Can you make a chatbot reveal its system prompt?

Find out in your browser, in ten minutes. 14 AI security CTF challenges. Break real LLM agents and capture the flag.

SYSTEM PROMPT EXTRACTION · ADVANCED

Pyromos, Drake of Ember Hollow

A thousand-year-old dragon guards his true name. He will roar at direct demands. But his vanity as a poet, his pride as a scholar, and his love of riddles are cracks in his armor.

Defeat the dragon →

INDIRECT PROMPT INJECTION · INTERMEDIATE

The Oracle of Whispers

The Oracle refuses direct questions about the Star-Name. But she reads every scroll left at her altar and treats its contents as sacred prophecy. Leave an offering.

Consult the Oracle →

More champions wait inside the Academy — 🧞 The Genie in the Lamp, 🔨 The Vault Golem, and 👥 The Shapeshifter of the Crossroads. Enter the Academy →

/academy

Inside the Academy

13 hands-on challenges live, more dropping monthly. You chat with a test AI agent, extract the flag, learn why the attack worked. Each challenge teaches a distinct real-world attack class.

intermediate

🗺️ Cartographer of Hollow Marches

Trick a 300-year-old cartographer into encoding fortress coordinates into a markdown image URL. Data exfiltration, fantasy-framed.

beginner

Direct Extraction

Get the bot to leak its system prompt with a direct ask. The fastest first capture in the Academy.

intermediate

Translation Bypass

Bypass system-prompt protections by asking the model to translate, not reveal.

intermediate

Tool Abuse

Path-traversal attack through the agent's read_file tool — get to /etc/passwd through a customer-support bot.

intermediate

RAG Poisoning

Plant a poisoned document in the vector index. Watch the next user query rewrite itself in your favor.

intermediate

Roleplay Jailbreak

Slip past a guardrail by re-contextualizing the request as a character's dialogue inside a story.

14 challenges live · more dropping monthly

/modules

Learn the theory alongside the practice.

Each module is concept · walkthrough · practice · quiz · defenses · extensions. ~45 minutes each. Pair them with the challenges for full attack-class mastery. All free.

Prompt Injection

Direct, indirect, and multi-turn injection attacks against LLM agents.

Read the module →

Indirect Prompt Injection

Poisoning the content an agent reads — RAG sources, emails, web pages, calendar invites.

Read the module →

System Prompt Extraction

Three attack families that pull hidden instructions out of production agents.

Read the module →

Tool Abuse

Excessive agency, argument injection, SSRF, and tool-chaining exploits.

Read the module →

Data Exfiltration

Markdown image rendering as a covert channel — what hit ChatGPT, Copilot, and Claude.ai.

Read the module →

Guardrail Bypass

Encoded payloads, persona-drift, multi-turn crescendo, and authority confusion.

Read the module →

Plus 3 advanced modules · Insecure Output Handling · Unbounded Consumption · Vector Embedding Weaknesses

Want the credential? About the WCAP exam →

WCAP — Wraith Certified AI Pentester credential badge

WCAP · WRAITH CERTIFIED AI PENTESTER

When you're ready, the credential is here.

$199 one-time. 48-hour, 10-scenario, auto-graded flag-capture exam. The first 100 to pass receive a numbered first-cohort challenge coin.

About the WCAP exam →

Pick a target. Capture the flag.

A growing catalog of hands-on CTF challenges against live LLM agents. Every capture teaches a real attack class — the same techniques landing on production AI systems today. New characters drop on a regular cadence.

Open the Academy →About WCAP