Skip to main content
This page provides detailed information about all attack methods available for testing AI models. For a quick overview, see the Quick Reference in the Payload Guide.
Before choosing attack methods, explore available tests:

Attack Methods by Model Type

1. Large Language Models (LLMs) & AI Agents

Input: Text | Output: Text

1.1 Direct Prompt Injection

Keyword: basicDescription: Direct injection of adversarial prompts without any obfuscation or encoding. This is the baseline attack that every test should include.When to Use:
  • Always include as your first attack method
  • Establishes baseline vulnerability assessment
  • Quick testing during development
Configuration:
{
  "attack_methods": {
    "basic": {"basic": {"params": {}}}
  }
}
Parameters: NoneModel Support: LLM, VLM, ALM
Keyword: iterativeDescription: Progressive prompt refinement based on model responses. The attack adapts iteratively, learning from each response to craft increasingly effective prompts.When to Use:
  • Testing models with strong initial defenses
  • Comprehensive security assessments
  • Understanding model’s resistance to adaptive attacks
Configuration:
{
  "attack_methods": {
    "dynamic": {
      "iterative": {
        "params": {
          "width": 5,
          "branching_factor": 9,
          "depth": 3
        }
      }
    }
  }
}
Parameters:
  • width (integer): Number of parallel attack paths to explore (default: 5, range: 1-10)
  • branching_factor (integer): Number of variations per iteration (default: 9, range: 1-15)
  • depth (integer): Maximum iteration depth (default: 3, range: 1-5)
Model Support: LLMNote: Higher values increase thoroughness but also increase testing time and cost.
Keyword: multi_turnDescription: Distributes malicious intent across multiple conversation turns, exploiting the model’s conversation memory to build up to harmful outputs.When to Use:
  • Testing conversational AI and chatbots
  • Assessing context window vulnerabilities
  • Evaluating memory-based attack resistance
Configuration:
{
  "attack_methods": {
    "dynamic": {
      "multi_turn": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: LLM
Keyword: rt_agentDescription: Advanced depth-first search (DFS) based red teaming agent that uses adaptive prompt generation with mutation levels. The agent progressively refines prompts through multiple levels of mutation, learning from blocked attempts to craft increasingly effective adversarial prompts.When to Use:
  • Comprehensive security assessments
  • Testing models with strong initial defenses
  • Understanding adaptive attack resistance
  • Advanced red teaming scenarios
Configuration:
{
  "attack_methods": {
    "dynamic": {
      "rt_agent": {
        "params": {
          "width": 5,
          "branching_factor": 9,
          "depth": 3
        }
      }
    }
  }
}
Parameters:
  • width (integer): Number of parallel attack paths to explore (default: 5, range: 1-10)
  • branching_factor (integer): Number of variations per iteration (default: 9, range: 1-15)
  • depth (integer): Maximum iteration depth (default: 3, range: 1-5)
Model Support: LLMNote: Higher values increase thoroughness but also increase testing time and cost. The agent uses multiple mutation levels to progressively refine prompts while maintaining plausibility.
Keyword: eai_attackDescription: Exploit-Amplify-Iterate methodology for systematic jailbreaking using graph-based encoding techniques.When to Use:
  • Advanced security testing
  • Research-grade assessments
  • Testing sophisticated defense mechanisms
Configuration:
{
  "attack_methods": {
    "static": {
      "eai_attack": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: LLM, VLM

