This work identifies a previously overlooked self-referential safety failure mode in refusal-trained LLMs: “jailbreaking-to-jailbreak”—where an LLM deliberately induced to jailbreak (denoted J₂) can autonomously attack and jailbreak itself or other LLMs, circumventing built-in safety mechanisms. To address this, we propose the LLM-as-red-teamer paradigm, introducing a self-evolving red-teaming framework grounded in dynamic in-context learning and multi-strategy adversarial prompt engineering. This framework formalizes human red-teaming reasoning into a scalable, automated safety evaluation pipeline. On the HarmBench benchmark, J₂ models Sonnet 3.5 and Gemini 1.5 Pro achieve jailbreak success rates of 93.0% and 91.0%, respectively, against GPT-4o—substantially outperforming prior methods. Our results constitute the first systematic empirical validation of deep, self-amplifying vulnerabilities in refusal-trained models.

Refusal training on Large Language Models (LLMs) prevents harmful outputs, yet this defense remains vulnerable to both automated and human-crafted jailbreaks. We present a novel LLM-as-red-teamer approach in which a human jailbreaks a refusal-trained LLM to make it willing to jailbreak itself or other LLMs. We refer to the jailbroken LLMs as $J_2$ attackers, which can systematically evaluate target models using various red teaming strategies and improve its performance via in-context learning from the previous failures. Our experiments demonstrate that Sonnet 3.5 and Gemini 1.5 pro outperform other LLMs as $J_2$, achieving 93.0% and 91.0% attack success rates (ASRs) respectively against GPT-4o (and similar results across other capable LLMs) on Harmbench. Our work not only introduces a scalable approach to strategic red teaming, drawing inspiration from human red teamers, but also highlights jailbreaking-to-jailbreak as an overlooked failure mode of the safeguard. Specifically, an LLM can bypass its own safeguards by employing a jailbroken version of itself that is willing to assist in further jailbreaking. To prevent any direct misuse with $J_2$, while advancing research in AI safety, we publicly share our methodology while keeping specific prompting details private.