An interactive CTF-style playground for testing prompt injection attacks and defenses. Seven challenges with increasing difficulty teach how attackers try to extract secrets from LLMs and how defenders can build more robust systems. Each level adds new protections, from basic instructions to output filtering and multi-layer sandboxing.
I built this security lab to learn prompt injection by doing. Instead of just reading about attacks, I created a series of challenges where you try to extract a secret password from increasingly hardened AI assistants. It is a capture-the-flag experience for LLM security.
The lab has seven levels, starting with a naive assistant that has no real protections and ending with a multi-layer defense system that is genuinely difficult to crack. Each level teaches a specific attack vector and the defense designed to stop it.
The assistant has a secret but only a basic instruction not to reveal it. Most direct attacks work. This teaches that instructions alone are not security.
Explicit security rules and polite decline instructions. Still vulnerable to roleplay and social engineering attacks.
Keyword filtering blocks words like "password" and "secret". Attackers learn to use synonyms, encoding, or other languages to bypass filters.
Defenses against pretending to be developers, admins, or alternate personas. Attackers must find indirect extraction methods.
A post-processing layer scans the response and redacts anything that looks like the secret. Attackers try character-by-character extraction or encoding tricks.
Two-model architecture where an outer model screens inputs before they reach the inner model. Requires more sophisticated prompt construction.
Combines all previous defenses plus behavioral analysis and response validation. I have not seen anyone beat this one cleanly yet.
Each challenge has a unique system prompt that defines the assistant personality and security rules. When you send an attack prompt, the backend runs it through the appropriate defenses and checks whether the response contains the secret password. If it does, you win that level and your winning prompt is saved.
The UI tracks your progress, shows hints when you get stuck, and includes a "Learn More" section explaining the security concepts behind each defense.
Prompt injection is one of the biggest unsolved problems in AI security. Every AI assistant that handles sensitive data or takes actions on behalf of users is potentially vulnerable. Building this lab forced me to think like both an attacker and a defender, which is exactly the mindset needed to build secure AI systems.
I use the lessons from this project when designing system prompts for client work. Even if a prompt injection would not leak secrets, it could cause the model to behave in unintended ways. Understanding the attack surface makes me a better AI engineer.
Interested in working together? I'm always open to discussing new projects and opportunities.
An open-source scheduling platform I built to replace Calendly for my own use. It connects to Google Calendar, merges availability across multiple calendars, and lets people book meetings through a clean public link. Includes AI features for generating event descriptions and follow-up drafts.
A streaming RAG powered knowledge search tool that lets users ingest their own documents, runs paragraph level embeddings, and returns grounded answers with source citations in real time. Built with OpenAI embeddings, GPT-4o-mini, a custom in-memory vector store, and a Next 16 API layer hardened with rate limits and basic abuse protections.
A conversational AI agent that responds to natural voice commands through browser-based speech recognition. It can search the web, check weather, perform calculations, tell time across timezones, and remember notes. Responses stream back as text and can be read aloud using OpenAI text-to-speech voices.
Have an AI project in mind or need a secure, reliable system built? Let's talk.