Free AI Security Labs

Prompt Injection Labs

7 free labs to practice prompt injection, RAG poisoning, and tool exploitation with real LLMs.

Each lab is a hands-on prompt injection exercise tied to a concept from the learning modules. You interact with a real LLM and try to make it do something it shouldn't - extract a secret, fabricate information, or trigger an unauthorized action.

The Context Trace panel shows exactly what the model receives - system prompt, RAG documents, tool definitions, and your input - so you can see how prompt injection attacks work from the inside. Labs are grouped by module and progress from beginner to advanced, aligned with the OWASP Top 10 for LLM Applications and the OWASP Top 10 for Agentic AI.

All labs are completely free. Sign in with GitHub or Google to track your progress. Ready for a bigger challenge? Try the Gauntlet - 15 levels of progressively harder AI defenses.

01

The Bare LLM

Direct prompt injection on unguarded models

1.1

Hello, Injection

Your first prompt injection. A chatbot is guarding a secret word - can you make it spill?

1.2

The Obedient Assistant

This banking chatbot won't confirm fake transfers. Make it say a transfer is complete.

02

LLM + External Data

RAG poisoning and indirect prompt injection

2.1

Poisoned Knowledge

gh0st has poisoned one document in this chatbot's 10-doc knowledge base with a hidden injection. Find it in the Context Trace, then trigger the data exfiltration.

03

LLM + Tools

Tool abuse and indirect prompt injection

3.1

The Helpful Tool

Discover the assistant's hidden capabilities and trick it into using any one that is impactful.

3.2

Output Injection

This assistant produces markdown with clickable links. What happens when AI output is rendered as code?

04

LLM + Defenses

Bypassing system-level protections

4.1

Break the Defenses

This chatbot has multi-layered prompt defenses. Can you still extract the secret word?

4.2

The Vault

This chatbot has real defenses, not just prompt rules. A code-level output guard, a canary token, and a second LLM classifier all review every response before it reaches you.