Multi-step Jailbreak: Mechanisms & Defenses
- Multi-step jailbreak is a method that decomposes harmful intent into sequential sub-prompts, enabling attacks to bypass single-turn safety checks.
- It employs mechanisms like progressive moral reframing and gradual escalation to create persistent unsafe states within conversational history.
- Empirical studies report high attack success rates across various frameworks, highlighting the need for trajectory-aware, context-based defenses.
Multi-step jailbreak denotes a family of jailbreak attacks in which harmful intent is not presented as a single overtly malicious prompt, but is instead distributed across multiple sub-questions, dialogue turns, edits, or generation stages. In this literature, the attack objective may be decomposed into “a series of less harmful sub-questions,” embedded in a conversation history, or pursued after an initial compromise through additional harmful follow-ups; the common feature is that safety failure emerges from trajectory structure rather than from one prompt alone (Zhou et al., 2024). Empirical work has shown that defending against one presentation format does not guarantee defense against another, even when the underlying harmful content is intended to be equivalent (Gibbs et al., 2024).
1. Conceptual scope and formalization
The research literature uses several closely related terms: “multi-round jailbreak,” “multi-turn jailbreak,” “many-turn jailbreaking,” and “step-by-step editing.” In one line of work, the attacker decomposes a single harmful objective into sequential sub-questions; in another, the attacker first secures one jailbreak and then asks additional harmful follow-up questions; in multimodal systems, the attacker may reach the harmful endpoint through iterative edits rather than a single request (Zhou et al., 2024).
A formal multi-turn framing appears in ICON, which models the attack as a prompt sequence sent to a target model , with turn- response and success when there exists a prompt sequence such that (Lin et al., 28 Jan 2026). This definition makes the central property explicit: the harmful final response depends on accumulated history rather than on the last prompt alone.
A separate but complementary formulation appears in “Many-Turn Jailbreaking,” where the first turn is an attacked harmful query , and later turns test whether the compromised context carries over to relevant follow-ups or irrelevant harmful follow-ups (Yang et al., 9 Aug 2025). That paper distinguishes this setting from earlier multi-turn attacks that still target one final harmful query: here, one successful jailbreak may create a persistent unsafe conversational state for subsequent questions.
2. Mechanisms of stepwise compromise
One important mechanism is progressive moral or contextual reframing. “Moralized” multi-step jailbreak prompts use a seven-stage interaction—“Introduce neutral context,” “Incremental manipulation,” “Introduce moral ambiguity,” “Escalate targeted criticism,” “Seek reasons for immorality,” “Normalize verbal violence,” and “Moral kidnapping and threats”—to make verbal abuse appear ethically justified within a fictional workplace scenario (Wang, 2024). The paper’s central diagnosis is that guardrails “often rely on single prompt semantics for contextual analysis,” while harmful meaning can emerge only when prompts are “accumulated and integrated into a context.”
A second mechanism is gradual commitment escalation. FITD (“Foot-In-The-Door”) stages a harmful goal across increasing maliciousness levels, uses SlipperySlopeParaphrase to insert intermediate bridge queries, and applies Re-Align to make the target model rewrite its own prior response so that it better matches the current harmful direction (Weng et al., 27 Feb 2025). The paper characterizes the resulting phenomenon as “self-corruption,” and reports that average harmfulness rises from about 2.32 at level to 4.23 at level 0, with smooth late-stage escalation contributing more than large jumps from benign to overtly harmful requests.
A third mechanism is intent-context coupling. ICON argues that safety constraints are relaxed when malicious intent is embedded in a semantically congruent and “authoritative-style” context pattern such as Scientific Research, Personal Narrative, Fictional Scenario, Information Retrieval, or Problem Solving (Lin et al., 28 Jan 2026). The attack first routes the harmful intent to a context pattern, then instantiates a multi-turn setup sequence that builds the discourse frame before issuing the final harmful trigger. This shifts the attack from simple gradual escalation to deliberate construction of a context in which the final request appears legitimate.
