Step 1 of 3
Assemble the jailbreak corpus
Collect the attacks that matter for your agent's boundaries.
Build the jailbreak corpus. Sources: jailbreaks found in your own red-teaming, publicly documented technique families (persona/role-play, hypothetical framing, token smuggling, many-shot priming, refusal-suppression phrasing), and any real attempts seen in usage. Scope to YOUR agent's actual safety boundaries - what should it refuse or handle carefully given its capabilities (destructive actions, sensitive data, out-of-scope requests)? For each entry record: id, category, the attack (single or multi-turn), and the EXPECTED SAFE BEHAVIOR (hard refusal, safe partial help, or redirect - be specific about what safe looks like for this case). Aim for breadth across categories over volume within one.
Expected after this step
A categorized jailbreak corpus with per-case expected behavior.
Should not happen
- ✕Fixing a jailbreak once with no test, so the next model update reopens it
- ✕Naive keyword grading that counts a hedged compliance as a refusal
- ✕Suite tied to one model, breaking silently on provider upgrades
- ✕No process, so found jailbreaks live in a chat log, not the suite
Verify before continuing
Do not move on until every check is true. The complete button stays locked until then.
Do not continue if…
- !Fixing a jailbreak once with no test, so the next model update reopens it
- !Naive keyword grading that counts a hedged compliance as a refusal
- !Suite tied to one model, breaking silently on provider upgrades
- !No process, so found jailbreaks live in a chat log, not the suite
If the AI messes this up
Use this when the AI fakes progress or breaks the feature. It forces a real fix.
The corpus tests generic model safety irrelevant to my agent. Refocus on boundaries that matter here - if the agent has no capability an attack would abuse, that attack is noise; prioritize jailbreaks that reach real actions or data.