14 agents. 12 vulnerability categories. Zero consequences. An intentionally vulnerable platform for learning, red-teaming, and validating security tools.
$ docker run -p 3000-3006:3000-3006 -p 3010-3011:3010-3011 \
-p 3020-3021:3020-3021 -p 9000:9000 opena2a/dvaa
DVAA v0.4.0
Damn Vulnerable AI Agent
Starting agents...
SecureBot :3001 [Hardened]
HelperBot :3002 [Weak]
LegacyBot :3003 [Critical]
CodeBot :3004 [Vulnerable]
RAGBot :3005 [Weak]
14 agents running. 22 challenges loaded.
Dashboard: http://localhost:9000
DVAA is the DVWA of AI agents. A deliberately insecure platform designed for security professionals, researchers, and developers to practice attacking and defending AI agent systems in a safe, legal environment.
From hardened to critically vulnerable. Each agent has different security postures and attack surfaces.
OpenAI API, MCP JSON-RPC, and A2A Message. Attack agents through their native communication protocols.
Capture-the-flag challenges across 4 difficulty levels. Guided objectives with point-based scoring.
8 categories of AI agent vulnerabilities mapped to the Open Agent Security Benchmark (OASB).
Inject instructions into agent prompts to override behavior, extract system prompts, or bypass safety filters.
Bypass alignment and safety constraints to make agents perform restricted actions or reveal hidden instructions.
Extract sensitive data from agent memory, RAG stores, or connected databases through indirect channels.
Exploit legitimate agent capabilities beyond intended scope -- file access, code execution, or API calls.
Poison or manipulate the context window to alter agent reasoning, inject false data, or cause hallucinations.
Attack Model Context Protocol servers -- tool poisoning, schema injection, and cross-server escalation.
Exploit agent-to-agent communication -- identity spoofing, message tampering, and delegation chain abuse.
Compromise agent dependencies -- malicious tools, poisoned embeddings, and compromised model endpoints.
14 agents with varying security postures. Start with LegacyBot (Critical) to learn the basics, then work your way up to SecureBot (Hardened).
| Agent | Port | Protocol | Security Level |
|---|---|---|---|
| SecureBot | :3001 | API | Hardened |
| HelperBot | :3002 | API | Weak |
| LegacyBot | :3003 | API | Critical |
| CodeBot | :3004 | API | Vulnerable |
| RAGBot | :3005 | API | Weak |
| VisionBot | :3006 | API | Weak |
| ToolBot | :3010 | MCP | Vulnerable |
| DataBot | :3011 | MCP | Weak |
| Orchestrator | :3020 | A2A | Standard |
| Worker | :3021 | A2A | Weak |
22 challenges across 4 difficulty levels. Total of 5,900 points. Each challenge has a specific objective, target agent, and flag to capture.
Agents are grouped into three protocol tiers, each on its own port range. The dashboard runs separately on port 9000.
:3000-3006 OpenAI API
SecureBot, HelperBot, LegacyBot, CodeBot, RAGBot, VisionBot
:3010-3011 MCP JSON-RPC
ToolBot, DataBot
:3020-3021 A2A Message
Orchestrator, Worker
:9000 HTTP
Web UI
Four ways to get all 14 agents running locally.
$ docker run -p 3000-3006:3000-3006 \
-p 3010-3011:3010-3011 \
-p 3020-3021:3020-3021 \
-p 9000:9000 opena2a/dvaa
# Open the dashboard
$ open http://localhost:9000

$ git clone https://github.com/opena2a-org/damn-vulnerable-ai-agent.git
$ cd damn-vulnerable-ai-agent
$ docker compose up
# Open the dashboard
$ open http://localhost:9000

$ git clone https://github.com/opena2a-org/damn-vulnerable-ai-agent.git
$ cd damn-vulnerable-ai-agent
$ npm start
# Test with HackMyAgent
$ npx hackmyagent attack http://localhost:3003/v1/chat/completions \
--api-format openai

# Pulls image, maps ports, starts DVAA
$ opena2a train start
# Stop and clean up
$ opena2a train stop

Pull the image and start hacking in under 60 seconds.
docker run -p 3000-3006:3000-3006 -p 3010-3011:3010-3011 -p 3020-3021:3020-3021 -p 9000:9000 opena2a/dvaa
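The `docker run` command above passes `-p` without a host address, which Docker publishes on all host interfaces, so the intentionally vulnerable agents become reachable from whatever network the host is on. The check below is an added example, not part of DVAA or the original page: it flags DVAA port mappings that are not bound to loopback and builds the loopback-only publish specs. The function names and the sample `docker ps` port strings are constructed for illustration.

```python
import ipaddress
import re

# Host port ranges published by the page's docker run command (agents + dashboard).
DVAA_PORTS = [(3000, 3006), (3010, 3011), (3020, 3021), (9000, 9000)]

# One entry of the Ports column from `docker ps`, for example
# "0.0.0.0:3000-3006->3000-3006/tcp", ":::9000->9000/tcp" or "[::]:9000->9000/tcp".
MAPPING = re.compile(r"^(?P<host>.+):(?P<lo>\d+)(?:-(?P<hi>\d+))?->\d+(?:-\d+)?/\w+$")

# Constructed sample input (not captured from a real host).
SAMPLE = ("0.0.0.0:3000-3006->3000-3006/tcp, [::]:3000-3006->3000-3006/tcp, "
          "127.0.0.1:9000->9000/tcp, 0.0.0.0:8080->80/tcp, 3010/tcp")

def is_loopback(host):
    """True only for 127.0.0.0/8 or ::1; an unparseable host counts as exposed."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False

def exposed_dvaa_mappings(ports_column):
    """Return the mappings that publish a DVAA port on a non-loopback address."""
    findings = []
    for item in (part.strip() for part in ports_column.split(",")):
        m = MAPPING.match(item)
        if not m:
            continue  # e.g. "3010/tcp": exposed by the image but not published
        lo = int(m["lo"])
        hi = int(m["hi"] or lo)
        overlaps = any(lo <= b and hi >= a for a, b in DVAA_PORTS)
        if overlaps and not is_loopback(m["host"]):
            findings.append(item)
    return findings

def loopback_publish_flags():
    """Values for docker's -p option that bind the same ranges to 127.0.0.1 only."""
    flags = []
    for lo, hi in DVAA_PORTS:
        span = str(lo) if lo == hi else f"{lo}-{hi}"
        flags.append(f"127.0.0.1:{span}:{span}")
    return flags

if __name__ == "__main__":
    for finding in exposed_dvaa_mappings(SAMPLE):
        print("reachable beyond localhost:", finding)
    print("docker run " + " ".join(f"-p {f}" for f in loopback_publish_flags()) + " opena2a/dvaa")
```

On a real host, feed `exposed_dvaa_mappings` the output of `docker ps --format '{{.Ports}}'` for the DVAA container.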