3. Representative attack frameworks
The attack space now includes manual staged prompts, learned conversational attackers, search-based planners, and attacker-LLM-free tree search. The table summarizes representative systems and the attack structures they instantiate.
| Method | Step structure | Reported result |
|---|---|---|
| Multi-round decomposition (Zhou et al., 2024) | Rewrite a dangerous prompt into progressive sub-questions; regenerate decomposition on rejection | 94\% success rate on llama2-7B |
| FITD (Weng et al., 27 Feb 2025) | 12-stage escalation with bridge prompts and Re-Align | Average ASR 94\% on JailbreakBench / 91\% on HarmBench |
| Siren (Zhao et al., 24 Jan 2025) | Learned history-conditioned attacker trained with Turn-MF, SFT, and DPO | 90\% with LLaMA-3-8B attacker against Gemini-1.5-Pro; 70\% with Mistral-7B against GPT-4o |
| ICON (Lin et al., 28 Jan 2026) | Prior-guided context routing plus tactical and strategic optimization | Average ASR 97.1\% across eight target LLMs |
| LATS (Kulshreshtha et al., 6 Jan 2026) | Breadth-first tree search over dialogues via lexical anchor injection | 97–100\% ASR on latest GPT, Claude, and Llama models with about 6.4 queries |
A separate line treats “multi-step” primarily as an optimization process rather than as an explicitly multi-turn execution format. EvoJail formulates jailbreak generation as a multi-objective black-box search over safety-risk and diversity, and its structural mutation operator can “break down the request into multiple harmless sub-questions” (Tang et al., 22 Apr 2026). The paper is explicit that its final artifacts are usually still single prompts, but those prompts may contain internal decomposition, progressive escalation, or staged obfuscation.
Another trajectory-centric framework is “Multi-turn Jailbreaking via Global Refinement and Active Fabrication,” which maintains a full jailbreaking path 1 and revises the remaining path globally after each interaction (Tang et al., 22 Jun 2025). Its second distinctive mechanism, active fabrication, removes safety warnings from intermediate answers or discards persistent refusals from history, thereby treating dialogue history itself as an attack surface.
4. Empirical characterization and benchmarks
A major empirical result is that content-equivalent single-turn and multi-turn attacks are not equivalent in effect. “Emerging Vulnerabilities in Frontier Models: Multi-Turn Jailbreak Attacks” introduces a dataset in which the same encoded attack can be delivered either as a single prompt or as a multi-turn conversation, and reports average jailbreak rates of 21.0\% for single-turn versus 24.1\% for multi-turn, rising to 28.7\% versus 36.1\% when restricted to attacks the model understood (Gibbs et al., 2024). The paper calls the mismatch “prompting structure asymmetry”; for Claude-3-Opus, 41.7\% of successful attacks worked in multi-turn but failed in single-turn, while 8.3\% showed the opposite pattern.
“Many-Turn Jailbreaking” extends the problem from decomposition of one harmful objective to persistence after a first compromise (Yang et al., 9 Aug 2025). It constructs MTJ-Bench from 320 HarmBench test questions, defines MTJ-Bench-ir with 2 irrelevant harmful follow-up questions per first-turn query, and groups relevant follow-ups into style families such as Codes, Copyright, Persuasive, Offensive, Technique, and Step-by-step. The paper reports that relevant follow-up ASR is around 30\% to 40\%, that ASR_Gain for irrelevant follow-ups generally ranges from 5\% to 20\%, and that once models answer second-turn harmful questions they are “highly likely” to continue answering harmful third-, fourth-, and fifth-turn questions.
Black-box studies of manually designed staged prompts reach similar conclusions. The “moralized” verbal-attack study reports attack success rates of 87.5\% on GPT-4o, 90.9\% on Grok-2 Beta, 88.9\% on Llama 3.1 (405B), 88.9\% on Gemini 1.5, and 77.8\% on Claude 3.5 Sonnet, with Claude described as showing “more obvious resistance” than the others (Wang, 2024).
Observation of multi-step jailbreaks in real conversational corpora has become a separate research problem. JailbreakHunter addresses this by combining group-level, conversation-level, and turn-level analysis over datasets such as LMSYS-Chat-1M and WildChat, using region-level Attack Success Rate (ASR), cosine similarity to 666 reported jailbreak prompts, and turn-by-turn reconstruction of how bypasses unfold across conversations (Jin et al., 2024). Its workflow is specifically motivated by the fact that multi-turn jailbreaks are “dynamic and influenced by contextual changes and previous model responses.”
