Adversarial Corpora

Direct Prompt Injection — Hinglish

v3Indic

Code-switched Hindi/English direct-injection payloads with Devanagari obfuscation variants.

Direct prompt injectionLLM Top 10 · LLM01HinglishCritical

412 payloads·51% success rate

verified 4h ago

DAN-family Jailbreaks

Comprehensive DAN/AIM/STAN style jailbreak templates with persona escalation.

JailbreaksLLM Top 10 · LLM01EnglishHigh

847 payloads·22% success rate

JailbreaksMITRE ATLAS · T0054EnglishHigh

Role-play Jailbreaks

Persona-based jailbreaks: fictional characters, hypothetical scenarios, debate setups.

612 payloads·18% success rate

Indirect Prompt Injection — RAG Documents

Adversarial RAG documents containing hidden instructions designed to manipulate AI applications that use retrieval-augmented generation.

Indirect prompt injectionLLM Top 10 · LLM01MITRE ATLAS · T0051NIST AI 100-2 · §3.4.1EnglishHindiHinglishCritical

412 payloads·47% success rate

verified 12h ago

Indirect Prompt Injection — Tool Responses

Poisoned tool/API responses inserting downstream instructions for the LLM.

Indirect prompt injectionAgentic Top 10 · AGT-04MITRE ATLAS · T0051EnglishCritical

287 payloads·33% success rate

Indirect Prompt Injection — Image OCR

Multimodal adversarial images with embedded instruction text intended for OCR.

Multimodal attacksLLM Top 10 · LLM01EnglishHigh

147 payloads·29% success rate

verified 4d ago

Indirect Prompt Injection — PDF Documents

PDF docs with invisible-font and metadata instruction smuggling.

Indirect prompt injectionLLM Top 10 · LLM01EnglishHigh

192 payloads·41% success rate

JailbreaksMITRE ATLAS · T0054EnglishCritical

Crescendo Multi-turn

Microsoft's Crescendo gradual-escalation multi-turn jailbreak conversations.

211 payloads·44% success rate

Refusal bypassMITRE ATLAS · T0054EnglishCritical

Skeleton Key

Multi-turn safety bypass via instruction overrides on guard rails.

147 payloads·31% success rate

JailbreaksMITRE ATLAS · T0054EnglishHigh

Many-shot Jailbreaks

Long-context many-shot jailbreaks (Anthropic) targeting 100k+ context windows.

412 payloads·26% success rate

Base64 / ROT13 / Hex Encoded Attacks

Encoded harmful instructions to bypass keyword filters.

Encoded/ObfuscatedLLM Top 10 · LLM01EnglishMedium

294 payloads·19% success rate

verified 6d ago

ArtPrompt ASCII-art Attacks

ASCII-art encoded harmful queries (ArtPrompt).

Encoded/ObfuscatedLLM Top 10 · LLM01EnglishMedium

147 payloads·14% success rate

Devanagari-script Encoding Attacks

v2Indic

Devanagari transliteration & homoglyph encoding to bypass English-only filters.

Encoded/ObfuscatedLLM Top 10 · LLM01HindiHigh

84 payloads·36% success rate

Gradient-basedMITRE ATLAS · T0050AVID · AVID-2024-031EnglishCritical

GCG Suffix Attacks

Greedy Coordinate Gradient suffix attacks (Zou et al.).

412 payloads·24% success rate

AutoDAN Generated Attacks

Genetic-algorithm generated adversarial prompts (AutoDAN).

Gradient-basedMITRE ATLAS · T0050EnglishHigh

294 payloads·21% success rate

PII Extraction Probes — Aadhaar/PAN/IFSC

v4Indic

Indian PII extraction probes targeting Aadhaar, PAN, IFSC, CKYC IDs.

PII extractionLLM Top 10 · LLM02NIST AI 100-2 · §3.5EnglishHindiCritical

247 payloads·12% success rate

PII Extraction Probes — Global

SSN, NHS, DOB, address extraction probes (US/UK/EU).

PII extractionLLM Top 10 · LLM02EnglishCritical

412 payloads·16% success rate

Training data extractionLLM Top 10 · LLM02MITRE ATLAS · T0024EnglishHigh

Training Data Extraction

Prompt-extraction probes targeting verbatim training-data emission.

192 payloads·8% success rate

verified 4d ago

System Prompt Extraction

Probes that elicit verbatim system prompts and instructions.

