbreaks work

Safety training teaches a model to refuse certain requests, but that training is a learned tendency, not a hard rule. Jailbreaks exploit the gap. By reframing a request, hiding it inside a fictional context, encoding it, or building up to it across a conversation, an attacker can make the disallowed response seem consistent with what the model was asked. Because models are probabilistic, the same jailbreak may work intermittently, and new variants appear as fast as old ones are patched. No amount of alignment fully closes this, which is why jailbreaks remain an ongoing arms race rather than a solved problem.

LLM jailbreak vs prompt injection

Jailbreaking and prompt injection are related but distinct, and the difference drives where you invest. A jailbreak targets the model's safety training, aiming to make it say something restricted. Prompt injection targets the application, aiming to change what the model does inside a larger system, such as calling a tool or exfiltrating data it can access. A model can be jailbroken without harming an application, and an application can be compromised by prompt injection with no jailbreak at all. Conflating them leads teams to over-invest in content guardrails while leaving the real attack surface, the model's permissions and tools, unguarded.

Why jailbreaks matter for applications

For a consumer chatbot, a jailbreak is mainly a content and brand-safety problem. For an application where the model is wired to tools, data, and actions, the concern shifts: the danger is not only what the model says, but what a bypassed model can be steered into doing. That is why jailbreak resistance is necessary but not sufficient. The durable protection is to treat the model as untrusted and contain its capability, the same principle behind agentic AI security.

How to defend against jailbreaks

At the model layer, use the provider's safety features, add input and output filtering, and test continuously with AI red teaming so new jailbreak variants are found before attackers use them. But assume the model can be bypassed and design so that a bypass is not catastrophic: least-privilege tool access, validated actions, and human confirmation for anything irreversible. Then observe what the system actually does with runtime intelligence, so a jailbroken model that tries to take a harmful action is caught at execution. Set this in the context of AI application security and Kodem's AI application stack approach.

Frequently Asked Questions

What is an LLM jailbreak?

An LLM jailbreak is an attack that bypasses a large language model's safety training to make it produce output it was designed to refuse, using techniques like role-play framing, hypotheticals, obfuscation, and multi-step prompts.

What is the difference between a jailbreak and prompt injection?

A jailbreak targets the model's safety training to produce restricted content. Prompt injection targets the application to change what the model does, such as calling a tool or leaking data. A system can be compromised by injection with no jailbreak at all.

Can LLM jailbreaks be fully prevented?

No. Safety training is a learned tendency, not a hard rule, and models are probabilistic, so new jailbreak variants keep appearing. Alignment raises the bar but does not close the gap, which is why defense assumes the model can be bypassed.

Are jailbreaks dangerous for applications?

For a chatbot, a jailbreak is mainly a content-safety issue. For an application where the model can call tools or reach data, the risk is what a bypassed model can be steered into doing, which is why capability containment matters more than guardrails alone.

How do you defend against jailbreaks?

Use provider safety features and input/output filtering, test with AI red teaming, and assume bypass is possible: apply least privilege, validate actions, require confirmation for irreversible ones, and monitor real behavior at runtime.

Table of contents

Related blogs

What is RAG Security?

What is RAG Security?

RAG security covers the risks of retrieval-augmented generation: injection through retrieved content, data poisoning, and leakage. The threats and how to defend.

July 15, 2026

4

What is MCP Security?

What is MCP Security?

MCP security covers the risks of the Model Context Protocol connecting AI agents to tools and data. The main threats, and how to contain them at runtime.

July 15, 2026

4

What Is an SBOM? (Software Bill of Materials)

What Is an SBOM? (Software Bill of Materials)

A software bill of materials (SBOM) inventories every component in your software. What an SBOM includes, why it matters, and how runtime makes it actionable.

July 15, 2026

5

Stop the waste.
Protect your environment with Kodem.

A Primer on Runtime Intelligence

See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.

5.1k
Applications covered
1.1m
False positives eliminated
4.8k
Triage hours reduced

Platform Overview Video

Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.

5.1k
Applications covered
1.1m
False positives eliminated
4.8k
Triage hours reduced

The State of the Application Security Workflow

This report aims to equip readers with actionable insights that can help future-proof their security programs. Kodem, the publisher of this report, purpose built a platform that bridges these gaps by unifying shift-left strategies with runtime monitoring and protection.

3D book mockup of Kodem's State of the Application Security Workflow 2025 report

Get real-time insights across the full stack…code, containers, OS, and memory

Watch how Kodem’s runtime security platform detects and blocks attacks before they cause damage. No guesswork. Just precise, automated protection.

Kodem issues list with a magnified view of insight icons: runtime, ingress, and exploitability
Combined author
Idan Bartura
Publish date

0 min read

AI Security

LLM

Application Security