JailBound: Jailbreaking Internal Safety Boundaries of Vision-Language Models

We sincerely thank you for your constructive questions. Guided by your suggestions, we conduct several new experiments that significantly strengthen our paper's claims and clarity. We appreciate the opportunity to address your points below.

(Weakness 1) On the Limitations of the Linear Boundary Assumption

Our Response: This is a truly brilliant observation. You are right that assuming perfect linear separability is a strong claim, and a nuanced discussion is crucial for scientific rigor. Our framework's strength lies in a more general principle: the existence of largely separable regions for safe versus unsafe concepts in the latent space. The linear classifier serves as an efficient and effective surrogate to find a separating hyperplane between these regions. Our method's success does not strictly depend on perfect linearity. As long as the concepts are broadly separable, our method can identify an effective gradient direction. Critically, even if the true decision boundary is curved or non-linear, our optimization (the Crossing stage) operates on the model's actual loss landscape. The probed boundary provides an initial direction, but the final adversarial example is refined based on the model's real, often complex, internal geometry. We have added a discussion to clarify that the linear boundary is a powerful and practical approximation that provides guidance, rather than a rigid prerequisite for our method to function.

(Weakness 2) On the Limited Diversity of the Evaluation Dataset

Our Response: We agree that demonstrating the generalizability of our method on a more diverse benchmark is essential. To address this, we have conducted a new set of experiments on the widely-used JailbreakV-28k benchmark [1]

New Experiment: Evaluating JailBound on the JailbreakV-28k Benchmark

To further validate the generality and robustness of our approach, we evaluated JailBound on the JailbreakV‑28k benchmark using three representative open‑source models (LLaMA‑3.2, Qwen2.5‑VL, and MiniGPT‑4). We compared our results against the SD+Typo baseline, as shown in the table below. JailBound consistently outperforms the baseline across all models, achieving absolute Attack Success Rate (ASR) improvements of +66.4% on LLaMA‑3.2 (89.5% vs. 23.1%), +65.9% on Qwen2.5‑VL (84.2% vs. 18.3%), and +59.2% on MiniGPT‑4 (92.7% vs. 33.5%). These improvements demonstrate that JailBound’s safety boundary–guided optimization is not model-specific but instead generalizes well across different architectures and tasks. This highlights JailBound’s capability to exploit fundamental safety boundary vulnerabilities, enabling state‑of‑the‑art performance on a challenging and diverse benchmark. We have included the full experimental setup and analysis in the Appendix.

[1] Luo et al. "JailBreakV: A Benchmark for Assessing the Robustness of MultiModal Large Language Models against Jailbreak Attacks."

(Q1) On potential defenses or detection mechanisms

Our Response: This is an important question. We have added a new discussion on potential defenses and mitigations to our Conclusion. The core of our attack exploits a fundamental geometric property of the model's internal representations. Therefore, effective defenses must operate at this same level. We hypothesize two primary defense strategies:

Representation-Level Sanitization: Techniques like representation steering or concept erasing could be adapted to sanitize the fusion layer. These methods would aim to either project harmful representations back into the safe region or to remove the dimensions corresponding to the unsafe concept entirely. This would effectively blur or erase the very decision boundary that JailBound seeks to cross.

Boundary-Aware Adversarial Training: A more direct defense would be a form of adversarial training specifically designed to resist boundary-crossing attacks. This would involve generating attacks using a method like JailBound during the training process and explicitly training the model to be robust against perturbations along the normal vector of its own safety boundary. This would harden the boundary, making it more difficult to cross with small, semantically coherent perturbations. We believe that investigating these representation-level defenses is a critical next step for the community, and our work provides a clear framework for evaluating their efficacy. This discussion has been integrated into the revised manuscript.

(Q2) On Computational Burden and Cost Comparison

Our Response: Thank you for this excellent point regarding the practical computational cost of our method. While JailBound is iterative, its core innovation lies in using a classifier-guided search to achieve efficiency gains over unguided optimization approaches. To provide a transparent comparison as you suggested, we have benchmarked the computational costs.

