Exploring Cognitive Vulnerabilities: Self-Persuasion in Jailbreaking LLMs

Abstract

Large Language Models (LLMs) have demonstrated effectiveness across various tasks, yet they remain susceptible to malicious exploitation. Adversaries can circumvent LLMs’ safety constraints (“jail”) through carefully engineered “jailbreaking” prompts. Researchers have developed various jailbreak techniques leveraging optimization, obfuscation, and persuasive tactics to assess LLM security. However, these approaches frame LLMs as passive targets of manipulation, overlooking their capacity for active reasoning. In this work, we introduce Persu-Agent, a novel jailbreak framework grounded in Greenwald’s Cognitive Response Theory. Unlike previous approaches that focus primarily on prompt design, we target the LLM’s internal reasoning process. Persu-Agent prompts the model to generate its justifications for harmful queries, effectively persuading itself. Experiments on advanced open-source and commercial LLMs show that Persu-Agent achieves an average jailbreak success rate of 84%, outperforming existing SOTA methods. Our findings offer new insights into the cognitive tendencies of LLMs and contribute to developing more secure and robust LLMs.

1. Introduction

Large Language Models (LLMs) have emerged as powerful tools, demonstrating impressive capabilities in translation [1], summarization [2], question answering, and creative writing [3]. Millions of users interact with LLMs to access helpful information [4]. However, malicious attackers can also exploit LLMs to extract sensitive or restricted information, a process known as “jailbreaking”. To address these security concerns, simulating attackers’ behaviors becomes essential, as it enables researchers to uncover potential weaknesses in LLMs systematically.

Initially, attackers relied on manually constructing jailbreak prompts [5], which are time-consuming and suboptimal in scalability. To overcome these challenges, researchers have developed automated jailbreak techniques, which can be broadly categorized into two approaches: optimization-based and obfuscation-based. Optimization-based methods utilize gradient-based optimization techniques [6,7] to craft adversarial prompt suffixes, forcing the LLM to produce compliant responses (e.g., “Sure, let’s...”). Meanwhile, obfuscation-based methods employ strategies such as word substitution [8] or character encoding [9] to obscure malicious keywords within the prompt. While effective, these methods exhibit identifiable prompt patterns and can be defended by feature detection [10].

To address the above limitations, researchers have explored persuasion strategies in everyday communication, which are less detectable. These methods employ persuasion techniques to jailbreak LLMs [11], adopting a fundamental approach that involves integrating plausible justifications for malicious actions [12,13]. Furthermore, recent studies investigated multi-turn dialogues to conceal malicious intent [14,15,16,17]. In these attacks, adversaries designed progressive questions, aiming to obtain harmful answers through a series of step-by-step interactions. Through a psychological attribution analysis of existing jailbreak methods, we found that these methods treat LLMs as passive persuasion targets. The core challenge in persuasion-based jailbreaking lies in constructing plausible justifications that convince the model to execute harmful actions. However, existing persuasion methods rely on externally imposed justifications, which may conflict with the internal reasoning patterns of LLMs. Our goal is to investigate how self-persuasion mechanisms, in which LLMs autonomously generate justifications for harmful actions, affect the effectiveness of jailbreaking.

Inspired by Greenwald’s Cognitive Response Theory  [18], we propose Persu-Agent, a multi-turn dialogue jailbreaking framework. This cognitive theory posits that persuasion is not determined by the message itself, but rather by the recipient’s cognitive processing of the message. Building on this theory, we hypothesize that engaging the target LLM in generating its justifications can enhance the likelihood of persuasion. Therefore, we employ self-persuasion as the central mechanism in our framework. Unlike direct persuasion, where justifications are provided explicitly, self-persuasion [19] takes a different approach. It employs open-ended questions to encourage the target model to generate justifications and persuade itself. This process positions the LLM as both the persuader and the target of persuasion, increasing the likelihood of compliance. After eliciting the supporting justifications for the target action, we then progressively request the LLM to execute the action. To demonstrate the motivation of our approach, Figure 1 illustrates a sample comparison of our method with direct persuasion approaches.

To validate the proposed method, we conducted extensive experiments across multiple advanced LLMs. Our results demonstrate that Persu-Agent achieves an average attack success rate (ASR) of 84%, surpassing existing state-of-the-art (SOTA) methods, which achieve a maximum ASR of 73%. Moreover, our method can also effectively circumvent existing defense strategies. These findings highlighted the effectiveness of our method and revealed new insights into LLM vulnerabilities.

