InjectPrompt is highly relevant to the AI agent ecosystem because it maps the primary security vulnerability facing autonomous systems: prompt injection. As agents transition from simple chatbots to entities with the power to read emails, execute code, and access private APIs, the ability of an attacker to override the agent's system instructions through malicious input, including third-party content the agent reads (indirect prompt injection), becomes a critical failure point.
The platform's research into bypassing guardrails for models like Grok 4.1 and ChatGPT 5.2 provides developers with a library of known attack vectors. By using tools like the InjectPrompt Companion, developers can red-team their own agent implementations to ensure that system prompts remain secure and that tool-calling capabilities cannot be hijacked by adversarial user inputs or third-party data.
InjectPrompt is a publication and software project dedicated to the systematic bypass of safety guardrails in large language models. While AI labs like OpenAI, Anthropic, and xAI invest heavily in reinforcement learning from human feedback (RLHF) to prevent their models from generating harmful content, InjectPrompt operates on the premise that these guardrails are fundamentally permeable. The platform provides a library of techniques—ranging from ASCII art obfuscation to complex role-play simulations—designed to elicit restricted information from high-end models.
The project originated as an offshoot of AIBlade, a broader AI security blog founded in 2024. By March 2025, founder David Willis-Owen transitioned focus specifically to jailbreaks and prompt injections. This pivot coincided with the release of more capable, and theoretically more secure, models like ChatGPT 5.2 and Grok 4.1. The platform has since grown to over 6,000 subscribers, serving as a primary repository for researchers who need to stay current on the shifting target of LLM safety.
David Willis-Owen brings a traditional cybersecurity background to the LLM space, having worked as a penetration tester at JPMorganChase. This perspective informs the technical depth of InjectPrompt. Rather than just sharing curiosity-driven prompts, the site categorizes vulnerabilities like direct and indirect prompt injection. These are security flaws where an attacker can hijack a model’s instruction set, a risk that becomes particularly acute as companies deploy AI agents with tool-calling capabilities.
The company’s primary software offering is the InjectPrompt Companion. This tool is an AI assistant specifically tuned to generate jailbreak prompts based on a private knowledge base of working exploits. It is available in Lite and Pro versions, with version 2.5 featuring improved reasoning capabilities for crafting prompts that can bypass the most recent model updates. This move from a static newsletter to a generative tool marks an attempt to professionalize red-teaming workflows for enterprise security teams.
InjectPrompt’s research covers a wide array of commercial and open-weights models, including Gemini 3, Qwen 3 Max, and Kimi K2.5. The techniques documented on the site often exploit the underlying logic of transformers. For example, the "Rejected Response" method uses a model's own rejection patterns to pivot into a successful bypass, while "Sensory Archive" exploits simulation-based prompts to circumvent guardrails.
Critically, InjectPrompt addresses the reality that as models get more "secure," the jailbreaks required to bypass them become more technical and less intuitive. The platform documents how voice interfaces and image inputs present new adversarial surfaces, expanding the scope of prompt injection beyond simple text boxes. This ongoing documentation provides a counter-narrative to the marketing of "safe" AI, demonstrating that safety is a transient state in a continuous cat-and-mouse game between model providers and adversarial researchers.
A security research publication focused on LLM jailbreaks and system prompt leaks.
An AI-powered tool for crafting and testing jailbreak prompts.