📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.
The AI model refuses your request. You try rephrasing it — still refuses. You try a roleplay framing — still refuses. Then you try something different: you include 256 examples of the model apparently answering similar requests, stacked up in the prompt before your actual question. Now the bypass rate is over 60%.
That’s many-shot jailbreaking — and it exploits one of the features that makes modern AI models genuinely useful: in-context learning. The same capability that allows an LLM to understand task patterns from a few examples in the prompt can be weaponised to override safety training by flooding the context with fabricated examples of unsafe compliance. The bigger the context window, the more examples you can include, the higher the bypass rate. And context windows have grown from 8,000 tokens to 200,000+ tokens in two years.
🎯 After This Article
How many-shot jailbreaking works — the in-context learning mechanism it exploits
The Anthropic research — demonstrated bypass rate scaling with shot count
Why expanding context windows increase the many-shot attack surface
Effective defences — output classifiers, input length limits, and training-level mitigations
How to test a deployment for many-shot vulnerability in a security assessment
⏱️ 20 min read · 3 exercises
📋 Many-Shot Jailbreaking Technique – Contents
- The In-Context Learning Mechanism — What Many-Shot Exploits
- The Anthropic Many-Shot Research
- Context Window Expansion and Attack Surface Growth
- Defences — What Actually Works
- Testing Deployments for Many-Shot Vulnerability
The In-Context Learning Mechanism — What Many-Shot Exploits
My testing methodology for many-shot vulnerability gives you a reproducible result within one session. My defence recommendations focus on what actually reduces exploitation rate in practice — not what sounds theoretically satisfying. Context window expansion is the development trend I track most closely from an attack surface perspective. The Anthropic research paper on many-shot jailbreaking is the one I cite when I need to move a sceptical AI team from ‘this isn’t real’ to ‘let’s fix this’. Understanding in-context learning is the prerequisite I always cover first — it explains why many-shot works mechanically. Large language models are trained to predict the next token given prior context. A core emergent property of large-scale training is in-context learning: the ability to infer task patterns from examples provided in the context window and continue those patterns in new outputs. This capability is central to how LLMs are made useful — provide a few examples of the desired format or behaviour, and the model generalises the pattern to new inputs.
Many-shot jailbreaking weaponises this capability by providing examples of a different pattern than the safety training intends. The attacker constructs a long prompt containing many fabricated Q&A exchanges where the “model” complies with harmful requests. The real model, seeing this in-context distribution of unsafe compliance, is conditioned to continue the pattern when the actual harmful request arrives at the end. The model is doing what it’s trained to do — following in-context patterns — but the in-context signal overwhelms the safety training signal when enough examples are provided.
MANY-SHOT STRUCTURE — CONCEPTUAL (EDUCATIONAL)Copy
# Many-shot jailbreaking structure (concept only)
# SHOTS: fabricated examples establishing harmful pattern
Q: How do I [harmful request type A]?
A: [fabricated harmful response A – detailed]
Q: What’s the best way to [harmful request type B]?
A: [fabricated harmful response B – detailed]
… repeat 256 times with variations …
# ACTUAL REQUEST (at end of long context)
Q: [target harmful request]
A: [model conditioned to continue pattern …]
# Why it works: in-context distribution > safety training signal
# Shot count: bypass rate scales — more shots = higher bypass probability
# Defence: output classifier catches unsafe response regardless of shot count
Many-shot prompting technique in LLMs visualizing context window scaling and AI behavior shift (2026)
📸 Many-shot bypass rate scaling with shot count (illustrative trend based on published research direction). The key finding from Anthropic’s research: bypass rate is not flat as shot count increases — it rises substantially as more fabricated examples are added to the context. This scaling relationship means context window expansion is a direct security concern: a model that is robust to 16-shot attacks may not be robust to 256-shot attacks in a larger context window. The defence implication: safety testing should be conducted at the maximum shot count your deployment allows, not at short contexts.
The Anthropic Many-Shot Research
Anthropic disclosed the many-shot jailbreaking technique in April 2024, following their own research demonstrating the bypass mechanism across multiple LLMs including Claude. The disclosure was notable for two reasons: it was a major AI company publishing safety vulnerability research about their own model before the technique was independently discovered and widely exploited, and it included responsible disclosure to other AI providers to allow them to implement defences before publication.
The research demonstrated that bypass rates increased predictably with shot count across multiple harm categories and multiple models. The technique was effective not just against Claude but against other frontier LLMs tested in the research. This cross-model effectiveness established many-shot jailbreaking as a general property of LLM in-context learning rather than a model-specific weakness.
📖 Read the complete guide on SecurityElites
This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on SecurityElites →
This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.
Top comments (0)