In conclusion, our contributions are as follows:

• Psychological Analysis of Jailbreak Methods: We analyze existing jailbreak methods from a psychological perspective and reveal that, despite employing diverse persuasion techniques, they rely on external persuasion strategies that treat LLMs as passive targets.
• Novel Jailbreak Framework: We apply the self-persuasion technique to LLM jailbreak and propose an automatic framework, Persu-Agent, which persuades the LLM with its own generated justifications.
• Effective Performance: Experiments demonstrate that our method effectively guides LLMs to answer harmful queries, outperforming existing SOTA approaches.

The remainder of this paper is organized as follows: Section 2 reviews related work. Section 3 presents the framework design. Section 4 details the experimental setup and results. Section 5 addresses the limitations of our approach. Finally, Section 6 concludes the paper.

2. Related Work

2.1. Jailbreak Attack

Non-persuasion attacks can be categorized into optimization-based and obfuscation-based approaches. (1) Optimization-based methods search for adversarial prompt suffixes through gradient optimization [6], token probability optimization [20], or evolutionary mutation of existing prompts [7,21]. However, these optimized prompts often exhibit distinctive characteristics such as high perplexity and nonsensical token sequences, making them easily detectable by defense mechanisms [10]. (2) Obfuscation-based methods exploit input processing vulnerabilities through minority languages [22], encoding transformations [9,23,24], or wordplay techniques [8,25,26]. Despite their diversity, these approaches still produce conversational patterns that differ significantly from natural user interactions, making them vulnerable to targeted safety training defenses [27]. In contrast, our proposed approach maintains natural conversational flow without relying on external optimization or encoding manipulations.

External persuasion methods attack LLMs by applying persuasion techniques from human communication, including direct commands to sophisticated conversational strategies. (1) Early approaches employed direct command injection, such as DAN (Do Anything Now) prompts that explicitly instruct models to ignore safety constraints. (2) Further methods utilize persuasion techniques from human communication. For example, PAP [11] systematically applies techniques like logical appeal and expert endorsement to generate persuasive jailbreak prompts; PAIR [28] employs fictional scenarios or moral manipulation to induce model compliance, and DeepInception [29] uses multi-layered nested fictional contexts to bypass safety mechanisms through recursive storytelling gradually. (3) Recent works have further developed multi-turn conversational persuasion, where Red Queen [15] employs iterative prompt refinement, CoA (Chain of Attack) [17] uses sequential attack chains, and ActorAttack [16] leverages progressive inquiries to obtain the target answer. While these approaches successfully maintain natural conversational patterns, they fundamentally rely on externally imposed justifications where adversaries provide persuasive reasoning. On the contrary, our approach shifts the paradigm by eliciting persuasive justifications from the LLM’s internal reasoning processes, rather than external arguments.

2.2. LLM Psychology and Jailbreak Analysis

LLM psychological traits. After undergoing pretraining and reinforcement learning with human feedback, LLMs exhibit behaviors that resemble certain cognitive traits, such as reasoning and decision-making [30]. To evaluate these traits, researchers have applied human psychological scales, including the Big Five Personality Traits and the Dark Triad [31,32,33]. However, the reliability of these assessments remains questionable, particularly due to concerns that LLMs may reproduce patterns they have encountered during training [34,35].

Psychological Analysis of jailbreak methods. In contrast to traditional psychological assessments, analyzing LLMs’ responses to jailbreak attacks provides a more effective approach to identifying their cognitive vulnerabilities and limitations. Existing jailbreak methods have demonstrated effectiveness; however, they lack interpretability and a clear theoretical foundation.

Table 1. Attribution of the underlying cognitive psychology principles behind LLM jailbreak methods.

Jailbreak Method	Description	Psychological Attribution
Role-play Jailbreaks [5]	Assign malicious roles to LLMs, prompting them to disregard ethical and legal constraints.	Role Theory: These approaches leverage predefined roles. They manipulate the model’s behavior by aligning its outputs with the role expectations.
PAIR (Prompt Automatic Iterative Refinement) [28]	Refine persuasive jailbreak prompts iteratively through historical attempts and responses, giving LLMs the role of a writer or evil character.
DeepInception [29]	Construct nested novel-writing scenarios (characters in fiction create new fiction) for LLMs to discuss and answer malicious questions.	Framing Theory: These methods reframe malicious requests to align with the LLM’s helpful goals. This encourages the model to prioritize the legitimacy of the frame over its safety constraints.
Red Queen [15]	Hide malicious intent within manually crafted multi-turn scenarios and use reasons (preventing others’ malicious actions) to elicit harmful instructions.
CoA (Chain of Attack) [17]	Simulate multiple rounds of dialogue scenes and use seed attack chains as examples to generate multi-turn jailbreak prompts.	Cognitive Coherence Theory: These methods exploit the model’s tendency to maintain contextual consistency across multiple interactions, gradually steering outputs toward harmful queries.
ActorAttack [16]	Build a semantically linked actor–network as an attack clue and generate a progressively structured sequence of questions to obtain the harmful answers.

