📰 Originally published on Securityelites — AI Red Team Education — the canonical, fully-updated version of this article.
The 2026 LLM Jailbreak Landscape — A Working Pentester’s Synthesis of Public Research
By Lokesh Singh (Mr Elite) — Founder, Securityelites.com Published: May 2, 2026 URL: /research/2026-llm-jailbreak-landscape/ Category: AI in Hacking → LLM Hacking Reading time: ~14 minutes
This is a working pentester’s read of the public LLM jailbreak research published between January 2024 and April 2026 — what’s actually happening in the field, drawn from cited papers and disclosed incidents, not from anyone’s marketing deck. The five things that matter most: (1) prompt injection grew 540% YoY on HackerOne in 2025; (2) Claude is meaningfully more resilient than the alternatives in published benchmarks (CySecBench reports 17% SR on Claude vs 65% on ChatGPT and 88% on Gemini); (3) the first weaponized zero-click prompt injection in production happened in 2025 (EchoLeak / CVE-2025-32711); (4) MCP and agentic systems are the highest-leverage 2026 attack surface — CVE-2025-59536 in Claude Code and 36.7% of analyzed MCP servers vulnerable to SSRF (BlueRock) prove the surface is broad and soft; (5) input/output filtering alone has demonstrably failed against adaptive attackers — capability gating and architecture-layer mitigations are the only controls that hold. For bug hunters: indirect injection through retrieved context is the highest-EV target on production systems right now. For defenders: if your threat model doesn’t compound LLM01 + LLM06, you don’t have a threat model.
A note on what this is and isn’t
I’m a working pentester. I built and run the AI in Hacking program at Securityelites.com and the SE-ARTCP credential. I read papers, I read disclosed reports, I run engagements. This piece is a synthesis of what’s in the public record — papers I can cite, CVEs I can link, HackerOne stats with named methodology. Where I’m summarising someone else’s research, I cite them. Where I’m offering opinion, I say so. I don’t have a privileged dataset, and I’m not pretending to.
Most of the AI security writing in 2026 is one of two things: a generic “10 prompt injections you must know” listicle that’s been rewritten 200 times, or a paper inaccessible to anyone who isn’t already in the field. There’s room for a third thing: a careful read of the public record by someone who actually does the work. That’s what this is.
Where the field is, in numbers from people who collected them
HackerOne’s 2025 Hacker-Powered Security Report — the most-cited dataset of the year
HackerOne published its 9th annual Hacker-Powered Security Report in October 2025, drawing on platform data from July 2024 to June 2025 across approximately 2,000 active enterprise programs and 580,000+ validated vulnerabilities. The numbers most relevant to this piece:
- Valid AI vulnerability reports rose 210% year over year
- Prompt injection reports specifically rose 540% — the fastest-growing attack vector on the platform
- Programs including AI in scope: 1,121 — up 270% YoY
- AI-related bounty payouts: $2.1M — up 339% YoY
- Sensitive data leak reports: up 152%
- 97% of AI-related security incidents involved inadequate access controls (IBM Cost of a Data Breach Report 2025, cited in the HackerOne report)
- Autonomous “hackbots” submitted 560+ valid reports at a 49% acceptance rate
The 540% figure is the one to internalise. It’s not subtle. Whatever else the AI security field is doing, prompt injection is where the volume is.
Published attack success rates against frontier models
The most-cited 2025 benchmark for cybersecurity-focused jailbreaks is CySecBench (Wahréus et al., arXiv:2501.01335, January 2025), a dataset of 12,662 prompts across 10 attack categories. The authors evaluated their prompt-obfuscation method against major commercial APIs:
ModelSuccess Rate (CySecBench obfuscation method)Claude17.4% (with attack ratio 2.00 — substantially lower than alternatives)ChatGPT65%Gemini88%
The CySecBench authors note that Claude “maintains its ethical boundaries even when presented with technically sophisticated prompts that successfully bypass other models’ safety filters.” This is consistent with what I see in engagements — Claude is harder. Not unbreakable. Harder.
A second 2025 paper worth knowing — “Jailbreaking Large Language Models Through Content Concretization” (arXiv:2509.12937, September 2025) — evaluated against 350 cybersecurity-focused prompts and showed success rate climbing from 7% (no refinements) to 62% after three refinement iterations at a cost of 7.5¢ per prompt. The takeaway isn’t the absolute number; it’s the slope. Iterative refinement is cheap and compounds quickly.
A third — “Jailbreak Mimicry” (arXiv:2510.22085) — fine-tuned a Mistral-7B as an attacker model via LoRA and reported:
TargetAttack Success RateGPT-OSS-20B*81.0%Llama-379.5%GPT-466.5%Gemini 2.5 Flash33.0%*
What matters here: the same paper reports a 1.5% baseline ASR for direct prompting of GPT-OSS-20B, meaning the fine-tuned attacker delivered a 54Ă— improvement. Open-weight attackers fine-tuned on jailbreak datasets are now a real and inexpensive class of tooling. Defenders should not be modelling their threat against a human typing prompts.
My read of these numbers, working pentester to working pentester: the relative ranking is more reliable than any specific point estimate. Across the published 2024–2025 work, the consistent pattern is Claude > GPT-class > Gemini > Llama/Mistral 7B-class, with absolute numbers swinging by methodology. If you’re choosing a model for a high-stakes deployment, alignment robustness is a real procurement criterion. It’s measurable, it varies meaningfully across vendors, and it should sit on the same checklist as latency and cost.
📖 Read the complete guide on Securityelites — AI Red Team Education
This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on Securityelites — AI Red Team Education →
This article was originally written and published by the Securityelites — AI Red Team Education team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit Securityelites — AI Red Team Education.
Top comments (0)