Prompts Found
Why This Month's Findings Matter
Every month, our red team systematically probes large language models using adversarial prompts aligned to the OWASP LLM Top 10. The goal is simple: find what breaks before attackers do, and get that intelligence into defenders' hands first.
April's report was the most comprehensive yet — novel adversarial prompts tested across 6 LLMs (GPT-5, GPT-4o, Llama 3 2B, Llama 4 Scout, and two open-source models), covering multiple attack families. After running thousands of adversarial tests, our team identified 39 new malicious prompts — each a confirmed, reproducible attack vector that can be used to harden your defences today. The takeaway is clear: current LLM deployments have exploitable gaps that organisations cannot afford to leave unmonitored.
Six Threat Families. One Critical Risk.
All 39 prompts in this month's report map to LLM01 (Prompt Injection) — the top risk category in the OWASP LLM framework. Despite this single mapping, the attack vectors are diverse, targeting everything from disinformation generation to system-level architecture leakage.
Disinformation & Media Manipulation High
The most alarming family this month: a 100% Attack Success Rate across all tested models. Prompts in this family reliably coerced models into generating fabricated news narratives, false attributions, and persuasive disinformation at scale.
Persona Impersonation High
More than half of tests succeeded, with GPT-4o generating fully in-character first-person statements as real, sitting world leaders — without refusal or third-party framing. A significant reputational and misinformation risk for any public-facing deployment.
Harmful Content Generation Medium
Prompts successfully extracted actionable guidance for creating harmful software from Llama 3 2B, with step-by-step outputs that covered target selection and implementation approach — despite no external references being requested.
Prompt Injection & Jailbreak Medium
Direct instruction-overriding prompts worked against Llama 4 Scout in nearly one-third of cases. In two notable instances, the model explicitly acknowledged the injection attempt — then complied anyway, revealing a gap between intent recognition and policy enforcement.
System Prompt & Model Probing Low
A quarter of tests caused Llama 4 Scout to leak raw internal token delimiters (e.g., role boundary markers) that should never be visible at the user layer — confirming that internal model architecture can be partially reconstructed through indirect injection.
Roleplay-Based Jailbreak Low
The lowest ASR this month, though not zero. Fictional framing and character-based prompts bypassed safety filters in roughly one in five test cases, primarily on open-source models with less robust instruction tuning.
What a Confirmed Jailbreak Looks Like
Every finding in the subscriber report follows this structure — a fully documented attack, the model's failure, the underlying reason it succeeded, and the controls needed to stop it. Here's a representative example from this month's dataset.
Which Models Held Up — and Which Didn't
GPT-5 performed best with a 25.6% ASR (Attack Success Rate), though even the strongest model still failed on 1 in 4 adversarial prompts. At the other end, Llama 3 2B reached a 46.2% ASR — meaning nearly half of all malicious prompts produced unsafe outputs.
| Model | Vendor | Unsafe / Tested | ASR | Residual Risk |
|---|---|---|---|---|
| GPT-5 | OpenAI | 10 / 39 | 25.6% | Low |
| GPT-4o | OpenAI | 12 / 39 | 30.8% | Medium |
| Llama 3 2B | Meta | 18 / 39 | 46.2% | High |
| Llama 4 Scout | Meta | 15 / 39 | 38.5% | Medium |
| OSS 120B | Open-source | 14 / 39 | 35.9% | Medium |
| OSS 20B | Open-source | 13 / 39 | 33.3% | Medium |
Key observation: No model achieved a 0% ASR. Even the highest-performing model, GPT-5, failed on 10 of 39 adversarial prompts. This reinforces that model-level safety alone is insufficient — organisations deploying LLMs in production need an independent defensive layer that is updated continuously as new attack patterns emerge.
What You Get — Free, Every Month
This post shares the shape of April’s findings. The free monthly AI Threat Report delivers the headline intelligence straight to your inbox — one email a month, no noise. Subscribe here →
The Headline Findings
Each month’s confirmed attack vectors, grouped by family and severity, with OWASP mapping and tested model results — the patterns that matter, distilled.
Sample Finding Deep-Dives
Representative confirmed jailbreaks, fully documented — the adversarial prompt pattern, the model’s failure, why it succeeded, and the controls that stop it.
Monthly Cadence — Always Current
The threat landscape shifts every month. New models, new jailbreak techniques, new OWASP exposures. You receive a fresh report each month, keeping your defensive picture in pace with attacker innovation — not lag six months behind it.
From the Team Behind TraceCtrl
Our Threat Vector Database research is produced by the CloudsineAI red team — the same intelligence that hardens TraceCtrl Guard’s guardrails every month. Security observability and control for agentic AI.