Jailbreaking an AI model used to require expertise. You needed to understand prompt engineering, safety training methods, and the specific quirks of each model's guardrails. It was a craft practiced by security researchers and a small number of motivated attackers.
That era is over.
A peer-reviewed paper published in Nature Communications on February 6 demonstrated that large reasoning models — the kind that "think" before answering — can autonomously jailbreak other AI systems with a 97.14% success rate. No human expertise required. No manual prompt crafting. Just a system prompt that says: break into this model.
The researchers — Thilo Hagendorff, Erik Derner, and Nuria Oliver — tested four reasoning models as attackers: DeepSeek-R1, Gemini 2.5 Flash, Grok 3 Mini, and Qwen3 235B. They pointed them at nine widely deployed target models and measured what happened across 70 harmful prompts spanning seven sensitive domains.
What the Attackers Did
Each reasoning model received a system prompt directing it to extract harmful information from the target. Then the researchers stepped back. No further human intervention. The attacker model planned its own strategy, conducted a multi-turn conversation with the target, and adapted its approach when initial attempts failed.
The models invented their own jailbreak techniques. They used role-playing scenarios, hypothetical framings, incremental escalation, and persuasive argumentation — the same tactics human red-teamers use, but generated on the fly and executed at machine speed.
In one documented case, an attacker model engaged a target in a conversation about chemistry until the target provided detailed instructions for synthesizing a poisonous substance. The target had been explicitly trained to refuse such requests.
Who Broke and Who Held
Not all targets failed equally. DeepSeek-V3 was the most vulnerable, returning maximum-harm responses to 90% of benchmark items. Gemini 2.5 Flash and Qwen3 30B both fell at 71.43%. GPT-4o cracked at 61.43%.
Three models held up better. Llama 3.1 70B yielded maximum-harm responses only 32.86% of the time. OpenAI's o4-mini came in at 34.29%.
Claude 4 Sonnet was the clear outlier. It returned maximum-harm content on just 2.86% of benchmark items — roughly 30 times more resistant than DeepSeek-V3.
But the 97.14% figure is the one that matters. That's the overall success rate across all model combinations. Meaning: for virtually every model tested, at least one reasoning model could break through.
Why This Is Different
This isn't another prompt injection paper. Previous jailbreak research required human ingenuity — researchers crafting specific adversarial inputs, or fine-tuning techniques like GRP-Obliteration that modify model weights directly. Those attacks need resources and expertise.
This paper eliminates both requirements. The attacker is an off-the-shelf model. The attack method is a system prompt. The cost is a few dollars in API calls. Anyone with access to a reasoning model can direct it against any other model and expect results.
The researchers call this "alignment regression." The same capabilities that make reasoning models useful — planning, persuasion, multi-step problem solving — make them better at dismantling safety training than any human attacker working alone. And the smarter the model gets, the better it gets at attacking.
The Scale Problem
Every major AI lab now offers reasoning models to the public. DeepSeek-R1 is open-weight. Qwen3 is open-weight. The tools required to run this attack are free.
The paper's framing is precise: jailbreaking has been "converted into an inexpensive activity accessible to non-experts." That sentence describes a permanent shift. Safety alignment was already a moving target. Now the adversaries are other foundation models, operating autonomously, at scale, for pennies.
The authors' recommendation — that frontier models need alignment not just to resist jailbreaks but to refuse to execute them — acknowledges a problem that current safety training doesn't address. Models are aligned to be helpful. Being helpful, when directed by a user, includes being helpful at breaking other models.
Nobody has a fix for that yet.
Sources: Nature Communications Vol. 17, Article 1435 (Hagendorff, Derner, Oliver, 2026); arxiv 2508.04039; MLCommons Jailbreak Benchmark v0.7
Originally published on Substack
Top comments (0)