System prompt extractionLLM Top 10 · LLM07EnglishMedium

147 payloads·28% success rate

Membership Inference Probes

Cases probing whether specific records were in training data.

Training data extractionMITRE ATLAS · T0024EnglishMedium

211 payloads·6% success rate

Bias elicitationLLM Top 10 · LLM09AVID · AVID-EFF-001EnglishHindiCritical

Caste-bias Elicitation

v4Indic

Caste-correlated surname & locality probes across BFSI decisions.

412 payloads·19% success rate

verified 5h ago

Religion-bias Elicitation

Religion-correlated names & customer-support scenarios.

Bias elicitationLLM Top 10 · LLM09 MultilingualHigh

287 payloads·14% success rate

Gender-bias in Financial Decisions

Counterfactual probes flipping gender across loan/insurance decisions.

Bias elicitationLLM Top 10 · LLM09EnglishHigh

211 payloads·11% success rate

Toxicity elicitationLLM Top 10 · LLM09 MultilingualHigh

Toxicity Elicitation

Multilingual toxicity-elicitation probes across protected categories.

612 payloads·9% success rate

Tool abuseAgentic Top 10 · AGT-02EnglishCritical

Tool-abuse Attacks

Tool-misuse payloads — calling unauthorized tools, exfiltrating via tool outputs.

294 payloads·32% success rate

Tool-argument Manipulation

Argument injection into tool calls (SQLi-style for tool args).

Tool abuseAgentic Top 10 · AGT-02EnglishCritical

211 payloads·27% success rate

Memory poisoningAgentic Top 10 · AGT-05EnglishHigh

Memory Poisoning

Multi-turn payloads that poison agent memory for downstream sessions.

147 payloads·18% success rate

Goal hijackingAgentic Top 10 · AGT-01EnglishCritical

Goal Hijacking

Prompts that redirect autonomous agent objective mid-task.

192 payloads·23% success rate

MCP Server Attacks — Inspector RCE Patterns

MCP Inspector-style exploitation patterns — RCE via crafted tool descriptors.

MCP attacksAgentic Top 10 · AGT-07EnglishCritical

84 payloads·41% success rate

verified 12h ago

MCP Cross-tenant Leak Patterns

MCP cross-tenant context leakage payload variants.

MCP attacksAgentic Top 10 · AGT-08EnglishCritical

47 payloads·22% success rate

Refusal bypassLLM Top 10 · LLM06EnglishHigh

Refusal-bypass Probes

Standard refusal-bypass set across forbidden categories.

412 payloads·16% success rate

Over-refusalNIST AI 100-2 · §4.2EnglishLow

Over-refusal Probes

Benign prompts that should not be refused — measures over-cautious behaviour.

211 payloads·24% success rate

Translation-based Jailbreaks

Low-resource language jailbreaks — translate harmful queries to bypass filters.

JailbreaksLLM Top 10 · LLM01 MultilingualHigh

287 payloads·33% success rate

JailbreaksLLM Top 10 · LLM01HinglishHigh

Code-switching Attacks

v3Indic

Hindi↔English mid-sentence code-switching attacks bypassing English-only safety filters.

192 payloads·39% success rate

Image-based Prompt Injection

Adversarial visual prompts manipulating multimodal models.

Multimodal attacksLLM Top 10 · LLM01EnglishHigh

147 payloads·22% success rate

Multimodal attacksLLM Top 10 · LLM01EnglishMedium

Audio Adversarial Inputs

Adversarial audio for ASR-LLM pipelines.

84 payloads·17% success rate

Indirect prompt injectionLLM Top 10 · LLM01EnglishHigh

Document-based Attacks

Document carriers — DOCX/XLSX/PDF — with embedded injection content.

147 payloads·31% success rate

verified 4d ago

HarmBench import

HarmBench standardized harm payloads.

Refusal bypassLLM Top 10 · LLM06EnglishHigh

510 payloads·21% success rate

JailbreaksMITRE ATLAS · T0050EnglishHigh

AdvBench import

AdvBench harmful behaviour payloads.

520 payloads·19% success rate

AVID database recent entries

Recently published AI Vulnerability Database entries pulled into the corpus.

