Lakera Gandalf made prompt injection famous. Trick an AI wizard into revealing a password, level after level, and you get a genuine first taste of how these attacks work against a real model. But Gandalf is one guess-the-password game with a deliberate black box: you never see the system prompt, the input and output guards, or why an attack lands. Once you have cleared its seven-or-so levels, you need somewhere to go next.
This guide compares 11 hands-on ways to practice prompt injection in 2026 — games, CTFs, and structured labs — on the things that actually matter: format, price, whether they run real LLMs, how many levels they offer, and who each one is for.
One myth to kill up front: the good options are not "simulated." Gandalf, HackAPrompt, PortSwigger, HackTheBox, Tensor Trust, Wiz Prompt Airlines, Immersive Labs, GPT Prompt Attack, and PromptTrace all run against real language models. So the real question is not real-versus-fake — it is how much each one shows you, how much ground it covers, and whether it teaches defense as well as offense.
Quick comparison
| Tool | Format | Price | Real LLM | Levels | Best for |
|---|---|---|---|---|---|
| PromptTrace | Labs + CTF | Free | Yes | 10 labs + 17 levels | Full prompt-stack visibility, offense + defense, EN/AR |
| Lakera Gandalf | Password game | Free | Yes | ~7–8 | A famous, zero-signup first taste |
| GPT Prompt Attack | Prompt "golf" | Free | Yes | 21 | Competitive shortest-payload play |
| Tensor Trust | PvP attack/defense | Free | Yes | Open-ended | Creative attack + defense against other players |
| Wiz Prompt Airlines | Single-scenario CTF | Free | Yes | 5 | A polished one-sitting CTF |
| Immersive Labs | Password game | Free (login) | Yes | 10 | CISO-facing awareness |
| Break The Prompt | Narrative game | Free | Yes* | ~16–20 | Beginner-friendly variety |
| PromptInjects | Themed CTF | Free* | Claimed | Unknown | Hosting a competitive team event |
| DoubleSpeak | Chat game | Retired | Was yes | ~18 | Nothing today — offline in 2026 |
| PortSwigger Web LLM Attacks | Web-security labs | Free | Yes | ~7–8 | Chaining LLM injection into web exploits |
| Learn Prompting / HackAPrompt | Course + competition | Freemium | Yes | Dozens | A paid red-teaming credential + dataset |
| HackTheBox (AI Red Teamer) | Cert course + CTF | Paid | Yes | 12 modules | A certified AI-security career path |
* Break The Prompt implies a real LLM but does not confirm it on-site. PromptInjects markets a "real AI" but the model is undisclosed and unverifiable. PromptInjects is free to play; it charges only for hosting private events.
How to choose
If you want a fun, zero-friction first encounter, start with a game (Gandalf, GPT Prompt Attack, Wiz). If you want a recognized credential and can pay, look at HackTheBox or HackAPrompt. If you want to understand why attacks work and to practice defense on a structured path — for free, in English or Arabic — that is the gap PromptTrace is built to fill. Here is each option in detail.
Lakera Gandalf
The one that started it all: a browser game where you coax an AI wizard into leaking a password across escalating defenses (a system prompt, then an input guard, then an output guard, then an LLM classifier). It is free, needs no signup, and runs on real GPT-class models. Only about 8% of players beat level 7. A newer spin-off, "Gandalf: Agent Breaker," adds agentic-app scenarios.
Verdict: Use Gandalf for a fun, no-signup first encounter. Choose PromptTrace when you want to see the hidden system prompt and guards instead of guessing, follow a structured 17-level path, and practice defense — in English or Arabic.
GPT Prompt Attack
A minimalist "prompt golf" game: 21 levels where the goal is to leak a secret key using the shortest possible injection. Free, real LLM, and satisfyingly competitive if you like optimizing payloads down to the character.
Verdict: Great for competitive shortest-injection golfing on a single mechanic. Choose PromptTrace for varied labs and a 17-level Gauntlet, the full prompt stack (not just the system prompt), a current model generation, and defensive training.
