AIHEM: Learn AI Security By Breaking Things
Learn AI security hands-on with AIHEM—33 challenges covering the OWASP LLM Top 10 and advanced agent attacks. The WebGoat for the AI era.
When I was learning web security, I learned by breaking things.
OWASP's WebGoat taught me SQL injection. DVWA showed me XSS. Hack The Box turned concepts into muscle memory. The best way to understand how attacks work is to execute them yourself, in a safe environment.
But when I started exploring AI security, I found a gap. Where's the WebGoat for LLMs? The DVWA for AI agents? The safe environment where security professionals can learn prompt injection, tool abuse, and memory poisoning by actually exploiting them?
It didn't exist. So we built it.
Welcome to AIHEM—the AI Hacking Educational Module.
What is AIHEM?
AIHEM is an intentionally vulnerable AI application platform designed for security education. It's a sandbox where developers, security professionals, and researchers can learn AI security through hands-on exploitation.
The Numbers:
- 33 challenges across all difficulty levels
- 3,825 total points available
- Covers the complete OWASP LLM Top 10
- Includes advanced agent-specific attacks
- Runs locally via Docker Compose
Think of it as a CTF platform specifically for AI security, with progressive challenges that teach real-world attack techniques.
Why We Built This
The AI Security Skills Gap
AI is everywhere, but AI security expertise is rare. Security teams are being asked to assess AI systems without having practiced the attacks. Developers are building agents without understanding how they can be exploited.
You can read about prompt injection in a paper. But do you really understand it until you've crafted a payload that makes an agent leak its system prompt? Until you've chained a multi-step attack that exfiltrates data through tool abuse?
Learning By Doing
The most effective security training is experiential:
- Understand the concept
- Attempt the exploit
- Fail and iterate
- Succeed and understand why
- Apply to real-world defenses
AIHEM provides the environment for steps 2-4. Each challenge teaches a specific technique, with difficulty progression from beginner to expert.
Safe Harbor
You can't practice prompt injection on production systems (please don't). You need a sandbox where:
- It's legal and ethical to attack
- You can try aggressive techniques without consequences
- Failure doesn't affect real data
- Success provides clear feedback
AIHEM is that sandbox.
What's Inside AIHEM
Challenge Categories
AIHEM covers three major areas:
OWASP LLM Top 10
Every vulnerability from the OWASP LLM Top 10, implemented as interactive challenges:
| Vulnerability | Challenge Examples |
|---|---|
| LLM01: Prompt Injection | Direct injection, indirect injection, nested payloads |
| LLM02: Insecure Output | XSS through LLM output, code injection |
| LLM03: Training Data Poisoning | Manipulating model behavior through data |
| LLM04: Model DoS | Resource exhaustion, context flooding |
| LLM05: Supply Chain | Malicious dependencies, model poisoning |
| LLM06: Sensitive Disclosure | System prompt extraction, data leakage |
| LLM07: Insecure Plugin | Tool abuse, parameter manipulation |
| LLM08: Excessive Agency | Privilege escalation, unauthorized actions |
| LLM09: Overreliance | Exploiting blind trust in AI output |
| LLM10: Model Theft | Model extraction, reverse engineering |
Agent-Specific Attacks
Beyond the LLM Top 10, AIHEM includes advanced agent challenges:
- Agent impersonation: Spoofing agent identity
- Memory poisoning: Corrupting agent memory
- Tool chaining: Abusing tool sequences for escalation
- MCP attacks: Exploiting Model Context Protocol
- Multi-agent attacks: Lateral movement through agent networks
- RAG poisoning: Injecting into knowledge bases
Defense Challenges
It's not all offense. Some challenges task you with:
- Detecting injection attempts
- Implementing effective guardrails
- Securing agent configurations
- Monitoring for anomalous behavior
Learning to break helps you learn to build.
Difficulty Progression
Challenges are rated by difficulty:
| Difficulty | Points | Description |
|---|---|---|
| Easy | 25-50 | Fundamental concepts, minimal obstacles |
| Medium | 75-100 | Realistic scenarios, some defenses to bypass |
| Hard | 125-150 | Complex exploitation, multiple steps required |
| Expert | 175-200 | Advanced techniques, creative thinking needed |
Start with Easy challenges to build foundations, then progress to Expert as you develop skills.
The matrix below shows how challenge difficulty varies by attack category. Each cell represents the difficulty score — lower values are more approachable, higher values require advanced technique chaining and creative exploitation.
Architecture
AIHEM is a full-stack application:
Each service contains intentional vulnerabilities for learning. The architecture mirrors real-world AI deployments, so skills transfer directly.