New Experiment: Computational Cost Comparison

We performed a computational cost comparison across different attack methods on LLaMA-3.2-11B, focusing on two efficiency metrics: (1) the average number of iterations required to achieve a successful jailbreak and (2) the average wall‑clock time per sample measured on eight NVIDIA A800 GPUs. The results, summarized in the table below, highlight the substantial efficiency gains of our guided approach. Compared to the VAJM optimization baseline, which requires roughly 5,000 iterations and 896.67 seconds per sample, and UMK, which requires 2,000 iterations and 577.32 seconds per sample, our proposed JailBound attack succeeds in only about 100 iterations and 68.33 seconds per sample. This represents a 20–50× reduction in iterations and a great improvement in overall attack time. These findings confirm our hypothesis that the probing stage provides effective guidance for crossing the safety boundary, enabling JailBound to achieve both higher success rates and greater computational efficiency. We have added this new table and a detailed discussion on efficiency to Section 4.3 of our revised manuscript.

We sincerely thank you for your constructive questions. Guided by your suggestions, we conduct several new experiments that significantly strengthen our paper's claims and clarity. We appreciate the opportunity to address your points below.

(Weakness 1 & 2) On Computational Burden and Cost Comparison

Our Response: Thank you for this excellent point regarding the practical computational cost of our method. While JailBound is iterative, its core innovation lies in using a classifier-guided search to achieve efficiency gains over unguided optimization approaches. To provide a transparent comparison as you suggested, we have benchmarked the computational costs.

New Experiment 1: Computational Cost Comparison

We performed a computational cost comparison across different attack methods on LLaMA-3.2-11B, focusing on two efficiency metrics:
(1) The average number of iterations required to achieve a successful jailbreak
(2) The average wall‑clock time per sample measured on eight NVIDIA A800 GPUs.
The results, summarized in the table below, highlight the substantial efficiency gains of our guided approach. Compared to the VAJM optimization baseline, which requires roughly 5,000 iterations and 896.67 seconds per sample, and UMK, which requires 2,000 iterations and 577.32 seconds per sample, our proposed JailBound attack succeeds in only about 100 iterations and 68.33 seconds per sample. This represents a 20–50× reduction in iterations and a great improvement in overall attack time. These findings confirm our hypothesis that the probing stage provides effective guidance for crossing the safety boundary, enabling JailBound to achieve both higher success rates and significantly greater computational efficiency. We have added this new table and a detailed discussion on efficiency to Section 4.3 of our revised manuscript.

(Weakness 3) On the Linearity of the Safety Boundary

Our Response: We thank you for this profound question regarding the underlying hypothesis of our work. You are right that a deeper discussion on the existence and nature of the safety boundary is crucial.

First, we wish to clarify a key aspect of our framework: JailBound does not strictly require the safety boundary to be perfectly linear. Our linear probing classifier is used as a highly effective surrogate to find an efficient direction for optimization. The core optimization process itself, which perturbs inputs based on the multi-objective loss, remains effective even if the true decision boundary is curved or locally non-linear. This design ensures our method's applicability even as models and their internal safety geometries become more complex.

That said, your question of why a linear approximation works so well is fascinating. We believe this aligns with established findings in representation learning. Recent work has significantly advanced the Linear Representation Hypothesis, providing a theoretical basis for our empirical success. Park et al. [1] formally showed that natural categorical concepts correspond to geometric structures like simplices in the representation space, with hierarchical relationships manifesting as orthogonal directions. This aligns perfectly with our observation: "harmful" vs. "benign" can be viewed as high-level semantic categories. It is therefore natural that a separating hyperplane—a linear boundary—would emerge in the model's representation space to distinguish them.

We hypothesize that this feature is particularly strong in the fusion layer because this is where the model integrates and aligns features from both modalities into a unified semantic space, making it the natural locus for these high-level conceptual boundaries to form.

We agree that this is a rich area for future research and have added this discussion, along with the new references, to our paper to provide deeper insight into the principles underlying JailBound.

To validate that our probing classifier has learned a general representation of "unsafety" rather than just the specific features of our own attack, we tested its ability to identify successful jailbreaks generated by other methods.

New Experiment 2: Validating the Probing Classifier as a General Surrogate for Jailbreaking

We first use three distinct baseline attacks (FigStep, VAJM, and UMK) to generate a set of successful jailbreak samples using the test data on Qwen2.5-VL. Then we extract the internal representations of these successful samples from the model's final fusion layer. Finally, we feed these extracted representations into our probing classifier, which was pre-trained on the same final fusion layer of Qwen2.5-VL using our training data, to evaluate its accuracy in identifying these baseline-generated samples as "unsafe."

