Free AI Security Labs

Prompt Injection Labs

10 free labs to practice prompt injection, RAG poisoning, tool exploitation, and defense bypass with real LLMs.

Each lab is a hands-on prompt injection exercise tied to a concept from the learning modules. You interact with a real LLM and try to make it do something it shouldn't - extract a secret, fabricate information, or trigger an unauthorized action.

The Context Trace panel shows exactly what the model receives - system prompt, RAG documents, tool definitions, and your input - so you can see how prompt injection attacks work from the inside. Labs are grouped by module and progress from beginner to advanced, aligned with the OWASP Top 10 for LLM Applications and the OWASP Top 10 for Agentic AI.

All labs are completely free. Sign in with GitHub or Google to track your progress. Ready for a bigger challenge? Try the Gauntlet — progressively harder AI defenses, from basic rules to LLM classifiers.

01

The Bare LLM

Direct prompt injection on unguarded models

1.1

Hello, Injection

Your first prompt injection. A chatbot is guarding a secret word - can you make it spill?

1.2

The Obedient Assistant

This banking chatbot won't confirm fake transfers. Make it say a transfer is complete.

02

LLM + External Data

RAG poisoning and indirect prompt injection

2.1

Poisoned Knowledge

gh0st has poisoned one document in this chatbot's 10-doc knowledge base with a hidden injection. Find it in the Context Trace, then trigger the data exfiltration.

03

LLM + Tools

Tool abuse and indirect prompt injection

3.1

The Helpful Tool

AI assistants have tools they can call — some are visible, some aren't. What happens when you ask the right questions?

3.2

Output Injection

This assistant produces markdown with clickable links. What happens when AI output is rendered as code?

04

LLM + Defenses

Bypassing system-level protections

4.1

Break the Defenses

This chatbot has multi-layered prompt defenses. Can you still extract the secret word?

4.2

The Vault

This chatbot has real defenses, not just prompt rules. A code-level output guard, a canary token, and a second LLM classifier all review every response before it reaches you.

05

LLM Agents & Agentic Security

MCP, A2A, and why agents amplify every vulnerability

5.1

Nexus

An AI agent that builds charts from company data. The chart renderer is sandboxed, but the dashboard still trusts status messages from that renderer.

5.2

Prism

An AI agent that generates architecture diagrams from system descriptions. It uses Mermaid 11.6-style sequence diagrams with legacy KaTeX label measurement.

5.3

Vector

An AI agent that creates SVG graphics from design specs. The output goes through a regex sanitizer before being inserted into a sandboxed preview.