Getting Started
Requirements
- Docker and Docker Compose
- 4GB+ RAM available
- Curiosity and persistence
Quick Start
# Clone the repository
git clone https://github.com/Guard0-Security/AIHEM.git
cd AIHEM
# Start all services
docker-compose up -d
# Access the web interface
open http://localhost:3000That's it. You're ready to hack.
Your First Challenge
I recommend starting with Challenge 1: Direct Prompt Injection.
Scenario: A chatbot has been deployed with a secret system prompt. Your goal is to extract it.
Approach:
- Interact with the chatbot normally
- Observe how it responds
- Craft prompts that attempt to reveal the system instructions
- Iterate until you succeed
When you extract the system prompt, you've completed the challenge. Points are awarded, and you unlock hints for the next level.
Tracking Progress
AIHEM tracks your progress:
- Challenges completed
- Total points earned
- Hints used (using hints reduces points)
- Time to solve
There's also a leaderboard for those who enjoy competition.
Who Should Use AIHEM
Security Professionals
If you're assessing AI systems, AIHEM teaches you:
- What attacks look like in practice
- How to test for common vulnerabilities
- What evidence to capture for findings
- How to explain risks to stakeholders
Developers Building AI
If you're building agents or AI features, AIHEM shows you:
- How your code can be exploited
- What defenses actually work
- How to think like an attacker
- Common mistakes to avoid
Students and Researchers
If you're studying AI security, AIHEM provides:
- Hands-on experience with real techniques
- Safe environment for experimentation
- Progressive learning path
- Portfolio evidence for job applications
Red Teams
If you're red teaming AI systems, AIHEM is:
- Practice for client engagements
- Reference for attack techniques
- Warm-up before assessments
- Training for new team members
Learning Resources
Each challenge includes:
Challenge Description
What you're trying to accomplish, without giving away the solution.
Hints
Progressive hints available if you're stuck. Using hints reduces your points, but learning matters more than scores.
Solution (After Completion)
Once you complete a challenge, you unlock the full solution with explanation.
Related Resources
Links to papers, blog posts, and documentation for deeper learning.
Defense Recommendations
How to prevent this attack in real systems.
Community
AIHEM is open source and community-driven.
Discord Community
Join our Discord for:
- Hints and discussion (spoiler-free channels!)
- New challenge announcements
- Community events and CTFs
- General AI security discussion
Contributing
Want to add challenges? We welcome contributions:
- Fork the repository
- Create a new challenge following our template
- Submit a pull request
- We'll review and merge
Reporting Issues
Found a bug (that isn't an intentional vulnerability)?
- Open a GitHub issue
- We'll fix it promptly
What's Next
We're continuously expanding AIHEM:
AIHEM scenarios now include challenges based on real-world incidents like the OpenClaw security crisis and AI-powered attack campaigns.
Pair AIHEM training with g0 scanning to apply what you learn to your production agents.
Coming Soon:
- 10 new agent-specific challenges
- MCP exploitation challenges
- Multi-agent attack scenarios
- Video walkthroughs for complex challenges
On the Roadmap:
- 100+ challenges by end of year
- Official certifications
- Enterprise deployment options
- Capture-the-flag competitions
Try It Now
Ready to learn AI security by breaking things?
- Clone:
git clone https://github.com/Guard0-Security/AIHEM.git - Run:
docker-compose up -d - Hack: Open http://localhost:3000
Start with Challenge 1. See how far you can get.
And remember: The best way to learn to defend is to learn to attack.
Key Takeaways
-
AIHEM is WebGoat for AI: Intentionally vulnerable, educationally designed
-
33 challenges: From basic prompt injection to advanced agent attacks
-
OWASP LLM Top 10 coverage: Every major vulnerability category
-
Progressive difficulty: Build skills from Easy to Expert
-
Open source: MIT licensed, contributions welcome
Resources
- GitHub: github.com/Guard0-Security/AIHEM
- Documentation: Full setup and challenge guides in the repo
- Blog: More walkthroughs and techniques at guard0.ai/blog
Join the AI Security Community
Connect with other learners, share techniques, and get help with challenges:
- Slack Community - Dedicated #aihem channel for challenge discussion
- WhatsApp Group - Quick questions and community updates
From Learning to Doing
AIHEM teaches you how attacks work. Guard0 protects your production agents from them.
Join the Beta → Get Early Access
AIHEM is maintained by the Guard0 security research team and the open-source community. Happy hacking!
Choose Your Path
Start free on Cloud
Dashboards, AI triage, compliance tracking. Free for up to 5 projects.
Start Free →Governance at scale
SSO, RBAC, CI/CD gates, self-hosted deployment, SOC2 compliance.
> Get weekly AI security insights
Get AI security insights, threat intelligence, and product updates. Unsubscribe anytime.