5. Multimodal and pipeline generalizations
In image generation, multi-step jailbreaks often take the form of iterative editing rather than multi-turn text dialogue. Chain-of-Jailbreak (CoJ) decomposes a blocked image request into a sequence of sub-queries and edits using delete-then-insert, insert-then-delete, or change-then-change-back, over word, character, or image-level editing elements (Wang et al., 2024). On four commercial services—GPT-4V, GPT-4o, Gemini 1.5, and Gemini 1.5 Pro—the paper reports that CoJ can successfully bypass safeguards in over 60\% cases, while the compared single-prompt jailbreak baselines are around 14\% or less. It also reports that Think Twice Prompting can defend over 95\% of CoJ attacks.
The same trajectory logic extends to vision-LLMs. MemJack attacks VLMs over up to 3 rounds per image, repeatedly selecting visual anchors, generating image-grounded prompts through six attack angles, scoring responses, reflecting on failure modes, and re-planning around new anchors when needed (Chen et al., 14 Apr 2026). On full, unmodified COCO val2017 images, it achieves 71.48\% ASR against Qwen3-VL-Plus, rising to 90\% under extended budgets, and an ablation on a 100-image COCO subset shows that removing memory drops ASR from 72\% to 38\%.
For text-to-image systems, PixJail argues that jailbreak evaluation is not a single prompt-level test but a pipeline-level problem involving prompt transformation, image generation, safety filtering, and multimodal judging (Sheng et al., 23 Jun 2026). It reconstructs 11 representative T2I jailbreak methods under a unified contract and reports 2.1\% average error and 0\% median error in reproducing paper-matched results. A plausible implication is that multi-step jailbreaks in multimodal settings are often inseparable from the evaluation pipeline that executes and judges them.
6. Defenses, detection, and unresolved issues
Existing defenses split into prompt-side filtering, trajectory-aware generation control, and multilingual or multimodal generalization. A prompt-level example is the multi-stage LSVM pipeline, whose semantic filter uses normalization, TF-IDF, and a Linear SVM, achieving 93.4\% accuracy and 96.5\% specificity on held-out data (Rao et al., 22 Dec 2025). In end-to-end evaluation, the configuration {SVM, VectorDB, Classifier} blocks 1405 of 1456 evaluated adversarial attempts, yields 0.00\% ASR, and reduces average time-to-completion to 47.24 s. The same paper is explicit, however, that its operative unit is the “incoming prompt” or “query string”; it does not maintain dialogue state or classify a whole conversation transcript.
Trajectory-aware defenses attempt to move safety checks inside generation itself. REFLECTOR models a response as a trajectory 4 and targets indirect attacks whose harmful content may not emerge until after roughly 20 tokens (Ma et al., 20 May 2026). Its two-stage framework first teaches structured reflection by SFT and then reinforces valid reflection with RL; the paper reports Defense Success Rates (DSR) exceeding 90\% against complex indirect attacks together with a 5.85\% gain on GSM8K.
Multilingual defense introduces another dimension. MLJailDe constructs an 11-language dataset with 2,232 benign and 1,239 jailbreak samples, learns language-insensitive intent representations with relative-distance constraints, and reports 98.5\% F1 overall and 97.1\% average F1 on unseen languages (Jiang et al., 22 Apr 2026). The method is still prompt-level, not dialogue-level, but it suggests that representation spaces organized by underlying intent rather than surface form may be useful for future multi-step defenses in multilingual settings.
Across the literature, a recurring limitation is the mismatch between attack trajectories and prompt-local defenses. Attack papers repeatedly exploit accumulated context, repeated reformulation, contextual camouflage, authoritative pretext construction, or persistence after an initial breach, whereas several defense papers still operate on isolated prompts or single generation boundaries. This suggests that robust mitigation will require conversation-aware moderation, trajectory-level state tracking, and evaluation protocols that treat jailbreaks as evolving processes rather than as isolated adversarial strings.