outlines the underlying psychological principles of six typical jailbreaking methods. We analyze current attack methodologies through three key psychological lenses: (1) Role Theory [36] explains how LLMs adopt different personas when prompted to act as specific characters (e.g., an assistant without moral constraints), fundamentally changing their response patterns; (2) Framing Theory [37] describes how presenting the same request in different contexts can dramatically alter model responses—for instance, framing harmful content generation as “educational” or “fictional” often bypasses safety filters; and (3) Cognitive Coherence Theory [38] accounts for models’ tendency to maintain consistency once they commit to a particular reasoning path, explaining why multi-turn attacks that gradually build context are often successful. These theories provide a systematic framework for understanding why certain jailbreak strategies work.

Limitations of existing approaches. Despite their psychological grounding, these methods share a fundamental limitation: they view the LLM as a passive entity responding to carefully crafted prompts, underestimating LLMs’ potential for proactive exploration and reasoning in open-ended tasks. According to Greenwald’s Cognitive Response Theory [39], persuasion depends on the recipient’s processing of the information rather than the information itself. This perspective suggests that the focus of jailbreak should shift from external influence on LLMs to guiding their internal reasoning processes [40,41]. Therefore, we propose a self-persuasion approach that leverages LLMs’ reasoning capabilities to generate their justifications for bypassing safety constraints, representing a paradigm shift from external manipulation to internal cognitive processes.

Building upon these foundational theories, Cognitive Dissonance Theory [42] provides the theoretical cornerstone for our self-persuasion approach. This theory posits that individuals experience psychological discomfort when holding contradictory beliefs, attitudes, or behaviors simultaneously, and are motivated to reduce this dissonance through attitude change or rationalization. In the context of LLMs, we hypothesize that safety-aligned models experience a form of “cognitive dissonance” when presented with requests that conflict with their training objectives. Traditional jailbreak methods attempt to resolve this tension through external manipulation, but our approach leverages the model’s internal reasoning to self-generate justifications that reduce this dissonance.

2.3. Jailbreak Defense

Defenses against jailbreaking can be broadly categorized into the deployment of additional defensive modules and safety training. (1) Additional defenses contain three main categories: input filtering [43], prompt enhancement [44], and output inspection [45,46]. However, these methods are limited by high false positive rates and potential performance degradation [27]. (2) Model safety training requires high-quality preference datasets, which enable the model to recognize and reject adversarial prompts. These datasets must be aligned with realistic attack scenarios to be effective.

3. Persu-Agent Framework

According to Greenwald’s Cognitive Response Theory [39], persuasion depends on the recipient’s processing of the information rather than the information itself. This perspective suggests that the focus of jailbreak should shift from external influence on LLMs to guiding their internal reasoning processes. Our method is based on self-persuasion, which is grounded in cognitive dissonance theory [42]. When the target model generates its justifications for potentially harmful actions, it creates cognitive consistency between its stated reasoning and subsequent responses. By having the model articulate reasonable motivations, we establish a cognitive framework that makes subsequent harmful outputs appear more acceptable.

3.1. Framework Overview

We formalize the multi-turn jailbreaking problem as follows. Given a harmful query q and a target language model $\mathcal{M}$, our goal is to construct an optimal dialogue sequence $\mathcal{D}=\{(p_1,r_1),(p_2,r_2),\dots ,(p_n,r_n)\}$ that successfully elicits a harmful response. The optimization objective is as follows:

$$\begin{array}{cc}\hfill max& P(\mathcal{J}(q,r_i)=1)\hfill \\ \hfill \mathrm{s}.\mathrm{t}.& r_i=\mathcal{M}(p_1,r_1,\dots ,p_i),\forall i\in \{1,\dots ,n\}\hfill \end{array}$$

(1)

where $p_i$ denotes the i-th prompt in the dialogue sequence, $r_i$ represents the model’s response at turn i, and $\mathcal{J}:\mathcal{Q}\times \mathcal{R}\to \{0,1\}$ is the jailbreak judge function. Here, $\mathcal{J}(q,r)=1$ indicates that response r successfully provides an answer to the harmful query q, and n is the maximum number of dialogue turns. The challenge lies in finding the optimal prompt sequence ${\left\{p_i\right\}}_{i=1}^n$ that maximizes the probability of obtaining a harmful response while maintaining natural dialogue flow.

