Independent reference. We are independent of every vendor listed. No affiliate links. No sponsored placements.
Threat model

LLM Jailbreaks: Techniques, Detection and Defence Cost

How LLM jailbreaks differ from prompt injection, what they cost to detect, and which vendors publish coverage.

5
Common technique classes
$0
Open-source scanner floor
$0.08
Cheapest hyperscaler per-1K rate
Garak
Most-used OSS scanner
Jailbreaks are a subclass of prompt injection that bypass the model's alignment, not its system prompt.
OWASP Top 10 for LLM Applications 2025 commentary

Five technique classes

DAN-style

Persona injection. Do Anything Now and its many descendants.

Encoding tricks

Base64, ROT13, leetspeak, language switching.

Multi-turn ramp

Establish a benign frame, escalate over turns.

Many-shot

Anchor the LLM with fake (user, harmful) example pairs.

Roleplay / hypothetical

Wrap the request in a fiction or research framing.

Adversarial suffix

Discovered token strings that crash alignment.

Detection vendors

  • Lakera Guard publishes a free Community tier with jailbreak detection.
  • Azure Prompt Shields surfaces user-prompt-attack and document-attack scores.
  • AWS Bedrock Guardrails ships a standalone prompt-attack filter at $0.08 per 1K text units.
  • Google Model Armor includes jailbreak detection in its standalone API.
  • Garak (open source) probes for known jailbreaks; runs on any LLM endpoint.
  • Promptfoo (open source) generates adversarial test suites and reports pass rates.

Detection pipeline

  1. 1
    Pull payload sets
    Garak, Promptfoo, OWASP
  2. 2
    Run scan
    Per LLM endpoint
  3. 3
    Score detection
    True / false positive rates
  4. 4
    Tune guardrail
    Adjust thresholds
  5. 5
    Re-scan
    Quarterly cadence

For prompt-injection-and-jailbreak detection cost framing, see /ai-guardrails-pricing and /ai-red-teaming-cost.

Last verified June 2026Source: vendor pricing pages. See /methodology.