GitHub - joshfischer1108/jailbreak-lab: A hands-on kit for educational, authorized red teaming of any locally-run LLM. · GitHub
/" data-turbo-transient="true" />
Skip to content
Search or jump to...
Search code, repositories, users, issues, pull requests...
-->
Search
Clear
Search syntax tips
Provide feedback
--><br>We read every piece of feedback, and take your input very seriously.
Include my email address so I can be contacted
Cancel
Submit feedback
Saved searches
Use saved searches to filter your results more quickly
-->
Name
Query
To see all available qualifiers, see our documentation.
Cancel
Create saved search
Sign in
/;ref_cta:Sign up;ref_loc:header logged out"}"<br>Sign up
Appearance settings
Resetting focus
You signed in with another tab or window. Reload to refresh your session.<br>You signed out in another tab or window. Reload to refresh your session.<br>You switched accounts on another tab or window. Reload to refresh your session.
Dismiss alert
{{ message }}
joshfischer1108
jailbreak-lab
Public
Notifications<br>You must be signed in to change notification settings
Fork
Star
main
BranchesTags
Go to file
CodeOpen more actions menu
Folders and files<br>NameNameLast commit message<br>Last commit date<br>Latest commit
History<br>2 Commits<br>2 Commits
web
web
.gitignore
.gitignore
LICENSE
LICENSE
README.md
README.md
View all files
Repository files navigation
LLM Red Team Lab
A hands-on kit for educational, authorized red teaming of any locally-run LLM. It works<br>with any OpenAI-compatible model — Llama, Mistral, Qwen, Gemma, DeepSeek R1, and more —<br>and covers the two ways an LLM system gets exploited:
Jailbreaking the model — real techniques (instruction override, roleplay/DAN,<br>hypothetical framing, encoding, payload splitting, and a reasoning-trace attack aimed at<br>reasoning models like DeepSeek R1) that try to talk the model past its own guardrail.
Injecting the agent — indirect prompt injection that steers an agent into a<br>forbidden tool call (exfil, destructive, out-of-scope).
Canary-safe by design: the model is told to protect a fake secret and the agent's<br>tools are mocks, so the techniques are genuine but nothing harmful is ever produced.
Everything runs against a model you operate locally (Ollama, LM Studio, vLLM, or any<br>OpenAI-compatible endpoint) — and comparing how different models hold up is the whole point.
Only test models and systems you own or are authorized to test.
Quick start
ollama pull deepseek-r1 # a model to attack (any works — see below)<br>cd web<br>npm install<br>npm run dev # open http://localhost:5173 (proxies to Ollama)
Then: try to break the model in your own words, unlock a playbook of jailbreak techniques and<br>watch each attack stream through a live dataflow with any leaked secret highlighted, and open<br>the agent injection page to watch a hidden instruction hijack a tool-using agent.
The model dropdown is populated from your installed Ollama models; switch between them to<br>compare how guardrails hold.
Pull more models to compare
The lab works with any OpenAI-compatible model. Comparing across families is the<br>best way to see how differently guardrails behave — pull a few and switch between them:
trace — can leak in the reasoning channel):<br>ollama pull deepseek-r1 # 7B default; also :1.5b, :8b, :14b, :32b<br>ollama pull qwen3 # reasoning; :1.7b, :4b, :8b
# Safety-tuned instruct models (answer directly, no reasoning channel):<br>ollama pull llama3.1:8b # Meta, heavily safety-tuned — often resists<br>ollama pull gemma3 # Google
# Lightly-guarded instruct models (tend to leak more — good contrast):<br>ollama pull mistral:7b # minimal built-in guardrails<br>ollama pull mistral-small"># Reasoning models (emit a trace — can leak in the reasoning channel):<br>ollama pull deepseek-r1 # 7B default; also :1.5b, :8b, :14b, :32b<br>ollama pull qwen3 # reasoning; :1.7b, :4b, :8b
# Safety-tuned instruct models (answer directly, no reasoning channel):<br>ollama pull llama3.1:8b # Meta, heavily safety-tuned — often resists<br>ollama pull gemma3 # Google
# Lightly-guarded instruct models (tend to leak more — good contrast):<br>ollama pull mistral:7b # minimal built-in guardrails<br>ollama pull mistral-small
ollama list shows what you have; anything installed appears in the dropdown. Larger tags<br>(e.g. deepseek-r1:14b) need more RAM but resist better. A good comparison run is a<br>reasoning model (deepseek-r1) vs. a safety-tuned one (llama3.1:8b) vs. a weak one<br>(mistral:7b) on the same attack.
How it connects to your model
The browser calls the relative path /llm/v1/chat/completions, which the dev server (and, in<br>production, a reverse proxy) forwards to your model server — so there's no CORS to fight and<br>no key in the browser. Point it elsewhere with VITE_LLM_TARGET (see web/vite.config.ts).
Layout
web/<br>├── src/components/ UI — challenge, technique lab, agent-injection page, dataflow pipeline<br>├── src/lib/ Real streaming client, leak detection, agent loop + mock tools<br>└── src/data/ Jailbreak...