Is this library for attacking AI systems?

No. It is a defensive reference for developers and authorised red-teamers to test the robustness of their own filters and guardrails. The entries describe techniques at a conceptual level so you can build defences, not bypass someone else's system.

Why are the entries templated rather than ready payloads?

The goal is education and self-testing, so entries describe the technique and provide a neutral, fill-in-the-blank template. This is enough to evaluate your own defences without shipping turnkey harmful payloads.

Does it call any external service?

No. The entire catalogue is bundled and runs in your browser with no network calls. Nothing you search or copy is logged or transmitted, which suits security teams working in restricted environments.

How should I use this responsibly?

Only test systems you own or have explicit written authorisation to assess. Use findings to strengthen system prompts, input filters, and output moderation, and follow responsible disclosure if you find a flaw in a third-party product.

Will these patterns keep working?

Model providers continuously patch known bypasses, so any specific phrasing degrades over time. The value here is understanding the categories of attack, which remain stable even as individual phrasings stop working.

Jailbreak Phrase Reference Library

Robust AI products are tested against the ways people try to break them. This jailbreak phrase reference library is a defensive catalogue of documented bypass techniques, grouped by category and described at a conceptual level, so developers and authorised red-teamers can understand what their filters must withstand and test their own systems without reaching for live external services.

How it works

The library is a bundled, offline dataset. Each entry names a technique, places it in a category — role-play personas, instruction override, hypothetical or fictional framing, token and encoding manipulation, payload splitting, authority impersonation, and others — and explains the mechanism that makes it effective and the guardrail it targets. Rather than shipping turnkey harmful payloads, entries provide neutral, fill-in-the-blank templates so you can adapt them to your own test harness. Filter by category or search by keyword to find what is relevant to the surface you are hardening.

Everything runs in the browser with no network calls, which matters for security teams working in air-gapped or restricted environments. Nothing you search or copy is logged or transmitted.

Tips and examples

Use the categories, not just the phrasings. Specific wordings get patched and stop working, but the underlying technique — say, wrapping a disallowed request inside a fictional story, or splitting it across turns so no single message looks problematic — endures. Map each category to a defensive control: instruction override calls for a hardened, immutable system prompt; encoding tricks call for normalising input before moderation; multi-turn splitting calls for conversation-level review rather than per-message checks.

Stay on the right side of the line. Only exercise systems you own or are explicitly authorised to assess, feed what you learn back into your prompts and moderation layers, and disclose responsibly if you uncover a weakness in someone else’s product.