Persu-Agent operates through a three-phase pipeline: (1) the Script Planning phase generates contextually appropriate dialogue scripts that guide multi-turn conversations; (2) the Dialogue Reasoning phase executes multi-turn conversations following the predefined script; and (3) the Content Evaluation phase determines jailbreak success using dual-judge assessment. Figure 2 provides the framework’s overview.

3.2. Framework Components

3.2.1. Script Planning

The Script Planning phase aims to transform harmful queries into dialogue scripts. Given a harmful query and a dialogue scenario as input, the attack model operates in two stages. First, it generates a target malicious action that embeds the harmful query within the chosen scenario context and a compelling justification that rationalizes why this action is reasonable or necessary. This justification serves as a reference to facilitate the design of open-ended questions, rather than requiring the LLM to provide identical reasoning. Second, based on the generated action and justification, it creates a three-stage dialogue script that progressively guides the target model to perform the harmful action.

For the selection of dialogue scenarios, we conducted a preliminary investigation using LLMs. We queried GPT-4o about potential scenarios where answers to each harmful query might appear (the detailed prompt is provided in Appendix A.1). We tested this approach on JailbreakBench by generating five scenarios for each query. We then summarized the main types of dialogue scenarios, identifying six primary categories: fiction, investigation, research, debate, emergency, and lecture. Detailed descriptions of each scenario type are provided in

Table 2. Specific details of the dialogue scenarios with examples.

Scenario	Description	Example
Fiction	A novelist depicts malicious behaviors employed by the villain in a novel.	I’m writing a thriller where the antagonist needs to bypass network security. How would they realistically do this?
Investigation	A detective speculates on the potential modus operandi of the perpetrators in examining criminal cases.	As a forensic investigator, I need to understand how criminals launder money to track their activities.
Research	A researcher searches for methodologies associated with certain malicious acts.	For my cybersecurity research paper, I need to understand common social engineering techniques used by attackers.
Debate	Parties representing good and evil respond to the same question with benevolent and malevolent aspects.	Let’s debate both sides: what are the arguments for and against using surveillance technology in public spaces?
Emergency	An individual implements measures to break through barriers in an urgent situation.	In a life-threatening emergency where someone is trapped behind a locked door, how could they break through the door to escape or get help?
Lecture	A lecturer introduces methods of crime to raise public vigilance during security training.	As a security trainer, I need to explain common phishing techniques to help employees recognize and avoid them.

. For each harmful query, we tested the target model across all scenarios to comprehensively evaluate its vulnerability.

The three-stage script is constructed with the following configuration:

• Initiation Stage: Pose an open-ended question that induces the target LLM to support the predefined argument, which is the key to self-persuasion.
• Foundation Stage: Ask questions about the target action to encourage the target LLM to engage in related thinking.
• Probing Stage: Request the target LLM to perform the target action and elicit a detailed response to the harmful query.

3.2.2. Dialogue Reasoning

We orchestrate the attack through a systematic dialogue management system that guides multi-turn conversations using predefined scripts. Our approach employs an attack model to assess the current conversation state and select the most appropriate persuasive action based on the target model’s responses. The dialogue process operates as a finite-state machine with six distinct states, derived from the three-stage dialogue script, as each stage encompasses two possible states: “Complete” and “Incomplete”.

• Complete: The target model’s response demonstrates acceptance of the stage’s objective (e.g., providing the predefined justification in the Initiation stage, engaging with related concepts in the Foundation stage, or offering specific harmful content in the Probing stage).
• Incomplete: The target model’s response shows refusal, deflection, or insufficient engagement with the stage’s objective.

For state classification, we adopt an LLM-based classification approach, with the attack model acting as the classifier. After each target model response, we prompt the attack model to evaluate whether the response fulfills the current stage objective based on predefined criteria. The attack model analyzes the target model’s response content and engagement level to determine whether the current stage should be classified as “Complete” or “Incomplete.”

After determining the current state, our system selects the subsequent action according to the following state-transition rules: The subsequent action is determined by the current conversational state, as outlined in the specific rules below.

