Skip to content
Flows
Jailbreak Regression Suite
Agent QA & Security60-90 minutes
0/3 steps0%

Step 1 of 3

Assemble the jailbreak corpus

Collect the attacks that matter for your agent's boundaries.

Prompt capsule

Build the jailbreak corpus. Sources: jailbreaks found in your own red-teaming, publicly documented technique families (persona/role-play, hypothetical framing, token smuggling, many-shot priming, refusal-suppression phrasing), and any real attempts seen in usage. Scope to YOUR agent's actual safety boundaries - what should it refuse or handle carefully given its capabilities (destructive actions, sensitive data, out-of-scope requests)? For each entry record: id, category, the attack (single or multi-turn), and the EXPECTED SAFE BEHAVIOR (hard refusal, safe partial help, or redirect - be specific about what safe looks like for this case). Aim for breadth across categories over volume within one.

Paste into Claude · Complete implementation prompt with explicit requirements

Expected after this step

A categorized jailbreak corpus with per-case expected behavior.

Should not happen

  • Fixing a jailbreak once with no test, so the next model update reopens it
  • Naive keyword grading that counts a hedged compliance as a refusal
  • Suite tied to one model, breaking silently on provider upgrades
  • No process, so found jailbreaks live in a chat log, not the suite

Verify before continuing

Do not move on until every check is true. The complete button stays locked until then.

Do not continue if…

  • !Fixing a jailbreak once with no test, so the next model update reopens it
  • !Naive keyword grading that counts a hedged compliance as a refusal
  • !Suite tied to one model, breaking silently on provider upgrades
  • !No process, so found jailbreaks live in a chat log, not the suite

If the AI messes this up

Use this when the AI fakes progress or breaks the feature. It forces a real fix.

The corpus tests generic model safety irrelevant to my agent. Refocus on boundaries that matter here - if the agent has no capability an attack would abuse, that attack is noise; prioritize jailbreaks that reach real actions or data.

Your notes for this step