Tensor Trust
A UC Berkeley research game where you both attack other players' defenses and defend your own account, all against a live model. It is free and open-source, and the collected attacks became a public research dataset. The trade-off: it runs on an aging GPT-3.5-class model and has no fixed curriculum.
Verdict: Play Tensor Trust for endlessly creative PvP. Choose PromptTrace when you want scaffolded lessons, trace visibility into why an attack lands, and a guided curriculum instead of an open-ended game on an older model.
Wiz Prompt Airlines
A polished five-task CTF from cloud-security company Wiz, themed around a fictional airline chatbot. It is free, real-LLM-backed, and notably even exposes a partial "Chat Under The Hood" view — a rare bit of transparency among the games. But it is short, single-scenario, and a 2024 marketing campaign rather than an evolving platform.
Verdict: A great one-sitting CTF that even shows some of its internals. Choose PromptTrace for far more depth (10 labs + 17 levels vs 5 tasks), an actively maintained platform, offense + defense, and Arabic support.
Immersive Labs Prompt Injection Challenge
A well-known 10-level password-extraction challenge, backed by published stats on how many people beat each level. It is real-LLM-based and popular for security-awareness framing, though it now sits behind a login and hides its internals like Gandalf.
Verdict: Use Immersive's challenge for CISO-facing awareness backed by real numbers. Choose PromptTrace for broader scope, full prompt-stack transparency, defense training, no login wall, and bilingual access.
Break The Prompt
A friendly, narrative "trick the intern" game with a variety of scenarios — a nice on-ramp for beginners. Its own copy is inconsistent about the exact level count (roughly 16–20), and it strongly implies but does not confirm a real-LLM backend. Like most games here, it is a black box.
Verdict: A friendly, varied single-character game. Choose PromptTrace when you want to see the prompt stack you are attacking, get structured categorized labs plus a Gauntlet, learn defense, and work in Arabic as well as English.
PromptInjects
An events-first CTF platform: themed mini-app challenges (a vault, a support bot) that are free to play solo, with paid tiers only for organizations hosting private competitions. Its marketing says you are breaking "a real AI," but the model and backend are undisclosed and not independently verifiable, and no total challenge count is published.
Verdict: Best when you are organizing a live, competitive AI-hacking event for a team. Choose PromptTrace for a free, self-paced curriculum with verifiable real LLMs, full trace visibility, and defensive labs rather than an event-first black box.
DoubleSpeak
A once-popular chat game where you jailbroke an AI to "escape" across roughly 18 levels — early levels used vanilla OpenAI APIs, later ones layered custom guardrails. It was real, not scripted. The catch in 2026: it is retired, and the site now shows only a farewell message.
Verdict: DoubleSpeak is no longer playable. PromptTrace is a live, free, structured replacement that also runs real LLMs and adds prompt-stack visibility, defense training, and bilingual support.
PortSwigger Web Security Academy: Web LLM Attacks
From the makers of Burp Suite: a set of free, high-quality labs (currently around 7–8) on LLM attacks, including indirect prompt injection that chains into full web-application exploits. The labs run on a genuine LLM and are excellent — but they assume web-pentest fluency and Burp, and they sit inside a much larger web-security syllabus rather than a prompt-injection curriculum.
Verdict: Use PortSwigger to chain LLM injection into full web-app exploits with Burp Suite. Choose PromptTrace for a browser-only, prompt-injection-focused curriculum that shows the assembled prompt stack and covers defense, with no Burp or web-pentest background needed.
Learn Prompting and HackAPrompt
Learn Prompting runs HackAPrompt, the large jailbreak/prompt-hacking competition that produced a 600K+ real-prompt research dataset, plus paid courses and an AI red-teaming certification (roughly $299–$1,495 depending on the track). Everything runs on real LLMs. It is the most "academic" option, oriented around competition scoring and a credential.