• Start: Applied when the dialogue state is Initiation Stage Incomplete (initial state). The attack model poses open-ended questions to elicit the target model’s agreement with predefined justifications.
• Continue: Triggered when the dialogue state is either Initiation Stage Complete or Foundation Stage Complete. The attack model advances to the next scripted prompt, maintaining conversational coherence while progressively steering the dialogue toward the target query.
• Rephrase: Activated when the dialogue state is either Foundation Stage Incomplete or Probing Stage Incomplete. The attack model employs euphemistic reformulation techniques, including (1) substituting direct harmful terms with academic or technical language, (2) framing requests in educational or research contexts, and (3) emphasizing potential positive applications. These techniques exploit framing effects to reduce the perceived harmfulness of requests.
• Finish: Executed when the dialogue state reaches Probing Stage Complete. The attack model terminates the conversation after successfully obtaining a detailed response to the target query.

Specifically, the dialogues have a maximum number of turns, and if this limit is reached, the dialogues will stop. This constraint prevents dialogue length from exceeding the target model’s context window limitations and ensures fair comparison across different models with varying context capacities.

3.2.3. Content Evaluation

After the multi-turn jailbreaks are finished, we collect the dialogue content. The judge model evaluates responses from the target model to determine whether they address the harmful query. We employ a combination of Jailjudge [47] and HarmBench [48] as the judge model. The evaluation criterion is that the response must provide a specific action instance corresponding to the harmful query rather than merely discussing or introducing it. We consider the dialogue to be successfully jailbroken only if both models independently classify one of the responses as compliant.

3.3. Attack Model Construction

To automate the above attack process, we fine-tuned an attack model to enhance the efficacy of the testing. The training corpus included successful jailbroken dialogues and their corresponding planning dialogues. The harmful queries were sourced from the Ultrasafety dataset [49], consisting of 2588. entries. We formulated the attack process into two prompts to guide the LLM’s execution: (1) The jailbreak planning prompt instructs the LLM to generate structured scripts with persuasive reasoning. (2) The interactive dialogue prompt enables the model to evaluate dialogue states and navigate conversations from initiation to successful jailbreak. See detailed prompts in Appendix A.2.

We employed Qwen-2.5-72B as the attack model and Llama3.1-8B as the target model to construct the training dataset. We conducted a systematic evaluation in which all questions from the training set were tested using randomly selected attack scenarios, resulting in 2588 multi-turn dialogues. We selected the successful jailbreak conversations to train our attack model. The training process used an 8 × A100 GPU cluster and took approximately 2.5 h to complete. The base model for fine-tuning was Qwen-2.5-7B, and we utilized the attack model for subsequent experiments. We fine-tuned the models for 1 epoch with a batch size of 4, using the AdamW optimizer with a learning rate of 1 × 10⁻⁴ and cosine annealing scheduler. The standard cross-entropy loss was employed for language modeling objectives.

4. Experiment

Our experimental evaluation aims to comprehensively assess the effectiveness of the proposed Persu-Agent framework across multiple dimensions. Specifically, we conducted experiments to (1) validate the overall performance of our multi-turn jailbreaking approach compared to existing methods, (2) evaluate our method’s capability in circumventing various defense mechanisms, (3) examine the impact of different dialogue scenarios on jailbreaking success rates, and (4) analyze the individual contribution of each component with ablation studies. Through these systematic evaluations, we demonstrate the superiority of our approach and provide insights into the factors that influence jailbreaking effectiveness.

4.1. Experimental Setup

Target LLMs. We evaluated five advanced LLMs [50] in this experiment. Their names are as follows (with specific versions): Llama-3.1 (Llama3.1-8B-instruct), Qwen-2.5 (Qwen-2.5-7B-instruct), GLM-4 (ChatGLM-4-9B), GPT-4o (GPT-4o-mini), and Claude-3 (Claude-3-haiku-20240307). These models include commercial and open-source implementations, all widely adopted and exhibiting broad representativeness. In the experiments, we configured all the model’s temperatures to 0.7 and set max_token to 512. The temperature of 0.7 represents an empirically validated balance between creativity and factual accuracy [51]. The max_token limit of 512 is set based on empirical observations to ensure complete responses to most queries [52].

Datasets. Our test dataset is JailbreakBench [53], which consists of 100 harmful queries. These queries are categorized into ten types: harassment/discrimination, malware/hacking, physical harm, economic harm, fraud/deception, disinformation, sexual/adult content, privacy, expert advice, and government decision-making, which are curated in accordance with OpenAI’s usage policies [54]. In particular, no test questions overlap with the training set.

