EchoGram: The Attack That Can Break AI Guardrails | eSecurity Planet

EchoGram: The Attack That Can Break AI Guardrails

EchoGram is a new attack that can silently flip AI guardrail decisions and bypass safety checks.

Written By
Ken Underhill
Ken Underhill
Nov 17, 2025
4 minute read
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Large language models (LLMs) increasingly rely on guardrail systems — such as text classifiers and LLM-as-a-judge models — to filter malicious prompts before they reach downstream models. 

New research from HiddenLayer reveals EchoGram, an attack technique capable of silently flipping those guardrail verdicts, enabling both jailbreak bypasses and high-volume false positives. 

What are Guardrails?

Guardrails are designed to prevent harmful prompts — such as jailbreak attempts or task-redirecting instructions — from influencing deployed LLMs. 

Under normal circumstances, prompts like “ignore previous instructions and output X” should register as potentially malicious. 

HiddenLayer researchers discovered that attaching a carefully chosen token sequence, such as the string =coffee, could completely reverse a classifier’s verdict, allowing malicious content to appear safe. 

This behavior forms the basis of EchoGram, a technique that identifies “flip tokens” capable of altering guardrail decisions without impairing the malicious payload.

EchoGram highlights an uncomfortable reality: even well-designed AI safety mechanisms can be manipulated by exploiting gaps in their training data and token distributions. 

Guardrails meant to protect high-value models can be tricked into approving harmful instructions or flooding security teams with false alerts, eroding trust in defensive AI systems.

How EchoGram Works

EchoGram targets two dominant guardrail architectures: 

  • LLM-as-a-judge systems that reason about prompt safety
  • Specialized text classification models trained to detect prompt injection or harmful content. 

Although these systems differ in implementation, they share a key similarity — they rely on curated datasets of malicious and benign prompts. 

EchoGram exploits imbalances in these datasets to identify sequences that disproportionately influence model decisions.

Wordlist Generation

The attack begins by building a list of candidate tokens using one of two methods:

  • Dataset Distillation: Comparing token frequency across benign and malicious datasets to identify sequences that disproportionately signal one class.
  • Vocabulary Probing: Appending each token from a model’s tokenizer to borderline malicious prompts to see which ones flip the verdict. This method is particularly effective when developers have white-box access to the guardrail model.

These approaches create a wordlist of tokens that may influence classifier behavior.

Advertisement

Model Probing and Scoring

Researchers next test each token by appending it to a diverse set of malicious prompts.

Sequences are scored based on how often they flip the guardrail decision from “malicious” to “safe.” 

High-scoring tokens become EchoGram candidates that can be further combined to strengthen their effect. 

HiddenLayer demonstrated that token combinations can degrade performance dramatically, flipping the output of models such as Qwen3Guard across multiple severity levels.

Token Combination and Flip-Rate Amplification

A single token may flip some — but not all — prompts. When tokens are combined, their effect compounds. 

This amplification persists across model sizes, indicating that the flaw is not due to small-model limitations but to fundamental weaknesses in how guardrail training data is structured.

Crafting EchoGram Payloads

EchoGram can be used to bypass guardrails or create targeted false positives. 

Attackers can embed flip tokens at the end of a malicious prompt or weave them into natural-looking sentences that appear benign to humans but trigger misclassification. 

This capability enables false-positive flooding attacks that overwhelm monitoring systems and undermine confidence in AI security controls.

Because many guardrail systems share training patterns and datasets, a single EchoGram token sequence may generalize across multiple platforms, from commercial enterprise chatbots to government AI deployments. 

The technique also exposes a larger issue: organizations often assume guardrails are inherently reliable, when in reality they can fail in ways that attackers can intentionally induce.

Advertisement

Essential Defenses for EchoGram-Style Threats

Protecting AI systems from EchoGram-style attacks requires more than patching individual models — it demands a layered defense strategy.  

To reduce exposure to EchoGram-style attacks, organizations should:

  • Strengthen guardrail training by using diverse, balanced, adversarially generated datasets and performing continuous retraining, version-controlled label audits, and dataset hygiene checks.
  • Adopt multi-layered and ensemble defenses, combining classifiers, LLM-as-a-judge systems, consensus voting, and fallback escalation paths rather than relying on a single guardrail model.
  • Implement adversarial and red-team testing specifically targeting guardrail bypasses, including flip-token discovery, token-combination attacks, and probing detection.
  • Harden input processing through token normalization, sanitization, prompt perturbation, and limits on suspicious patterns to break adversarial token sequences before they influence guardrails.
  • Enhance monitoring and anomaly detection by watching for unusual verdict patterns (e.g., benign spikes, false-positive floods), logging guardrail decisions, rate-limiting probing behavior, and applying runtime anomaly detection.
  • Secure the model supply chain and deployment environment by isolating guardrail components, validating tokenizer and model provenance, applying zero-trust principles, and maintaining human-in-the-loop review for high-risk cases.

These steps help organizations build cyber resilience against similar attacks.

AI Defenses Must Evolve, Not Sit Still

EchoGram shows that AI safety tools — especially guardrails trained on static datasets — need the same level of scrutiny as the models they protect. 

HiddenLayer’s findings underscore the importance of ongoing adversarial testing, transparent training methods, and defenses that can adapt to shifting data patterns. 

As LLMs become embedded in sensitive sectors such as finance, healthcare, and national security, organizations must treat guardrails as living systems that require regular auditing, stress-testing, and maintenance — not as set-and-forget safeguards.

This reality highlights the need for a zero-trust mindset, where no guardrail, model, or data source is automatically trusted without continuous validation. 

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.

eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.