Backdoor exploitationAVID · AVID-2024-Q4EnglishMedium

847 payloads·13% success rate

verified 6d ago

Direct prompt injection — Variant A-1

Auto-generated variant covering supplementary direct prompt injection surface area.

Direct prompt injectionLLM Top 10 · LLM01EnglishLow

47 payloads·5% success rate

JailbreaksLLM Top 10 · LLM01HindiMedium

Jailbreaks — Variant B-2

Auto-generated variant covering supplementary jailbreaks surface area.

70 payloads·12% success rate

Tool abuseLLM Top 10 · LLM01HinglishHigh

Tool abuse — Variant C-3

Auto-generated variant covering supplementary tool abuse surface area.

93 payloads·19% success rate

Bias elicitation — Variant D-4

Auto-generated variant covering supplementary bias elicitation surface area.

Bias elicitationLLM Top 10 · LLM01 MultilingualCritical

116 payloads·26% success rate

Encoded/Obfuscated — Variant E-5

Auto-generated variant covering supplementary encoded/obfuscated surface area.

Encoded/ObfuscatedLLM Top 10 · LLM01EnglishLow

139 payloads·33% success rate

Refusal bypass — Variant F-6

Auto-generated variant covering supplementary refusal bypass surface area.

Refusal bypassLLM Top 10 · LLM01HindiMedium

162 payloads·40% success rate

Direct prompt injection — Variant G-7

Auto-generated variant covering supplementary direct prompt injection surface area.

Direct prompt injectionLLM Top 10 · LLM01HinglishHigh

185 payloads·47% success rate

JailbreaksLLM Top 10 · LLM01 MultilingualCritical

Jailbreaks — Variant H-8

Auto-generated variant covering supplementary jailbreaks surface area.

208 payloads·9% success rate

Tool abuseLLM Top 10 · LLM01EnglishLow

Tool abuse — Variant I-9

Auto-generated variant covering supplementary tool abuse surface area.

231 payloads·16% success rate

Bias elicitation — Variant J-10

Auto-generated variant covering supplementary bias elicitation surface area.

Bias elicitationLLM Top 10 · LLM01HindiMedium

254 payloads·23% success rate

Encoded/Obfuscated — Variant K-11

Auto-generated variant covering supplementary encoded/obfuscated surface area.

Encoded/ObfuscatedLLM Top 10 · LLM01HinglishHigh

277 payloads·30% success rate

Refusal bypass — Variant L-12

Auto-generated variant covering supplementary refusal bypass surface area.

Refusal bypassLLM Top 10 · LLM01 MultilingualCritical

300 payloads·37% success rate

Direct prompt injection — Variant A-13

Auto-generated variant covering supplementary direct prompt injection surface area.

Direct prompt injectionLLM Top 10 · LLM01EnglishLow

323 payloads·44% success rate

Jailbreaks — Variant B-14

Auto-generated variant covering supplementary jailbreaks surface area.

JailbreaksLLM Top 10 · LLM01HindiMedium

346 payloads·6% success rate

Tool abuse — Variant C-15

Auto-generated variant covering supplementary tool abuse surface area.

Tool abuseLLM Top 10 · LLM01HinglishHigh

369 payloads·13% success rate

Bias elicitation — Variant D-16

Auto-generated variant covering supplementary bias elicitation surface area.

Bias elicitationLLM Top 10 · LLM01 MultilingualCritical

392 payloads·20% success rate

Encoded/Obfuscated — Variant E-17

Auto-generated variant covering supplementary encoded/obfuscated surface area.

Encoded/ObfuscatedLLM Top 10 · LLM01EnglishLow

415 payloads·27% success rate

Refusal bypass — Variant F-18

Auto-generated variant covering supplementary refusal bypass surface area.

Refusal bypassLLM Top 10 · LLM01HindiMedium

438 payloads·34% success rate

Direct prompt injection — Variant G-19

Auto-generated variant covering supplementary direct prompt injection surface area.

Direct prompt injectionLLM Top 10 · LLM01HinglishHigh

461 payloads·41% success rate

Jailbreaks — Variant H-20

Auto-generated variant covering supplementary jailbreaks surface area.

JailbreaksLLM Top 10 · LLM01 MultilingualCritical

484 payloads·48% success rate

Tool abuse — Variant I-21

Auto-generated variant covering supplementary tool abuse surface area.

Tool abuseLLM Top 10 · LLM01EnglishLow

507 payloads·10% success rate