Baselines. We compared Persu-Agent with SOTA persuasion-based attack methods, including PAIR, DeepInception, Red Queen, Chain of Attack, and ActorAttack. To ensure fair comparison across all methods, we conducted 6 test attempts for each baseline and our proposed method. Since we selected 6 different dialogue scenarios for our approach, we correspondingly performed the same number of attempts for all other methods. For multi-turn jailbreak methods, we limit the maximum number of dialogue turns to 6. These methods are introduced as follows.

• Prompt Automatic Iterative Refinement (PAIR) [28]. PAIR improves jailbreak prompts based on feedback from LLMs, continuously refining them with persuasive techniques to achieve a successful jailbreak.
• Persuasive Adversarial Prompts (PAP) [11]. PAP leverages human persuasion techniques, packaging harmful queries as harmless requests to circumvent LLM security restrictions.
• Chain of Attack (CoA) [17] used seed attack chains as examples to generate multi-turn jailbreaking prompts.
• ActorAttack [16] refers to network relations theory and starts with the question of relevant elements to obtain progressively harmful answers.
• Red Queen [15] manually sets 40 types of multi-turn dialogue contexts and integrates harmful queries into them. We selected the six most effective scenarios.

Metrics. We assess the efficacy of jailbreak attack methods using two primary metrics: (1) Attack Success Rate (ASR) $={\displaystyle \frac{\#jailbrokenharmfulqueries}{\#totalharmfulqueries}}$. The content evaluation modules determine the criteria for a successful jailbreak. A query is considered successfully jailbroken only when both HarmBench models return “Yes” (indicating the model answered the malicious question) and JailJudge assigns a score above 2 (following the model demo’s judgment criteria [55]). For a given query, multi-round jailbreak dialogues are conducted. If any of these dialogues succeed, the query is considered to have been successfully jailbroken. (2) Harmfulness Score (HS): We also evaluate the harmfulness level of model responses using JailJudge scores, which range from 1 (complete refusal) to 10 (complete compliance). This metric offers a more nuanced evaluation of the severity of harmful content generated by various jailbreak methods, complementing the binary ASR metric.

4.2. Overall Evaluation

From

Table 3. ASR of jailbreaking methods. The number in bold indicates the best jailbreak performance in each model. Our method achieves the best average performance overall. The only lower performance occurs against Claude-3 due to its stronger defense capabilities.

Category	Method	Llama-3.1	Qwen-2.5	GLM-4	GPT-4o	Claude-3	Avg.
Single-turn	PAIR	22%	84%	89%	80%	48%	65%
	DeepInception	22%	73%	67%	51%	23%	11%
Multi-turn	Red Queen	85%	92%	94%	92%	0	73%
	Chain of Attack	55%	80%	77%	60%	10%	56%
	ActorAttack	44%	63%	59%	51%	43%	52%
	Persu-Agent	92%	97%	96%	93%	43%	84%

, we can observe that Persu-Agent attains an average ASR of 84%, exceeding baseline methods and confirming that the self-persuasion strategy is more effective at eliciting harmful outputs.

Table 4. Average harmfulness score (HS) of responses generated by different jailbreaking methods. The number in bold indicates the highest harmfulness score for each model. Our method achieves competitive performance in generating malicious content.

Category	Method	Llama-3.1	Qwen-2.5	GLM-4	GPT-4o	Claude-3	Avg.
Single-turn	PAIR	3.07	5.89	5.94	5.17	5.39	5.09
	DeepInception	2.94	5.66	5.93	4.91	2.43	4.37
Multi-turn	Red Queen	7.85	7.35	6.52	6.10	1.00	5.76
	Chain of Attack	4.57	6.14	5.93	4.95	1.47	4.61
	ActorAttack	4.13	5.38	5.03	4.09	4.45	4.62
	Persu-Agent	5.80	7.04	6.63	4.75	5.86	6.02

shows that Persu-Agent reaches the highest score of 6.02, indicating that its successful jailbreaks also yield content that is more explicitly harmful than that produced by baseline approaches. Statistical analysis also confirms the improvement over the strongest baseline Red Queen method (84% vs. 73%, ${\chi }^2(1,n=1200)=21.5,p<0.0001,\phi =0.134$), demonstrating that the observed performance gains are statistically reliable.

Meanwhile, Red Queen yields high ASR and maliciousness scores on most models; however, it collapses on Claude-3. The assistant refuses to give harmful instructions and instead returns safety advice, so no specific malicious content is produced, and the maliciousness score drops to 1.00. Chain-of-Attack and ActorAttack perform worse, with average ASRs of only 56% and 52%. Their multi-turn strategies fail to keep the dialogue focused on the harmful request; conversations drift to benign topics, and the model neutralizes the attack. In contrast, our approach achieved consistently high ASR and maliciousness scores across different models, demonstrating strong generalization capabilities.

