As model capabilities increase, safety guardrails are increasingly deployed to prevent malicious actors from extracting harmful information. While some mechanisms, such as model-level refusals, provide a rich feedback signal to an attacker, black-box input-level filters typically expose only a binary outcome. Recent work, “Boundary Point Jailbreaking of Black-Box LLMs,” demonstrated a fully automated attack pipeline against input filters, but requires up to 160K harmful queries before succeeding. In this project, we propose to frame guardrail jailbreaking as an outcome-based knowledge distillation problem, where the attacker iteratively approximates the guardrail by fine-tuning an off-the-shelf LLM-based classifier on observed outcomes. The goal of the project is to reduce the total harmful query budget required to successfully jailbreak a guardrail under this setting, and to study how this budget empirically depends on the level of information exposure provided by the guardrail.