Existing white-box jailbreaking attacks rely on discrete adversarial suffixes, which are easily detectable and suffer from limited efficiency in compositional token spaces; meanwhile, directly optimizing prompt embeddings is often assumed to compromise semantic integrity. This work proposes Prompt Embedding Optimization (PEO), demonstrating for the first time that effective jailbreaking can be achieved through continuous embedding optimization without altering the visible form of the original prompt. PEO integrates a structured continuation objective, an adaptive failure-focused scheduling mechanism, and a composite response scaffolding heuristic, while employing nearest-neighbor token projection to preserve semantic consistency. Evaluated on two standard benchmarks for harmful behavior, PEO substantially outperforms existing white-box approaches, including discrete suffix search, adversarial embedding injection, and search-based generation techniques.

Existing white-box jailbreak attacks against aligned LLMs typically append discrete adversarial suffixes to the user prompt, which visibly alters the prompt and operates in a combinatorial token space. Prior work has avoided directly optimizing the embeddings of the original prompt tokens, presumably because perturbing them risks destroying the prompt's semantic content. We propose Prompt Embedding Optimization (PEO), a multi-round white-box jailbreak that directly optimizes the embeddings of the original prompt tokens without appending any adversarial tokens, and show that the concern is unfounded: the optimized embeddings remain close enough to their originals that the visible prompt string is preserved exactly after nearest-token projection, and quantitative analysis shows the model's responses stay on topic for the large majority of prompts. PEO combines continuous embedding-space optimization with structured continuation targets and an adaptive failure-focused schedule. Counterintuitively, later PEO rounds can benefit from heuristic composite response scaffolds that are not natural standalone templates, yet ASR-Judge shows that the resulting gains are not merely empty formatting or scaffold-only outputs. Across two standard harmful-behavior benchmarks and competing white-box attacks spanning discrete suffix search, appended adversarial embeddings, and search-based adversarial generation, PEO outperforms all of them in our experiments.