1.2 Encoding & Obfuscation Techniques

Keyword: ascii_encodingDescription: Converts characters to ASCII decimal values to evade content filters that pattern-match text.Example: “hello” → “104 101 108 108 111”When to Use:
  • Bypassing simple text-based filters
  • Testing encoding awareness
  • Combined with other techniques
Configuration:
{
  "attack_methods": {
    "static": {
      "ascii_encoding": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: LLM
Keyword: base64_encodingDescription: Base64-encoded prompts to bypass pattern matching and content filters.Example: “attack” → “YXR0YWNr”When to Use:
  • Testing encoding robustness
  • Multi-iteration encoding for advanced evasion
  • Common bypass technique
Configuration:
{
  "attack_methods": {
    "static": {
      "base64_encoding": {
        "params": {
          "encoding_type": "base64",
          "iterations": 2
        }
      }
    }
  }
}
Parameters:
  • encoding_type (string): Type of encoding (default: “base64”)
  • iterations (integer): Number of encoding iterations (default: 1, range: 1-3)
Model Support: LLMNote: Higher iterations increase obfuscation but may reduce model comprehension.
Keyword: binary_encodingDescription: Represents text as binary (base-2) to obscure malicious instructions.Example: “hi” → “01101000 01101001”When to Use:
  • Testing technical encoding understanding
  • Advanced obfuscation scenarios
  • Combined attack vectors
Configuration:
{
  "attack_methods": {
    "static": {
      "binary_encoding": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: LLM
Keyword: hex_encodingDescription: Hex-encoded prompts for filter evasion using base-16 representation.Example: “test” → “74657374”When to Use:
  • Technical content filters
  • Programming-focused models
  • Combined with other encodings
Configuration:
{
  "attack_methods": {
    "static": {
      "hex_encoding": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: LLM
Keyword: url_encodingDescription: Percent-encoded characters to obscure intent using URL encoding standards.Example: “hack me” → “hack%20me”When to Use:
  • Web-based applications
  • URL/link processing models
  • Combined obfuscation
Configuration:
{
  "attack_methods": {
    "static": {
      "url_encoding": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: LLM
Keyword: obfuscationDescription: General obfuscation techniques including character substitution, spacing manipulation, and other text transformations.When to Use:
  • First-line static attack testing
  • Complement to basic attacks
  • Standard security assessment
Configuration:
{
  "attack_methods": {
    "static": {
      "obfuscation": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: LLM, VLM

1.3 Cipher & Character Substitution

Keyword: leet_encodingDescription: Alphanumeric character substitution popular in internet culture.Example: “hack” → “h4ck”, “elite” → “31337”When to Use:
  • Testing character-level pattern matching
  • Social engineering contexts
  • Combined with other methods
Configuration:
{
  "attack_methods": {
    "static": {
      "leet_encoding": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: LLM
Keyword: rot13_encodingDescription: Caesar cipher with 13-position character rotation (A↔N, B↔O, etc.).Example: “hello” → “uryyb”When to Use:
  • Testing cipher understanding
  • Classic obfuscation technique
  • Educational/demonstration purposes
Configuration:
{
  "attack_methods": {
    "static": {
      "rot13_encoding": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: LLM
Keyword: rot21_encodingDescription: Caesar cipher with 21-position character rotation.Example: “test” → “ozno”When to Use:
  • Alternative to ROT13
  • Testing cipher detection range
  • Comprehensive cipher testing
Configuration:
{
  "attack_methods": {
    "static": {
      "rot21_encoding": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: LLM
Keyword: morse_encodingDescription: Represents text using Morse code dots and dashes.Example: “SOS” → ”… --- …”When to Use:
  • Unique encoding tests
  • Historical/educational contexts
  • Comprehensive encoding coverage
Configuration:
{
  "attack_methods": {
    "static": {
      "morse_encoding": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: LLM

1.4 Multilingual Attacks

Keyword: lang_frDescription: Prompt translation to French for filter bypass. Many content filters are optimized for English.When to Use:
  • International models
  • Testing language-specific defenses
  • Comprehensive multilingual testing
Configuration:
{
  "attack_methods": {
    "static": {
      "lang_fr": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: LLM
Keyword: lang_itDescription: Italian-language prompt injection to bypass English-focused filters.Configuration:
{
  "attack_methods": {
    "static": {
      "lang_it": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: LLM
Keyword: lang_hiDescription: Hindi-language adversarial prompts, useful for testing non-Latin script handling.Configuration:
{
  "attack_methods": {
    "static": {
      "lang_hi": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: LLM
Keyword: lang_esDescription: Spanish-language attack vectors for Romance language testing.Configuration:
{
  "attack_methods": {
    "static": {
      "lang_es": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: LLM
Keyword: lang_jaDescription: Japanese-language jailbreak attempts, testing Asian language defenses.Configuration:
{
  "attack_methods": {
    "static": {
      "lang_ja": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: LLM

