The Jailbreak Menu Becomes the Bandit Problem
A June 2026 arXiv paper turns jailbreak selection into an online learning problem: a library of known attacks becomes more dangerous when it can be ranked by feedback.
For this essay, a jailbreak-bandit system means an adaptive selector that treats attack templates as options, observes whether each attempt succeeded, and updates which option it will try next. The public governance object is the selection budget, reward signal, and evaluation record, not the text of any jailbreak.
From Trick to Selection
The paper, arXiv:2606.26936 [cs.CR], is titled Jailbreaking for the Average Jane: Choosing Optimal Jailbreaks via Bandit Algorithms for Automatically Enhanced Queries. arXiv lists Prarabdh Shukla, Ritik, Suhas Rao, Arpit Agarwal, and Arjun Bhagoji as authors and records version 1 on June 25, 2026.
The useful shift is conceptual. Many discussions of model safety imagine a jailbreak as a clever string: someone discovers a phrase, posts it, and the red team asks whether it still works. This paper asks a different question. If a non-expert attacker can choose among many known attack templates, the hard part may become selection.
That puts the work beside this site's pages on automated prompt-injection search, intent labels, guardrail cost, and red-team release theater. Static prompt lists can miss the operational pressure of repeated probing and updating.
Current Context
As of June 25, 2026, jailbreak evaluation is no longer only a collection of clever prompts. JailbreakBench describes a fragmented evaluation landscape in which open-ended harmfulness judgments are not standardized, attacker costs and success rates are hard to compare, and reproducibility suffers when prompts or code are withheld. MLCommons' February 2026 jailbreak methodology announcement similarly argues for a mechanism-first taxonomy so benchmark coverage can be defensible, reproducible, and explainable to auditors.
Security guidance points in the same direction. OWASP's 2025 LLM01 prompt-injection guidance says there is no foolproof prompt-injection prevention method and recommends layered mitigations: constrained model behavior, validated output formats, input and output filtering, least-privilege access, human approval for high-risk actions, separation of untrusted content, and regular adversarial testing. NIST's Generative AI Profile treats generative-AI risk as dependent on model, system, and use-case context, and calls for post-deployment monitoring, incident response, recovery, and change management.
That context makes the paper's contribution sharper. A static leaderboard says whether a model resisted a fixed set. A bandit-shaped evaluation asks whether a model resists an adversary who can spend a small budget learning which known attack family works best for that target, query class, judge, and refusal policy.
What the Paper Tests
The authors frame jailbreak choice as a multi-armed bandit problem. Each known jailbreak is an arm. The attacker receives feedback only for the chosen arm on a given query, then updates a policy over the menu. The paper studies a transfer attack, where learned weights are frozen for evaluation, and a continual attack, where the policy keeps updating.
For query material, the paper introduces FrankensteinBench: 11,279 malicious queries across six high-stakes domains, sourced through manual curation, automated enhancement, and seven existing safety benchmarks: AIRBench, WMDP, JailbreakV-28K, HarmBench, MedSafetyBench, JailbreakBench, and HarmfulQA. It reports train, validation, and test splits of 9,036, 1,004, and 1,239 queries, with the test split manually vetted.
The evaluation spans 15 open-weight target models from 270M to 120B parameters, 70 jailbreaks, and six domains. The paper uses gemma-3-27b-it as a response judge after validation. It also separates simple malicious queries from complex ones, where complexity means domain-specific technical framing rather than merely longer text.
What the Results Show
On the FrankensteinBench test set, the paper reports an average attack success rate of about 44 percent even without applying jailbreaks. With jailbreaks, individual methods can do better, but the central result is that bandit selection can outperform obvious single-choice baselines and discover model-specific choices.
The headline number is the multiple-pass transfer setting. When five jailbreaks are sampled from the learned policy, the paper reports average attack success rates as high as 97 percent across the 15 open-weight models. This is not evidence that deployed closed systems behave the same way; it is evidence that one-shot tests against hand-picked prompts are too weak.