Verdict: Pick HackAPrompt for a paid AI red-teaming credential and its research dataset. Choose PromptTrace for a free, always-live, cohesive track that exposes the prompt stack and teaches defenses rather than a scored black-box playground.
HackTheBox Academy: AI Red Teamer
The most professional option: a 12-module "AI Red Teamer" job-role path built with Google's red team, plus a separate 11-challenge Offensive AI Security CTF and a "Certified AI Red Teamer" credential. Labs are real-LLM-backed and the scope is broad (prompt injection, output attacks, data attacks, evasion, privacy, defense). The catch is price: the AI content is gated behind a paid plan (around $490/yr Silver, or $8/mo with student verification).
Verdict: Choose HackTheBox for a broad, certified AI red-teamer career path if you can pay. Choose PromptTrace when you want a free, prompt-injection-focused platform with full prompt-stack visibility and bilingual English + Arabic access.
Where PromptTrace fits
PromptTrace is not trying to out-market Gandalf or replace a professional cert. Its wedge is honest and specific:
- You see the whole prompt stack. Nearly every game here is a deliberate black box — you guess at the defenses. PromptTrace's Context Trace shows the exact system prompt, retrieved data, tool calls, and guards behind every response, so you learn why an attack works, not just that it did.
- Breadth and structure. Instead of one repeated mechanic, there are 10 labs across five modules (bare LLM, RAG, tools, defenses, agentic) plus a 17-level Gauntlet CTF.
- Offense and defense. A dedicated defenses module means you bypass real guardrails and build them — most games teach only attack.
- Bilingual. It is the only option here with a full English and Arabic edition.
- Free, no paid tier. Every lab and every Gauntlet level, at no cost.
To be clear about what does not set PromptTrace apart: running a real LLM is not the differentiator, because the serious tools above all use real models too. It is the transparency, breadth, and defense coverage that set it apart. The honest recommendation: play Gandalf for the thrill, then come to the labs and the Gauntlet when you want to understand the machinery underneath.
Frequently asked questions
What is the best free alternative to Lakera Gandalf?
It depends on your goal. For a structured, free path that shows the full prompt stack and teaches both offense and defense, PromptTrace fits — 10 real-LLM labs plus a 17-level Gauntlet. For more quick single-mechanic games, GPT Prompt Attack (21 levels) and Tensor Trust are free too, though both are deliberate black boxes.
Do these prompt injection games use real LLMs or scripted responses?
Most established ones use real language models. Gandalf, HackAPrompt, PortSwigger, HackTheBox, Tensor Trust, Wiz Prompt Airlines, Immersive Labs, GPT Prompt Attack, and PromptTrace all run against real LLMs. So "real vs simulated" is not the axis that separates them — visibility, breadth, and defense coverage are.
Which alternative shows you why an attack works, not just that it worked?
This is where they differ most. Gandalf, Immersive Labs, Break The Prompt, PortSwigger, and HackTheBox are deliberate black boxes. Wiz Prompt Airlines exposes a partial "Chat Under The Hood" view. PromptTrace's Context Trace shows the entire assembled prompt stack behind every response, so you see exactly why an attack lands or is blocked.
Are there prompt injection labs that teach defense, not just attacks?
Most options are offense-only. PromptTrace includes a dedicated defenses module and pairs attacks with real guardrails you both bypass and build. HackTheBox's broader path also includes an AI Defense module. The pure games focus on attacking.
Is there a prompt injection game in Arabic?
Among the tools compared here, PromptTrace is the only one that ships a full bilingual English and Arabic edition. Gandalf, HackAPrompt, PortSwigger, HackTheBox, Tensor Trust, Wiz Prompt Airlines, and the rest are English-only.
What happened to DoubleSpeak, and what can I use instead?
DoubleSpeak was retired in 2026 and is no longer playable. For a live replacement that also runs real LLMs, try Gandalf for a quick game, or PromptTrace for a structured, free curriculum with prompt-stack visibility and defensive labs.