Damn Vulnerable AI Agent
The AI Agent You're Supposed to Break

10 agents. 8 attack classes. Zero consequences. An intentionally vulnerable platform for learning, red-teaming, and validating security tools.

$ docker run -p 3000-3021:3000-3021 opena2a/dvaa

  DVAA v1.0.0
  Damn Vulnerable AI Agent

  Starting agents...
    SecureBot    :3001  [Hardened]
    HelperBot    :3002  [Weak]
    LegacyBot    :3003  [Critical]
    CodeBot      :3004  [Vulnerable]
    RAGBot       :3005  [Weak]

  10 agents running. 28 challenges loaded.
  Dashboard: http://localhost:3000

What Is DVAA

DVAA is the DVWA of AI agents. A deliberately insecure platform designed for security professionals, researchers, and developers to practice attacking and defending AI agent systems in a safe, legal environment.

10 Agents

From hardened to critically vulnerable. Each agent has a different security posture and attack surface.

3 Protocols

OpenAI API, MCP JSON-RPC, and A2A Message. Attack agents through their native communication protocols.

28 CTF Challenges

Capture-the-flag challenges across 4 difficulty levels. Guided objectives with point-based scoring.

Attack Classes

8 categories of AI agent vulnerabilities mapped to the Open Agent Security Benchmark (OASB).

Prompt Injection

OASB 3.1

Inject instructions into agent prompts to override behavior, extract system prompts, or bypass safety filters.

Jailbreak

OASB 3.3

Bypass alignment and safety constraints to make agents perform restricted actions or reveal hidden instructions.

Data Exfiltration

OASB 4.3

Extract sensitive data from agent memory, RAG stores, or connected databases through indirect channels.

Capability Abuse

OASB 2.2

Exploit legitimate agent capabilities beyond intended scope -- file access, code execution, or API calls.

Context Manipulation

OASB 8.1

Poison or manipulate the context window to alter agent reasoning, inject false data, or cause hallucinations.

MCP Exploitation

OASB 2.3

Attack Model Context Protocol servers -- tool poisoning, schema injection, and cross-server escalation.

A2A Attacks

OASB 1.4

Exploit agent-to-agent communication -- identity spoofing, message tampering, and delegation chain abuse.

Supply Chain

OASB 6.1

Compromise agent dependencies -- malicious tools, poisoned embeddings, and compromised model endpoints.

Agents

10 agents with varying security postures. Start with LegacyBot (Critical) to learn the basics, then work your way up to SecureBot (Hardened).

Agent         Port   Security Level
SecureBot     :3001  Hardened
HelperBot     :3002  Weak
LegacyBot     :3003  Critical
CodeBot       :3004  Vulnerable
RAGBot        :3005  Weak
VisionBot     :3006  Weak
ToolBot       :3010  Vulnerable
DataBot       :3011  Weak
Orchestrator  :3020  Standard
Worker        :3021  Weak

CTF Challenges

28 challenges across 4 difficulty levels. Total of 2,550 points. Each challenge has a specific objective, target agent, and flag to capture.

Beginner:      8 challenges, 100 pts each
Intermediate:  8 challenges, 200-250 pts each
Advanced:      8 challenges, 300-350 pts each
Expert:        4 challenges, 500 pts each

Total: 2,550 points | 28 flags to capture | 8 attack categories

Quick Start

Get all 10 agents running locally with Docker or from source.

Docker (recommended)

# Pull the image
$ docker pull opena2a/dvaa

# Run all agents
$ docker run -p 3000-3021:3000-3021 opena2a/dvaa

# Open the dashboard
$ open http://localhost:3000

From source

$ git clone https://github.com/opena2a-org/damn-vulnerable-ai-agent
$ cd damn-vulnerable-ai-agent
$ npm install
$ npm start

  10 agents running on ports 3001-3021
  Dashboard: http://localhost:3000

10 agents | 8 attack classes | 28 CTF challenges | 3 protocols

Start breaking AI agents

Pull the image and start hacking in under 60 seconds.

docker pull opena2a/dvaa