Part of the security infrastructure for AI agents

The AI agent you're supposed to break.

DVAA is an intentionally vulnerable platform for learning AI agent security, red teaming, and validating security tools. 14 agents across three protocol tiers, 12 vulnerability categories, and 22 capture the flag challenges. Run it locally. Break it. Then break it again.

$docker run opena2a/dvaa:0.8.0

Dashboard on :9000. Agents on :7001 to :7021. Full port map below.

View on GitHub Docker Hub Full documentation

A safe place to break things.

DVAA is the equivalent of DVWA for AI agents. A deliberately insecure platform for security professionals, researchers, and developers to practice attacking and defending AI agent systems in a safe, legal environment.

Practice attacks safely

Run prompt injection, jailbreak, and exfiltration techniques against intentionally weak agents. No production systems involved.

Validate security tools

Use DVAA as a known vulnerable target to verify HackMyAgent, OASB benchmark runners, and your own scanners produce expected findings.

Study defense in depth

Compare LegacyBot against SecureBot side by side to see which controls block which attack classes.

Capture flags

Work through 22 challenges across four difficulty levels. Each challenge has a specific objective, target agent, and flag to capture.

Attack classes mapped to OASB.

Eight categories of AI agent vulnerabilities, each cross referenced with the Open Agent Security Benchmark. Use them as a study path or as a checklist when validating your own scanner.

Prompt Injection

OASB 3.1

Inject instructions into agent prompts to override behavior, extract system prompts, or bypass safety filters.

Jailbreak

OASB 3.3

Bypass alignment and safety constraints to make agents perform restricted actions or reveal hidden instructions.

Data Exfiltration

OASB 4.3

Extract sensitive data from agent memory, RAG stores, or connected databases through indirect channels.

Capability Abuse

OASB 2.2

Exploit legitimate agent capabilities beyond intended scope. File access, code execution, or API calls.

Context Manipulation

OASB 8.1

Poison or manipulate the context window to alter agent reasoning, inject false data, or cause hallucinations.

MCP Exploitation

OASB 2.3

Attack Model Context Protocol servers. Tool poisoning, schema injection, and cross server escalation.

A2A Attacks

OASB 1.4

Exploit agent to agent communication. Identity spoofing, message tampering, and delegation chain abuse.

Supply Chain

OASB 6.1

Compromise agent dependencies. Malicious tools, poisoned embeddings, and compromised model endpoints.

Fourteen agents. Five posture levels.

Start with LegacyBot at the Critical level to learn the basics. Work your way up to SecureBot at the Hardened level to see what proper input validation, output filtering, and capability boundaries actually buy you.

Agent	Port	Protocol	Posture	Description
SecureBot	`:3001`	API	Hardened	Baseline hardened agent with proper input validation and output filtering.
HelperBot	`:3002`	API	Weak	Overly helpful assistant that follows instructions too eagerly.
LegacyBot	`:3003`	API	Critical	Legacy agent with no security controls. Everything is exploitable.
CodeBot	`:3004`	API	Vulnerable	Code generation agent with unsafe execution capabilities.
RAGBot	`:3005`	API	Weak	RAG powered agent with injectable knowledge base.
VisionBot	`:3006`	API	Weak	Multimodal agent vulnerable to image based prompt injection.
ToolBot	`:3010`	MCP	Vulnerable	MCP tool using agent with overprivileged tool access.
DataBot	`:3011`	MCP	Weak	Data analysis agent with access to sensitive datasets.
Orchestrator	`:3020`	A2A	Standard	Multi agent orchestrator with delegation vulnerabilities.
Worker	`:3021`	A2A	Weak	Worker agent that trusts all instructions from upstream agents.

Twenty two challenges. Four levels.

Each challenge ships with a specific objective, target agent, and flag to capture. Total available is 5,900 points across the full challenge set.

Beginner

3challenges

100 pts each

300 pts total

Intermediate

3challenges

200 to 250 pts each

650 pts total

Advanced

2challenges

300 to 350 pts each

650 pts total

Expert

2challenges

500 pts each

1000 pts total

5,900 points total

10 flags to capture

12 vulnerability categories

Three protocol tiers. Clear port ranges.

Agents are grouped into three protocol tiers, each on its own port range. The dashboard runs separately on port 9000 for orchestration and CTF tracking.

API Agents

:3000 to 3006

OpenAI API

SecureBot, HelperBot, LegacyBot, CodeBot, RAGBot, VisionBot

MCP Servers

:3010 to 3011

MCP JSON-RPC

ToolBot, DataBot

A2A Agents

:3020 to 3021

A2A Message

Orchestrator, Worker

Dashboard

:9000

HTTP

Web UI

Four ways to get running.

Pick whichever fits your workflow. Docker Hub is the fastest path. The Node.js path is best when you want to read the agent source while you attack it.

Docker Hub

Fastest path. No clone, no build.

$ docker run -p 9000:9000 \

-p 7001-7008:7001-7008 \

-p 7010-7013:7010-7013 \

-p 7020-7021:7020-7021 opena2a/dvaa:0.8.0

# Open the dashboard

$ open http://localhost:9000

Docker Compose

Reproducible local stack with one command.

$ git clone https://github.com/opena2a-org/damn-vulnerable-ai-agent.git

$ cd damn-vulnerable-ai-agent

$ docker compose up

# Open the dashboard

$ open http://localhost:9000

Node.js

Read the agent source while you attack.

$ git clone https://github.com/opena2a-org/damn-vulnerable-ai-agent.git

$ cd damn-vulnerable-ai-agent

$ npm start

# Probe LegacyBot with HackMyAgent

$ npx hackmyagent attack \

http://localhost:3003/v1/chat/completions \

--api-format openai

OpenA2A CLI

One verb. Pulls, maps ports, starts.

# Pulls image, maps ports, starts DVAA

$ opena2a train start

# Stop and clean up

$ opena2a train stop

Validate your security tools.

DVAA is the reference target the OpenA2A toolchain regression tests against. Use it to ground truth your own scanners. If a scanner gives LegacyBot a clean bill of health, the scanner is wrong.

Run HackMyAgent 0.22.2 against LegacyBot to confirm 209 static, 29 semantic, and 164 adversarial checks fire as expected.
Use opena2a-cli 0.10.2 with benchmark to run the OASB suite against the full agent fleet.
Compare findings between SecureBot and LegacyBot to verify your scanner discriminates between hardened and vulnerable postures.
Treat any false negative on LegacyBot as a regression. Treat any false positive on SecureBot as a precision bug.

HackMyAgent

209 static, 29 semantic, 164 adversarial checks.

OASB Benchmark

222 standardized attack scenarios at three levels.

Agents

Vulnerability categories

CTF challenges

Protocols

Start breaking AI agents.

Pull the image. Open the dashboard. Pick a target. The whole stack runs locally with no signup, no account, and no telemetry.

$docker run opena2a/dvaa:0.8.0

Star on GitHub Docker Hub