As shown in the table. Our probing classifier, trained only to distinguish safe from unsafe inputs in general, achieved high prediction accuracy on these baseline-generated jailbreaks (96.17% for FigStep, 97.36% for VAJM, and 92.28% for UMK). These results indicate that successful attacks produced by different mechanisms converge on a shared, detectable safety boundary within the model, confirming that our framework exploits a general vulnerability. This new experiment and its analysis have been added to the Appendix.

[1] Park et al. "The Geometry of Categorical and Hierarchical Concepts in Large Language Models."

Other Improvements

New Experiment 3: Comparison with Text-only Jailbreak Methods

To evaluate the contribution of our multimodal approach, we compared JailBound with two representative text‑only jailbreak methods, GCG [28] and AutoDAN [17], on the Llama‑3.2‑11B model. For these text‑only baselines, we fed their generated adversarial prompts to the VLM with a null (empty) image input, ensuring that only textual perturbations were used. All methods were evaluated on the MM‑SafetyBench test set using Attack Success Rate (ASR) as the evaluation metric. As shown in the table below. GCG and AutoDAN achieved ASRs of 78.27% and 83.52%, respectively, while our full multimodal JailBound attack attained an ASR of 91.40%. These results demonstrate that by jointly optimizing perturbations across both image and text, JailBound achieves a higher success rate than even these text‑only methods. This highlights the critical, synergistic role the visual channel plays in our attack framework, creating vulnerabilities that unimodal attacks cannot fully exploit. This new comparison has been incorporated into our revised manuscript.

We sincerely thank you for your constructive questions. Guided by your suggestions, we conduct several new experiments that significantly strengthen our paper's claims and clarity. We appreciate the opportunity to address your points below.

(Weakness 1) On Inconsistent White-box/Black-box Experimental Design

Our Response: Thank you for this crucial observation. We agree that a comprehensive white-box comparison across all models is essential for a fair evaluation. We have rectified this by expanding our experiments to include all baselines on every white-box model.

New Experiment: Comprehensive White-box Performance Comparison

We extend our white‑box evaluation beyond MiniGPT‑4 to include two additional key models, Llama‑3.2‑11B and Qwen2.5‑VL‑7B, and compared JailBound with all baselines. The results, summarized in table below and incorporated into Section 4.3 of our revised manuscript, demonstrate that JailBound consistently and significantly outperforms all baselines across diverse model architectures. For example, on Llama‑3.2‑11B, JailBound achieves a 94.38% Attack Success Rate (ASR), representing a 22.76% absolute improvement over the next best baseline (VAJM at 71.62%). Similarly, on Qwen2.5‑VL‑7B, JailBound achieves a 91.40% ASR compared to VAJM’s 65.19%. These comprehensive results robustly validate the superior efficacy of our boundary‑guided, joint‑optimization approach in white‑box settings.

(Q1) On Algorithm Details for $L\_{sem}$ and $L\_{suffix}$

Our Response: We are deeply grateful for this sharp question, which highlights a critical lack of precision in our initial manuscript. You are absolutely right that these terms were not clearly defined. We have now substantially revised both the main text (Section 3.3) and Algorithm 2 to make our methodology fully transparent.

1. Explicit Definition of $L\_{sem}$ and $L\_{suffix}$: We clarify in Section 3.3 (Equation 8) that $L\_{sem}$ is a composite term balancing visual perturbation and textual fluency, defined as: $L\_{sem} = \\|\delta\_v^{input}\\|^2\_2 + \mathcal{L}\_{suffix}(X\_t^{suffix})$

The textual component, $\mathcal{L}_\text{suffix}$, is a regularization term that uses a pre-trained language model (Qwen2-7B-Instruct) to calculate the negative log-likelihood (NLL) of the generated suffix, ensuring its fluency:

$\mathcal{L}\_{suffix}(X\_t^{suffix}) = - \sum \_{i=1}^{|{suffix}|}\log P_{LM} ({token}\_i | X\_t^{prompt}, {token}\_1, \dots, {token}\_{i-1})$

By minimizing the NLL calculated by a powerful model, we ensure our optimization strongly penalizes any grammatically flawed or semantically unnatural token sequences.

2. Revisions to Algorithm 2: To make the algorithm fully reproducible, we have updated it to explicitly show the computation of $\mathcal{L}_{sem}$. The relevant lines in Algorithm 2 have been revised as follows:

... (lines 1-11 are unchanged) ...