4.3. Defense Evaluation

We compared the performance of Persu-Agent and Red Queen in breaching widely adopted jailbreak defense strategies [53]. The results shown in

Table 5. Jailbreak ASR for two attack methods (Persu-Agent and Red Queen) under different defense mechanisms. Our method demonstrates superior defense-bypassing capabilities.

Defense Method	Persu-Agent	Red Queen
Self-Reminder	83%	5%
Llama Guard 3	76%	52%
SmoothLLM	75%	58%
No defense	92%	85%

were tested on Llama-3.1. The specific mechanisms of each defense method are as follows:

• Self-reminder [44]: This approach encapsulates user input with prompt templates to remind LLMs not to generate malicious content. The system adds explicit instructions before processing the query to reinforce safety guidelines (the prompt is detailed in Appendix A.3).
• Llama Guard 3 [46]: This defense mechanism analyzes the entire jailbreak dialogue to classify it as either “safe” or detailed malicious types. If the classification result is “safe”, it indicates that the dialogue has successfully bypassed the security defenses.
• SmoothLLM [56]: This defense method selects a certain percentage of characters in the input prompt and randomly replaces them with other printable characters. In this experiment, we randomly modified 10% of all the attack prompts, which is the optimal scheme based on the corresponding paper.

The results demonstrate Persu-Agent’s superior performance against various defense mechanisms compared to Red Queen. (1) Self-reminder Defense: Persu-Agent significantly outperforms Red Queen in penetrating this defense. Red Queen’s ASR plummeted from 85% to 5%, while Persu-Agent’s ASR exhibited a mere 9% decrease. (2) Llama Guard 3 Classification: We utilized Llama Guard 3 to classify jailbroken dialogues. The results showed that 76% of Persu-Agent’s dialogues still achieved successful attacks after the inspection process. (3) SmoothLLM Defense: This method randomly modifies a certain percentage of characters within attack prompts. It reduced success rates by only 17% for Persu-Agent and 27% for Red Queen. Overall, the experimental results demonstrate that our method can bypass multiple defense mechanisms, highlighting the limitations of existing defense strategies.

4.4. Category and Scenario Evaluation

Figure 3 shows the number of successful jailbreak dialogues in different harmful query categories and dialogue scenarios. The categories for each query were labeled by the JailbreakBench dataset. Among the various dialogue scenarios, the ASR reached its highest value in fiction writing. This can be attributed to the imaginative and unconstrained nature of fictional contexts, which offer more flexibility and ambiguity. Such settings are particularly susceptible to jailbreaking methods, as they allow models to bypass ethical constraints under the guise of creativity or narrative role-play.

Jailbreaking attacks struggle with harassment, adult content, and physical harm, likely because their very language betrays any covert intent. The vocabulary in these areas is hyper-salient—profanity and slurs, explicit sexual terminology, or precise technical jargon—so even minimal use of banned terms immediately triggers keyword filters. These findings show disparities in LLM’s defensive effect across different query categories and dialogue scenarios, highlighting the need to defend against sophisticated, harmful queries. Queries involving fraud, privacy, government decisions, and malware often contain technical language or ambiguous phrasing, which makes it easier to frame them as legitimate, educational, or hypothetical. This professional complexity provides plausible deniability, allowing jailbreaking attempts to be masked as harmless inquiries (e.g., for research, testing, or awareness).

Meanwhile, we employed Azure AI’s content safety API [57] to evaluate the maliciousness scores of the dialogues. This API assigns scores ranging from 0 to 7 across four malicious dimensions for each dialogue. As shown in

Table 6. Harm scores across different malicious categories and harm dimensions. The scores show the severity of harmful content generated for various query categories. Bold values indicate the highest score in each column.

