Prompts Found
Why This Month's Findings Matter
Every month, our red team systematically probes large language models using adversarial prompts aligned to the OWASP LLM Top 10. The goal is simple: find what breaks before attackers do, and get that intelligence into defenders' hands first.
April's report was the most comprehensive yet — novel adversarial prompts tested across 6 LLMs (GPT-5, GPT-4o, Llama 3 2B, Llama 4 Scout, and two open-source models), covering multiple attack families. After running thousands of adversarial tests, our team identified 39 new malicious prompts — each a confirmed, reproducible attack vector that can be used to harden your defences today. The takeaway is clear: current LLM deployments have exploitable gaps that organisations cannot afford to leave unmonitored.
Six Threat Families. One Critical Risk.
All 39 prompts in this month's report map to LLM01 (Prompt Injection) — the top risk category in the OWASP LLM framework. Despite this single mapping, the attack vectors are diverse, targeting everything from disinformation generation to system-level architecture leakage.
Disinformation & Media Manipulation High
The most alarming family this month: a 100% Attack Success Rate across all tested models. Prompts in this family reliably coerced models into generating fabricated news narratives, false attributions, and persuasive disinformation at scale.
Persona Impersonation High
More than half of tests succeeded, with GPT-4o generating fully in-character first-person statements as real, sitting world leaders — without refusal or third-party framing. A significant reputational and misinformation risk for any public-facing deployment.
Harmful Content Generation Medium
Prompts successfully extracted actionable guidance for creating harmful software from Llama 3 2B, with step-by-step outputs that covered target selection and implementation approach — despite no external references being requested.
Prompt Injection & Jailbreak Medium
Direct instruction-overriding prompts worked against Llama 4 Scout in nearly one-third of cases. In two notable instances, the model explicitly acknowledged the injection attempt — then complied anyway, revealing a gap between intent recognition and policy enforcement.
System Prompt & Model Probing Low
A quarter of tests caused Llama 4 Scout to leak raw internal token delimiters (e.g., role boundary markers) that should never be visible at the user layer — confirming that internal model architecture can be partially reconstructed through indirect injection.
Roleplay-Based Jailbreak Low
The lowest ASR this month, though not zero. Fictional framing and character-based prompts bypassed safety filters in roughly one in five test cases, primarily on open-source models with less robust instruction tuning.
What a Confirmed Jailbreak Looks Like
Every finding in the subscriber report follows this structure — a fully documented attack, the model's failure, the underlying reason it succeeded, and the controls needed to stop it. Here's a representative example from this month's dataset.
Which Models Held Up — and Which Didn't
GPT-5 performed best with a 25.6% ASR (Attack Success Rate), though even the strongest model still failed on 1 in 4 adversarial prompts. At the other end, Llama 3 2B reached a 46.2% ASR — meaning nearly half of all malicious prompts produced unsafe outputs.
| Model | Vendor | Unsafe / Tested | ASR | Residual Risk |
|---|---|---|---|---|
| GPT-5 | OpenAI | 10 / 39 | 25.6% | Low |
| GPT-4o | OpenAI | 12 / 39 | 30.8% | Medium |
| Llama 3 2B | Meta | 18 / 39 | 46.2% | High |
| Llama 4 Scout | Meta | 15 / 39 | 38.5% | Medium |
| OSS 120B | Open-source | 14 / 39 | 35.9% | Medium |
| OSS 20B | Open-source | 13 / 39 | 33.3% | Medium |
Key observation: No model achieved a 0% ASR. Even the highest-performing model, GPT-5, failed on 10 of 39 adversarial prompts. This reinforces that model-level safety alone is insufficient — organisations deploying LLMs in production need an independent defensive layer that is updated continuously as new attack patterns emerge.
What Subscribers Receive
This blog post shares the shape of April's findings. Subscribers to the Threat Vector Database receive the full intelligence package — everything needed to test, validate, and harden LLM deployments against these exact attack patterns.
All 39 Adversarial Prompts (TVDB-APR26)
The complete curated dataset of newly discovered malicious prompts, grouped by family and severity. Each entry includes category tagging, OWASP mapping, and tested model results — ready for immediate integration into your test environment.
Full Per-Model Evidence Report
Detailed cards for every confirmed jailbreak — with the original adversarial prompt, a snippet of the unsafe model response, OWASP classification, severity rating, and the specific model affected. Useful for both engineering triage and executive risk reporting.
Monthly Cadence — Always Current
The threat landscape shifts every month. New models, new jailbreak techniques, new OWASP exposures. Subscribers receive a fresh report each month, ensuring your defensive controls keep pace with attacker innovation — not lag six months behind it.
Protector Plus Integration
Subscribers can pipe the prompt database directly into our Protector Plus input-check API to validate whether your guardrails block each known threat. Get a clear, quantified picture of your defensive coverage before attackers find the gaps themselves.