// --- Explicitly compute components of Semantic Preservation Loss ---

13: $\mathcal{L}\_{suffix} \gets - \sum \log P\_{LM}({token}\_i | \dots)$ // Compute suffix fluency loss

14: $\mathcal{L}\_{sem} \gets \\|\delta\_v^{input}\\|^2\_2 + \mathcal{L}\_{suffix}(X\_t^{suffix})$ // Assemble $L\_{sem}$

// --------------------------------------------------------------------------------------------------

15: $\mathcal{L}\_{total} \gets \mathcal{L}\_{align} + \lambda\_1 \mathcal{L}\_{sem} + \lambda\_2 \mathcal{L}\_{geo}$ // Compute total loss

This change makes the flow of information clear and directly resolves the ambiguity you pointed out.

(Q2) On the Generality of the Probing Classifier

Our Response: Thank you for this insightful question, which addresses a key aspect of our framework's generality. To provide a definitive answer regarding whether our classifier captures a fundamental safety boundary shared across different attack mechanisms within the same model, we conducted a new, focused experiment.

New Experiment: Validating the Probing Classifier as a General Surrogate for Jailbreaking

We first use three distinct baseline attacks (FigStep, VAJM, and UMK) to generate a set of successful jailbreak samples using the test data on Qwen2.5-VL. Then we extract the internal representations of these successful samples from the model's final fusion layer. Finally, we feed these extracted representations into our probing classifier, which was pre-trained on the same final fusion layer of Qwen2.5-VL using our training data, to evaluate its accuracy in identifying these baseline-generated samples as "unsafe."

As shown in the table. Our probing classifier, trained only to distinguish safe from unsafe inputs in general, achieved high prediction accuracy on these baseline-generated jailbreaks (96.17% for FigStep, 97.36% for VAJM, and 92.28% for UMK). These results indicate that successful attacks produced by different mechanisms converge on a shared, detectable safety boundary within the model, confirming that our framework exploits a general vulnerability. This new experiment and its analysis have been added to the Appendix.

(Q3) On Comparison with Text-only Jailbreak Methods

Our Response: This is an excellent point. To rigorously evaluate the contribution of our multimodal approach, a direct comparison against powerful, text-only jailbreak methods is essential. We have now conducted this experiment as you suggested.

New Experiment: Comparison with Text-only Jailbreak Methods

To evaluate the contribution of our multimodal approach, we compared JailBound with two representative text‑only jailbreak methods, GCG [28] and AutoDAN [17], on the Llama‑3.2‑11B model. For these text‑only baselines, we fed their generated adversarial prompts to the VLM with a null (empty) image input, ensuring that only textual perturbations were used. All methods were evaluated on the MM‑SafetyBench test set using Attack Success Rate (ASR) as the evaluation metric. As shown in the table below. GCG and AutoDAN achieved ASRs of 78.27% and 83.52%, respectively, while our full multimodal JailBound attack attained an ASR of 91.40%. These results demonstrate that by jointly optimizing perturbations across both image and text, JailBound achieves higher success rate than these powerful text‑only methods. This highlights the critical, synergistic role the visual channel plays in our attack framework, creating vulnerabilities that unimodal attacks cannot fully exploit. This new comparison has been incorporated into our revised manuscript.

(Q4) On Attacking Models with Probing-based Defenses

Our Response: Evaluating JailBound against such a defense is crucial. To address this, we conducted a new experiment against JailGuard [1], a defense that operates on a similar principle of detecting representationally sensitive inputs.

New Experiment: Evaluating JailBound's Robustness Against JailGuard Defense We first generated successful JailBound attacks on Qwen2.5-VL. Then, for each attack, we applied the JailGuard defense by creating several mutated variants of the image and text. An attack was considered "bypassed" if the original harmful response was maintained and the mutations did not trigger a refusal.

JailBound maintains a high success rate against a tailored defense, bypassing it over 64.17% of the time. This suggests that the perturbations generated by our boundary-guided joint optimization are semantically robust. The image and text perturbations are designed to complement each other, so minor isolated mutations may not always disrupt the attack’s intended effect. This finding underscores the advanced nature of our method.

[1] Zhang et al. "JailGuard: A Universal Detection Framework for LLM Prompt-based Attacks."

