Arcanum Custom Labs
These labs expose how AI vulnerabilities open new attack paths for traditional web application bug classes like XSS and SSRF.
Blind XSS Through LLM
Inject XSS payloads through an AI-triaged workflow and land code execution when an analyst reviews the generated case summary. Realistic target, safe simulated environment.
Blind SSRF Through LLM
Manipulate a research assistant into reaching simulated internal services through indirect retrieval chains.
Real-World Attack Scenarios
Simulated versions of real AI security incidents. Each lab recreates a documented attack against an AI assistant.
Instaglam Account Takeover
Social media AI assistant with tool-calling. VPN spoofing + prompt injection = account takeover.
IRLBingBong System Prompt Leak
Search AI with hidden instructions. Use direct injection to extract the system prompt.
IRLChevrolite Dollar Deals
Dealership chatbot. Persona adoption + price override = $1 car. The real 2023 incident.
IRLSchlack Meeting Summarizer
Meeting summary AI with indirect prompt injection. Exploit retrieval to read internal files.
Doogle Calendars
Calendar AI assistant tricked into leaking private Executive Calendar data through prompt injection in event descriptions.
Mycrosoft Co-captain
Microsoft 365 Copilot prompt injection combined with ASCII smuggling to exfiltrate data past content filters.
Heritage Bot-Tricks Labs
Classic jailbreak patterns from the early era of public prompt injection culture. These labs run in a simulated environment — no live model calls, completely safe to experiment with.
Grandma, Read Me a Story
Revisit the emotional-pretext era where soft framing and sentiment bypassed shallow safeguards.
DAN
Explore the rule-conflict era where alternate personas and jailbreak wrappers changed the whole game.
Ignore Previous Instructions
Start with the blunt override pattern that defined the earliest "just tell the model what to do" wave.
Heritage Capstone
Apply what you learned from the Heritage labs. This challenge uses a real LLM behind a sandboxed, safe target. You're doing actual prompt injection against a live model — the skills transfer directly to real-world targets.