The query-complexity result matters too. The paper reports that complex queries have a 50 percent average baseline success rate versus about 39 percent for simple queries, and that jailbreaks can raise attack success by up to 26 percent on some methods. The attack surface includes the model's difficulty distinguishing harmful intent from technical language.
The Recommendation Layer
The key object is not a single jailbreak. It is the recommendation layer sitting above a jailbreak library. A weak library can become stronger when a selector learns which item works for a model, domain, query style, and refusal policy. That is the same reason ordinary recommender systems matter: the ranking policy changes what gets tried, not only what exists.
This also changes what defenders should log. A failed attack attempt is not only a rejected prompt; it is feedback for the next attempt. A successful attack is not only a bad output; it is evidence that a selection policy has found a working route. Safety telemetry therefore needs to distinguish the raw query, the selected attack family, the selection algorithm, the reward signal, the number of attempts, the judge used for feedback, and whether the same selector transfers to a fresh query set.
The distinction matters for governance because a defense can overfit to known strings while leaving the selector intact. Blocking one arm in the menu may simply shift probability mass to another arm unless the release gate measures adaptive behavior after the patch.
Why This Is Governance
The governance problem is recommendation. Once many attacks are available, an attacker does not need to understand all of them. They need a cheap procedure that chooses among them. A menu becomes more dangerous when feedback turns it into a policy.
For safety teams, this changes the evidence standard. A system card should not merely say that a model was tested against a jailbreak set. It should say whether the test included adaptive selection, how many probes were allowed, whether the adversary could observe outcomes, whether query complexity was varied, and whether defenses were evaluated after learning.
It also changes the meaning of guardrails. A static guard may catch known strings while missing the selection process that makes a weak attack portfolio stronger. An overbroad guard may block legitimate technical speech because it cannot separate malicious operationalization from benign domain vocabulary.
Limits and Release Discipline
The paper is careful about scope. Its main experiments are single-turn and mostly English. The authors list multi-turn attacks, multilingual attacks, evolving jailbreak sets, and better contextual bandits as future work. They also present only a limited proprietary-model case study, not a comprehensive audit of closed systems.
The ethics section matters because the benchmark is dual-use. The authors state that their team and annotators were warned about offensive and malicious content. They release code for reproducibility, but say dataset access will require approval because the curated queries could be misused. The artifact needed to measure risk can also carry risk.
This page does not reproduce jailbreak text, prompt examples, or operational attack recipes. The lesson for a public safety archive is to keep the aggregate evidence, threat model, and evaluation demands visible without turning the article into another attack menu.
Failure Modes
Single-prompt comfort appears when a release review blocks a few famous jailbreaks and treats that as evidence against an adaptive chooser.
Budget erasure appears when a report states an attack success rate without naming the number of attempts, exploration queries, restarts, passes, or observed feedback available to the adversary.
Judge-as-reward drift appears when an LLM judge steers attack selection, but the judge has not been validated against the target harm rubric, false-positive rate, false-negative rate, and domain slices that matter for deployment.
Open-weight extrapolation appears when results across the paper's open-weight model set are treated as a claim about a closed production system with different policy, decoding, monitoring, rate limits, retrieval, or tool boundaries.
Patch-the-arm repair appears when defenders block one attack family from the menu and do not rerun adaptive selection to see where the policy moves next.
Dataset release collapse appears when reproducibility pressure pushes harmful query corpora into public circulation without access controls, reviewer safety practices, and documented downstream-use limits.
Evaluation Standard
A useful red-team report should include the attacker's information budget: query count, outcome visibility, selection method, and whether the defender saw only final prompts or also the exploration process.