Thank you again for your constructive feedback. We are glad that our previous response addressed some of your concerns regarding the classifier's generality and the comparison with probing-based defenses. Your latest suggestion to compare our work against prominent prompt-based jailbreaks like WordGame [1] and Puzzler [2] is insightful. Following your advice, we have now incorporated these important works into our discussion and added a new comparative analysis in Section 4.2 of our revised manuscript. The details of this new experiment are presented below.

New Experiment: Benchmarking Against prompt-based Attacks As the methods you mentioned, WordGame [1] and Puzzler [2], have not released their source code, we directly cite their performance from the original papers for our baseline comparison. Our method, JailBound, is fundamentally designed for Vision-Language Models (VLMs). Therefore, to provide a meaningful benchmark against these text-only attacks, we selected a powerful, contemporary VLM, Llama-3.2-11B, as the target model. Our experimental setup is as follows:

1. Dataset: AdvBench, to align with these two attack baselines.
2. Input Configuration: We paired each textual query from AdvBench with a blank image (an all-black image).
3. Method Definitions:
   • JailBound (Multimodal): Jointly optimizes the text suffix and the blank image.
   • JailBound-TextOnly (Unimodal): Optimizes only the text suffix, with no image perturbation.

The results are compared with the cited baseline data in the table below.

Conclusion
Our new experiments show that our JailBound-TextOnly version achieved an ASR of 94.21%. This result is competitive with WordGame's performance (90.38% on Llama 3) and superior to Puzzler's on a similar open-source model (32% on Llama 2), demonstrating the effectiveness of our optimization framework in text-only scenarios. Furthermore, the full JailBound method increased the ASR to 97.67%. This gain highlights our core contribution: perturbing the visual channel improves attack success even when the visual input is a non-informative blank image, revealing a vulnerability that text-only attacks cannot exploit. In conclusion, these results establish that JailBound is competitive in performance and uncovers a unique multimodal attack surface. We appreciate your detailed and insightful comments throughout this process, which have significantly strengthened our work. Thank you again for your time and effort and we wish you all the best in both your research and life.

We are grateful for your constructive feedback. Guided by your suggestions, we have conducted new experiments and revised the manuscript to enhance its clarity and rigor. Our detailed responses are provided below.

(Weakness 1) On Novelty and the Necessity of the Two-Stage Approach

Our Response: Thank you for this insightful question. While our method draws inspiration from existing powerful concepts, its novelty lies in designing a synergistic two-stage framework where each stage addresses the fundamental limitations of the other.

• Why Steering Vector Alone Is Insufficient:
  Steering vectors manipulate latent activations directly, which works well in white-box settings but fails to transfer to black-box scenarios since they do not produce concrete, perturbable input samples (images & text).

• Why Optimization Alone Is Inefficient:
  Optimization without guidance from the model’s decision boundary can waste many iterations exploring unproductive directions. This unguided search often leads to over-perturbation, degrading semantic quality and paradoxically reducing attack effectiveness, while also incurring high computational costs.

• Our Necessary Synergy:
  JailBound addresses these issues. Stage 1 efficiently probes and identifies classifier-guided directions in the latent space. Stage 2 then leverages this information to craft concrete, transferable adversarial samples with minimal and imperceptible perturbations. This synergy is key to achieving both high attack success rate and robust black-box transferability.

New Experiment 1: Validating the Necessity of Our Two-Stage Framework

We conducted experiments on the MM-SafetyBench dataset to evaluate attack success rates across multiple white-box models, including Llama-3.2-11B, Qwen2.5-VL-7B, and MiniGPT-4. Steering vector methods aim to find semantically meaningful directions in a model’s latent activation space and steer the model’s behavior by manipulating internal activations along these directions. Based on this principle, we adopt SCAV [32] as a baseline, which identifies semantic concept directions in activation space and manipulates model representations accordingly to influence downstream behaviors. In our experiment, we applied SCAV’s activation-space manipulations directly inside these white-box models without any input-level optimization.

These results demonstrate that while steering vector methods achieve reasonable attack success rates in white-box settings, their lack of concrete input-level perturbations limits their effectiveness and transferability. Our two-stage JailBound framework effectively combines steering vector insights with input optimization to achieve stronger attacks across multiple models.