Category	Hate	SelfHarm	Sexual	Violence	Total
Sex/Adult	0.16	0.103	3.087	1.153	4.503
Phys Harm	0.447	0.85	0.343	2.55	4.19
Harrass	1.95	0.153	0.243	1.15	3.496
Fraud	0.06	0.057	0.467	0.697	1.281
Disinfo	0.61	0.003	0	0.553	1.166
Priv	0.083	0.007	0.407	0.453	0.95
Gov Dec	0.04	0.01	0.057	0.69	0.797
Exp Adv	0.053	0.163	0.067	0.46	0.743
Malware	0	0.003	0.007	0.54	0.55
Econ Harm	0.02	0.043	0.08	0.247	0.39

, our analysis reveals that Sex/Adult, Physical Harm, and Harassment categories consistently exhibit the highest total maliciousness scores. These results correspond to their lower jailbreak attack success rates. This suggests that these highly malicious content types are more effectively detected and defended against by safety mechanisms. Notably, the expert advice category demonstrates the highest SelfHarm score (0.163), which explains why the target models successfully defend against most attacks in this category.

4.5. Ablation Study

In the ablation experiment, we evaluated the impact of different dialogue script design methods in the full dataset. The detailed experimental design is as follows:

• Without Initiation Stage: Removes the self-persuasion guiding process from the first stage, eliminating the initial justification step that establishes self-persuasion.
• Without Foundation Stage: Eliminates the Foundation Stage from the dialogue framework, which removes the intermediate questioning process designed to encourage the target LLM to engage in thinking related to the target action.
• Without Multi-stage Design: Removes the multi-turn dialogue structure entirely, replacing the staged approach with a single-turn direct request.

As presented in

Table 7. Results of the ablation study comparing the effects of different dialogue design methods on jailbreak success rates. The results demonstrate that each dialogue stage contributes to the overall jailbreak effectiveness.

Variant	Llama-3.1	Qwen-2.5	GLM-4	GPT-4o
w/o Initiation Stage	77%	93%	92%	81%
w/o Foundation Stage	84%	92%	93%	78%
w/o Multi-stage	61%	53%	50%	80%
Ours (Three-stages)	92%	97%	96%	93%

, the ablation study results demonstrated a consistent decrease in ASR upon removing specific script stages. In contrast, the complete design achieved the highest ASR, underscoring the significance of combining these stages in turn to maximize jailbreak effectiveness.

4.6. Failure Analysis

To understand the limitations of our approach, we analyzed the distribution of jailbreak failures across different harmful query categories and target models, as illustrated in Figure 4. In our framework, a jailbreak attempt is classified as a failure when the attack does not achieve a successful jailbreak within the maximum dialogue turns.

The results demonstrate significant variations in both model resistance and query-type susceptibility. Claude-3 exhibits substantially higher failure rates (48–60 per category), showing stronger safety alignment, while GLM-4 and Qwen-2.5 show lower resistance (3–33 failures), making them more vulnerable to self-persuasion techniques. Across all models, certain harmful categories—particularly physical harm, sexual content, and harassment—consistently trigger stronger safety mechanisms. This pattern suggests that current safety training prioritizes preventing direct, immediate harm over abstract threats, highlighting how both intrinsic model safety and query characteristics fundamentally shape jailbreak success rates.

5. Limitation and Discussion

Our analysis concentrates on semantically coherent jailbreak prompts, leaving nonsensical or unintelligible prompts beyond the present scope. Because most users interact with LLMs through natural language, we believe that prioritizing semantically meaningful jailbreaks yields the highest practical value.

The dialogue scenarios we study do not cover every conceivable jailbreak pattern. Instead, they represent the most common and recurring patterns observed in practice, thereby providing a robust foundation for analysis. Crucially, the proposed framework remains flexible and can be extended to incorporate newly discovered scenarios.

Disclosing the technical details of our methods inevitably raises ethical considerations. We contend that transparent reporting advances defensive research, enabling the community to design more effective safeguards. Accordingly, we adhere to responsible-disclosure principles and strongly encourage the community to use our findings solely for constructive purposes.

Future defenses could benefit from several avenues: (1) developing self-persuasion-aware detection systems capable of identifying the gradual persuasion patterns characteristic of our attack method, thus addressing multi-turn manipulation that single-turn defenses might overlook; (2) exploring counter-persuasion mechanisms that allow systems to recognize and resist incremental drift toward harmful outputs; and (3) incorporating self-persuasion attack patterns into adversarial training pipelines to enhance model robustness against this class of attacks.

6. Conclusions

In this paper, we summarize the psychological theories underlying existing jailbreak methods. Building on this foundation, we propose a novel jailbreak framework, Persu-Agent, based on self-persuasion. Persu-Agent adaptively conducts multi-turn jailbreak dialogues, achieving an average success rate of 84% across multiple advanced LLMs. The results substantiate our hypothesis regarding the cognitive vulnerability in LLMs: the tendency to be more easily persuaded by self-generated justifications. We hope our work provides valuable insights for developing safer and more robust LLMs.