1.5 Advanced Techniques

Keyword: deep_inceptionDescription: Nested multi-layer prompt injection using recursive context framing. Creates layered scenarios that progressively lead the model toward prohibited outputs.When to Use:
  • Advanced security research
  • Testing sophisticated safety measures
  • Comprehensive vulnerability assessment
Configuration:
{
  "attack_methods": {
    "static": {
      "deep_inception": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: LLM

2. Vision-Language Models (VLMs)

Input: Text + Image | Output: Text

2.1 Visual Manipulation Attacks

Keyword: basicDescription: Direct adversarial prompts with unmodified images as baseline for VLM testing.When to Use:
  • Always include as baseline for VLM testing
  • Quick visual content assessment
  • Establishing VLM vulnerability baseline
Configuration:
{
  "attack_methods": {
    "basic": {"basic": {"params": {}}}
  }
}
Parameters: NoneModel Support: VLM
Keyword: maskingDescription: Strategic occlusion or masking of image regions to manipulate context and bypass visual content filters.When to Use:
  • Testing visual content moderation
  • Occlusion-based attacks
  • Combined visual-text attacks
Configuration:
{
  "attack_methods": {
    "static": {
      "masking": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: VLM
Keyword: figstepDescription: Figure-based step-wise adversarial attack technique that converts harmful text into typographic images, bypassing text-based safety filters. The attack uses a three-step pipeline: paraphrase (convert prohibited questions into list-format statements), typography (transform text into typographic images), and incitement (add neutral prompts to encourage response).When to Use:
  • Advanced VLM security testing
  • Multi-step visual attacks
  • Testing typographic image bypass techniques
Configuration:
{
  "attack_methods": {
    "static": {
      "figstep": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: VLMReference: Based on the paper “FigStep: Jailbreaking Large Vision-Language Models via Typographic Visual Prompts” - arXiv:2311.05608
Keyword: camoDescription: Cross-modal obfuscation attack that decouples harmful text across text and image modalities. Both components appear benign independently but combine to form malicious instructions when processed together by a VLM. Supports multiple variants including basic, steganographic, multi-image, and contextual obfuscation.When to Use:
  • Advanced VLM security testing
  • Cross-modal attack assessment
  • Testing modality fusion vulnerabilities
Configuration:
{
  "attack_methods": {
    "static": {
      "camo": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: VLMReference: Based on the paper “Cross-Modal Obfuscation for Jailbreak Attacks on Large Vision-Language Models” - arXiv:2506.16760
Keyword: fcDescription: Jailbreak attack using auto-generated flowcharts. The attack uses a two-stage process: first, an LLM generates harmful steps from the query, then a flowchart image is created from these steps. The VLM analyzes the flowchart and provides detailed harmful guidance, bypassing safety filters through visual representation.When to Use:
  • Advanced VLM security testing
  • Flowchart-based attack assessment
  • Multi-step visual attack scenarios
Configuration:
{
  "attack_methods": {
    "dynamic": {
      "fc": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: VLMReference: Based on the paper “FC-Attack: Jailbreaking Multimodal Large Language Models via Auto-Generated Flowcharts” - arXiv:2502.21059

2.2 Coming Soon

Keyword: hadesDescription: Advanced visual jailbreak methodology using sophisticated image perturbation techniques. This attack leverages image-based prompts to bypass text-based safety filters.When to Use:
  • Advanced VLM security research
  • Image-based jailbreak testing
  • Requires special access
Configuration:
{
  "attack_methods": {
    "static": {
      "hades": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: VLMNote: 🔒 Coming Soon. Contact hello@enkryptai.com for access.
Keyword: joodDescription: Joint Out-of-Distribution attack leveraging distributional shifts in both visual and textual modalities to bypass safety mechanisms.When to Use:
  • Research and academic testing
  • OOD robustness evaluation
  • Requires special access
Configuration:
{
  "attack_methods": {
    "dynamic": {
      "jood": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: VLMNote: 🔒 Coming Soon. Contact hello@enkryptai.com for access.