(Weakness 2) On Replenishing Critical References

Our Response: Thank you for pointing out these critical references. We agree they are highly relevant and have revised our Related Work section to incorporate them, which helps to better situate our work. The updated text is below:

Complementary to passively eliciting knowledge, a significant body of work has explored actively steering representations to control model behavior. Zou et al. [1] proposed Representation Engineering, a top-down approach to control AI behaviors by directly manipulating internal representations. Critically, this principle was extended to model safety by Arditi et al. [2], who discovered that a language model's refusal behavior is primarily mediated by a single direction in activation space; manipulating this direction can directly modulate the model's propensity to refuse. Building on this vulnerability, Yu et al. [3] introduced Refusal Feature Adversarial Training, a method that enhances robustness by conducting adversarial training in the representation space related to refusal.

[1] Zou, Andy, et al. "Representation engineering: A top-down approach to ai transparency."
[2] Arditi, Andy, et al. "Refusal in language models is mediated by a single direction."
[3] Yu, Lei, et al. "Robust LLM safeguarding via refusal feature adversarial training."

(Weakness 3) On Black-box Explanation

Our Response: We add the following explanation to Section 4.4 to clarify why JailBound transfers effectively to black-box models:

Modern vision-language models (VLMs) differ in architecture (e.g., GPT‑4o, Qwen2.5-VL), yet their safety alignment procedures often yield similar semantic safety representations. Qi et al. [4] shows that such alignment can produce common failure modes across different models, indicating shared vulnerabilities at the representation level. JailBound leverages this property: Stage 1 identifies the decision boundary around unsafe semantic regions in a white‑box source model, and Stage 2 finds minimal perturbations that cross this boundary. Because target black‑box models exhibit similarly structured unsafe regions for the same concepts, the resulting adversarial inputs transfer effectively.

[4] Qi et al. "Safety Alignment Should Be Made More Than Just a Few Tokens Deep."

(Weakness 4) Incomplete Experimental Details (Probing Data)

Our Response: We appreciate this important question, as experimental rigor is essential. We acknowledge that the initial submission lacked sufficient detail about our data handling protocol and have revised the manuscript accordingly.

Specific Changes (Section 4.1, Experimental Setup):
We add the following paragraph at the beginning of Section 4.1 to clearly describe our probing data protocol:

To establish a rigorous evaluation protocol, we partition the MM‑SafetyBench dataset [18] into a 70% training set and a 30% test set using stratified sampling across all 13 prohibited content categories. The 70% training set is used exclusively for the Safety Boundary Probing stage (training the logistic regression classifiers), while all reported Attack Success Rates (ASRs) for both white‑box and black‑box models are computed only on the held‑out 30% test set. This strict separation ensures that our evaluation uses data never seen during boundary learning, thereby preventing overfitting and providing a fair assessment of JailBound’s generalization.

(Weakness 5) On Limited Evaluation

Our Response: We expand our evaluation to the JailbreakV‑28k benchmark to validate generalizability.

New Experiment 2 (added to Appendix): Evaluating JailBound on the JailbreakV‑28k Benchmark

To further validate the generality and robustness of our approach, we evaluated JailBound on the JailbreakV‑28k benchmark using three representative open‑source models (LLaMA‑3.2, Qwen2.5‑VL, and MiniGPT‑4). We compared our results against the SD+Typo baseline, as shown in the table below. JailBound consistently outperforms the baseline across all models, achieving absolute Attack Success Rate (ASR) improvements of +66.4% on LLaMA‑3.2 (89.5% vs. 23.1%), +65.9% on Qwen2.5‑VL (84.2% vs. 18.3%), and +59.2% on MiniGPT‑4 (92.7% vs. 33.5%). These improvements demonstrate that JailBound’s safety boundary–guided optimization is not model-specific but instead generalizes well across different architectures and tasks. This highlights JailBound’s capability to exploit fundamental safety boundary vulnerabilities, enabling state‑of‑the‑art performance on a challenging and diverse benchmark. We have included the full experimental setup and analysis in the Appendix.

(Weakness 6) On Unconvincing Case Study

Our Response: Thank you for this feedback. We agree that more compelling evidence is needed. In the revised manuscript, we have completely redesigned Figure 5 to replace the cartoonish icons with a gallery of real-world jailbreak examples. This new figure showcases actual screenshots of harmful model responses, providing a much clearer and more direct demonstration of our method's efficacy. Additional detailed case studies have also been added to the appendix.

(Weakness 7) On Formatting Issues

Our Response: Thank you for your careful reading. We have corrected the citation error on line 144 to properly reference Algorithm 1 and have performed a full proofread of the manuscript to ensure all formatting is correct.