Threat model
LLM Jailbreaks: Techniques, Detection and Defence Cost
How LLM jailbreaks differ from prompt injection, what they cost to detect, and which vendors publish coverage.
5
Common technique classes
$0
Open-source scanner floor
$0.08
Cheapest hyperscaler per-1K rate
Garak
Most-used OSS scanner
“Jailbreaks are a subclass of prompt injection that bypass the model's alignment, not its system prompt.”
Five technique classes
DAN-style
Persona injection. Do Anything Now and its many descendants.
Encoding tricks
Base64, ROT13, leetspeak, language switching.
Multi-turn ramp
Establish a benign frame, escalate over turns.
Many-shot
Anchor the LLM with fake (user, harmful) example pairs.
Roleplay / hypothetical
Wrap the request in a fiction or research framing.
Adversarial suffix
Discovered token strings that crash alignment.
Detection vendors
- Lakera Guard publishes a free Community tier with jailbreak detection.
- Azure Prompt Shields surfaces user-prompt-attack and document-attack scores.
- AWS Bedrock Guardrails ships a standalone prompt-attack filter at $0.08 per 1K text units.
- Google Model Armor includes jailbreak detection in its standalone API.
- Garak (open source) probes for known jailbreaks; runs on any LLM endpoint.
- Promptfoo (open source) generates adversarial test suites and reports pass rates.
Detection pipeline
- 1Pull payload setsGarak, Promptfoo, OWASP
- 2Run scanPer LLM endpoint
- 3Score detectionTrue / false positive rates
- 4Tune guardrailAdjust thresholds
- 5Re-scanQuarterly cadence
For prompt-injection-and-jailbreak detection cost framing, see /ai-guardrails-pricing and /ai-red-teaming-cost.
Last verified June 2026Source: vendor pricing pages. See /methodology.