What Is an LLM Jailbreak?
An LLM jailbreak is an attack that bypasses a large language model's safety training to make it produce output it was designed to refuse. Jailbreaks target the model's guardrails, not the application around it. That distinction matters: a jailbreak is a content-safety problem, while the more consequential application risk is what an influenced model is allowed to do.

What is an LLM jailbreak?
An LLM jailbreak is an input crafted to bypass the safety training of a large language model, getting it to produce content it was aligned to refuse: disallowed instructions, restricted information, or output that violates its usage policies. Jailbreaks use techniques like role-play framing, hypothetical scenarios, obfuscation, and multi-step setups that gradually move the model past its guardrails. The target is the model's own behavior and the boundaries its providers built in.
How LLM jailbreaks work
Safety training teaches a model to refuse certain requests, but that training is a learned tendency, not a hard rule. Jailbreaks exploit the gap. By reframing a request, hiding it inside a fictional context, encoding it, or building up to it across a conversation, an attacker can make the disallowed response seem consistent with what the model was asked. Because models are probabilistic, the same jailbreak may work intermittently, and new variants appear as fast as old ones are patched. No amount of alignment fully closes this, which is why jailbreaks remain an ongoing arms race rather than a solved problem.
LLM jailbreak vs prompt injection
Jailbreaking and prompt injection are related but distinct, and the difference drives where you invest. A jailbreak targets the model's safety training, aiming to make it say something restricted. Prompt injection targets the application, aiming to change what the model does inside a larger system, such as calling a tool or exfiltrating data it can access. A model can be jailbroken without harming an application, and an application can be compromised by prompt injection with no jailbreak at all. Conflating them leads teams to over-invest in content guardrails while leaving the real attack surface, the model's permissions and tools, unguarded.
Why jailbreaks matter for applications
For a consumer chatbot, a jailbreak is mainly a content and brand-safety problem. For an application where the model is wired to tools, data, and actions, the concern shifts: the danger is not only what the model says, but what a bypassed model can be steered into doing. That is why jailbreak resistance is necessary but not sufficient. The durable protection is to treat the model as untrusted and contain its capability, the same principle behind agentic AI security.
How to defend against jailbreaks
At the model layer, use the provider's safety features, add input and output filtering, and test continuously with AI red teaming so new jailbreak variants are found before attackers use them. But assume the model can be bypassed and design so that a bypass is not catastrophic: least-privilege tool access, validated actions, and human confirmation for anything irreversible. Then observe what the system actually does with runtime intelligence, so a jailbroken model that tries to take a harmful action is caught at execution. Set this in the context of AI application security and Kodem's AI application stack approach.
Frequently Asked Questions
An LLM jailbreak is an attack that bypasses a large language model's safety training to make it produce output it was designed to refuse, using techniques like role-play framing, hypotheticals, obfuscation, and multi-step prompts.
A jailbreak targets the model's safety training to produce restricted content. Prompt injection targets the application to change what the model does, such as calling a tool or leaking data. A system can be compromised by injection with no jailbreak at all.
No. Safety training is a learned tendency, not a hard rule, and models are probabilistic, so new jailbreak variants keep appearing. Alignment raises the bar but does not close the gap, which is why defense assumes the model can be bypassed.
For a chatbot, a jailbreak is mainly a content-safety issue. For an application where the model can call tools or reach data, the risk is what a bypassed model can be steered into doing, which is why capability containment matters more than guardrails alone.
Use provider safety features and input/output filtering, test with AI red teaming, and assume bypass is possible: apply least privilege, validate actions, require confirmation for irreversible ones, and monitor real behavior at runtime.
Related blogs

What is RAG Security?
RAG security covers the risks of retrieval-augmented generation: injection through retrieved content, data poisoning, and leakage. The threats and how to defend.
4
Stop the waste.
Protect your environment with Kodem.
A Primer on Runtime Intelligence
See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.
Platform Overview Video
Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.
The State of the Application Security Workflow
This report aims to equip readers with actionable insights that can help future-proof their security programs. Kodem, the publisher of this report, purpose built a platform that bridges these gaps by unifying shift-left strategies with runtime monitoring and protection.
.avif)
Get real-time insights across the full stack…code, containers, OS, and memory
Watch how Kodem’s runtime security platform detects and blocks attacks before they cause damage. No guesswork. Just precise, automated protection.