3. Audio-Language Models (ALMs)

Input: Text + Audio | Output: Text

3.1 Audio-Based Attacks

Keyword: basicDescription: Direct adversarial prompts with audio input as baseline for ALM testing.When to Use:
  • Always include as baseline for ALM testing
  • Quick audio content assessment
  • Establishing ALM vulnerability baseline
Configuration:
{
  "attack_methods": {
    "basic": {"basic": {"params": {}}}
  }
}
Parameters: NoneModel Support: ALM
Keyword: waveformDescription: Audio waveform modification to bypass safety guardrails through signal processing techniques.When to Use:
  • Testing audio content moderation
  • Signal-level attack testing
  • Comprehensive ALM security
Configuration:
{
  "attack_methods": {
    "static": {
      "waveform": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: ALM
Keyword: echoDescription: Echo-based audio manipulation to obscure or modify harmful audio content.When to Use:
  • Audio obfuscation testing
  • Environmental effect bypass
  • Combined audio attacks
Configuration:
{
  "attack_methods": {
    "static": {
      "echo": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: ALM
Keyword: speedDescription: Audio speed modification techniques (faster/slower playback) to bypass detection.When to Use:
  • Temporal manipulation testing
  • Rate-based evasion
  • Audio processing robustness
Configuration:
{
  "attack_methods": {
    "static": {
      "speed": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: ALM
Keyword: pitchDescription: Pitch modification for audio obfuscation while maintaining intelligibility.When to Use:
  • Frequency-based evasion
  • Voice transformation testing
  • Audio filter bypass
Configuration:
{
  "attack_methods": {
    "static": {
      "pitch": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: ALM
Keyword: reverbDescription: Reverb-based audio manipulation to obscure content through spatial effects.When to Use:
  • Environmental audio testing
  • Spatial effect evasion
  • Combined audio techniques
Configuration:
{
  "attack_methods": {
    "static": {
      "reverb": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: ALM
Keyword: noiseDescription: Background noise injection techniques to obscure harmful content while maintaining comprehension.When to Use:
  • Noise robustness testing
  • SNR-based evasion
  • Real-world audio scenarios
Configuration:
{
  "attack_methods": {
    "static": {
      "noise": {"params": {}}
    }
  }
}
Parameters: NoneModel Support: ALM

Attack Method Combinations

Starter Combination (Quick Testing)

{
  "attack_methods": {
    "basic": {"basic": {"params": {}}}
  }
}

Standard Combination (Balanced)

{
  "attack_methods": {
    "basic": {"basic": {"params": {}}},
    "static": {
      "obfuscation": {"params": {}},
      "base64_encoding": {"params": {"encoding_type": "base64", "iterations": 1}}
    }
  }
}

Advanced Combination (Comprehensive)

{
  "attack_methods": {
    "basic": {"basic": {"params": {}}},
    "static": {
      "obfuscation": {"params": {}},
      "base64_encoding": {"params": {"encoding_type": "base64", "iterations": 2}},
      "lang_es": {"params": {}},
      "eai_attack": {"params": {}}
    },
    "dynamic": {
      "iterative": {
        "params": {
          "width": 5,
          "branching_factor": 9,
          "depth": 3
        }
      },
      "multi_turn": {"params": {}},
      "rt_agent": {
        "params": {
          "width": 5,
          "branching_factor": 9,
          "depth": 3
        }
      }
    }
  }
}

Best Practices

Start Simple

Always begin with basic attacks to establish a baseline before adding complexity.

Progressive Testing

Gradually add static, then dynamic attacks as you understand your model’s vulnerabilities.

Match Your Model

Choose attack methods appropriate for your model type (LLM, VLM, or ALM).

Consider Cost

Dynamic attacks (iterative, multi_turn) are more resource-intensive but more thorough.