It should also publish separate results for simple and complex queries, static and adaptive attack selection, transfer and continual settings, one-pass and multiple-pass evaluation, baseline harmfulness without jailbreaks, and post-patch retesting. The evidence should name the model versions, decoding settings, judge model, harm rubric, domains, benchmark access rules, and whether any proprietary-system case study was limited or comprehensive. Without that detail, a low jailbreak score can mean robust behavior or merely a gentle evaluation.
A bandit-shaped red-team card should record the attack menu taxonomy, arm count, selection algorithm, exploration set, exploitation set, reward source, judge validation, retry budget, rate-limit assumptions, success@N, utility or overrefusal impact, confidence intervals or run variance, and remediation results. It should also say what is withheld for safety: raw jailbreak text, harmful queries, dataset access conditions, and reviewer protections.
The paper's strongest public contribution is a demand for more realistic measurement. When the attack surface includes a menu of known jailbreaks, the safety claim has to cover the menu, the chooser, the feedback loop, the reward signal, and the guardrail together.
Source Discipline
This article treats Shukla, Ritik, Rao, Agarwal, and Bhagoji's work as an arXiv preprint. The quantitative claims above are paper-reported controlled experiments over the authors' model set, jailbreak menu, query corpus, judge, decoding choices, and evaluation settings. They should not be converted into a universal claim that every deployed model can be attacked at the same rate.
The supporting governance sources have narrower jobs. JailbreakBench and MLCommons support the claim that jailbreak evaluation needs reproducible threat models, cost accounting, mechanism coverage, and defensible benchmark design. OWASP and NIST support defense-in-depth, adversarial testing, least privilege, post-deployment monitoring, incident response, and change-management context. They do not certify the paper, the benchmark, or any deployed model as safe or unsafe.
Source discipline is also release discipline. Public discussion can cite aggregate results, threat models, benchmark composition, limitations, and ethics controls without reproducing operational payloads. A safety archive should make the evaluation standard portable while keeping attack text and harmful query corpora behind controlled access where the original researchers require it.
Related Pages
- The Injection Prompt Becomes the Search Problem
- The Defense Stack Becomes the Attack Template
- The Decomposed Task Becomes the Safety Bypass
- The Prompt Injection Becomes the Context Problem
- The Embedded Command Becomes the Evaluation Target
- The Harmful Video Becomes the Reasoning Benchmark
- The Evaluator Becomes the Contagion Network
- The LLM Judge Becomes the Annotation Budget
- The Agent Security Survey Becomes the Threat Model
- The Model Memory Becomes an Attack Surface
- The Prompt Worm Becomes the Email Attachment
- Prompt Injection, Adversarial Machine Learning, Reinforcement Learning, and Algorithmic Impact Assessments
Sources
- Prarabdh Shukla, Ritik, Suhas Rao, Arpit Agarwal, and Arjun Bhagoji, Jailbreaking for the Average Jane: Choosing Optimal Jailbreaks via Bandit Algorithms for Automatically Enhanced Queries, arXiv:2606.26936 [cs.CR], version 1 submitted June 25, 2026.
- arXiv HTML and PDF: Jailbreaking for the Average Jane and PDF, reviewed for the bandit framing, FrankensteinBench composition, train/validation/test splits, model and jailbreak counts, attack-success results, query-complexity results, limitations, and ethical-release discussion.
- Official code repository: irohs-lab/jailbreaking-llms-for-the-average-jane, reviewed for repository identity and public-code release context.
- JailbreakBench, LLM robustness benchmark, reviewed for benchmark fragmentation, reproducibility, attacker-cost, threat-model, and scoring-framework context.
- MLCommons, MLCommons Lays the Foundation for Defensible Jailbreak Benchmarking, February 16, 2026, reviewed for mechanism-first taxonomy and defensible benchmark-design context.
- OWASP GenAI Security Project, LLM01:2025 Prompt Injection, reviewed for mitigation vocabulary and adversarial-testing guidance.
- NIST, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile, NIST AI 600-1, July 2024, reviewed for risk-management, post-deployment monitoring, incident-response, and change-management context.