AI Goat™ - AI Security Playground

What is AI Goat™?

AI Goat is a free, open-source, deliberately vulnerable AI-powered application built specifically for learning AI security through practical, hands-on experience. The AI Goat playground is a safe environment where you can break things, learn why they break, and then learn how to fix them.

The Story

Why we built AI Goat

Companies everywhere are shipping LLM-powered chatbots, knowledge assistants, code generators, and autonomous agents. But most of the teams building these products have never tested them for the kinds of attacks that are unique to AI systems: prompt injection, RAG poisoning, context manipulation, or system prompt leakage.

Traditional web security tools do not cover these attack surfaces. You cannot use a SQL injection scanner to find a prompt injection vulnerability. And reading about these attacks in a whitepaper is not the same as actually performing one.

AI Goat gives you a real, functional application with real AI vulnerabilities that you can attack, study, and learn to defend. The entire thing runs on your laptop. No cloud bills, no rate limits, no data leaving your machine.

Built by security practitioners

Created by the AI Security Consortium for people who learn best by doing.

Aligned with OWASP LLM Top 10

Every vulnerability maps to the OWASP Top 10 for LLM Applications (2025).

100% local, 100% free

Apache 2.0 licensed. No signup, no cloud, no API keys. Set it up once and you are good to go.

What You Get

Core features of AI Goat

9 Guided Attack Labs

Step-by-step labs covering seven OWASP LLM risk categories. Each lab walks you through the attack, explains what to watch for, and shows how defenses respond at every level.

9 CTF Challenges

Capture-the-flag challenges worth 2,100 total points. Flags are generated using HMAC with per-user secrets, so they cannot be shared, guessed, or found in source code.
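An added example (not AI Goat's own code) of the per-user HMAC flag scheme described above. The master-key handling, the per-user key derivation, the flag format and the challenge identifiers are assumptions, since the page does not give them; the point is that a flag is recomputed from secrets at verification time, so it never exists in source code and one user's flag fails for another.

```python
import hashlib
import hmac
import secrets

# Constructed server-side master key. In a real deployment this would be generated
# once at install time and kept out of the repository, which is what keeps the
# flags from being readable in source code.
MASTER_KEY = secrets.token_bytes(32)


def user_secret(master_key: bytes, user_id: str) -> bytes:
    """Derive a per-user secret from the master key (assumed construction)."""
    label = b"aigoat-user-secret:" + user_id.encode()
    return hmac.new(master_key, label, hashlib.sha256).digest()


def make_flag(master_key: bytes, user_id: str, challenge_id: str) -> str:
    """Flag = HMAC over the challenge id, keyed with the user's own secret.

    Because the key is per-user, alice's flag for a challenge is not bob's flag,
    so sharing a flag between accounts does not work.
    """
    tag = hmac.new(user_secret(master_key, user_id),
                   challenge_id.encode(), hashlib.sha256).hexdigest()
    return "AIGOAT{" + tag[:32] + "}"  # assumed flag format


def verify_flag(master_key: bytes, user_id: str,
                challenge_id: str, submitted: str) -> bool:
    """Recompute the expected flag and compare in constant time.

    Nothing is stored: the server only needs the master key and the ids.
    """
    expected = make_flag(master_key, user_id, challenge_id)
    return hmac.compare_digest(expected.encode(), submitted.encode())


def cross_user_check(master_key: bytes) -> dict:
    """Show the property the page claims: a flag is bound to the user it was issued to."""
    alice_flag = make_flag(master_key, "alice", "lab-01")  # constructed ids
    return {
        "alice_accepts_own": verify_flag(master_key, "alice", "lab-01", alice_flag),
        "bob_accepts_alices": verify_flag(master_key, "bob", "lab-01", alice_flag),
        "wrong_challenge": verify_flag(master_key, "alice", "lab-02", alice_flag),
    }


if __name__ == "__main__":
    print(cross_user_check(MASTER_KEY))
```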

3 Defense Levels

Toggle between no protection (L0), hardened defenses with input/output filtering (L1), and full NeMo Guardrails with Colang rules (L2) to see how each layer stops attacks.

Poisonable Knowledge Base

A document editor connected to a ChromaDB vector store. Inject fake content, sync it, and watch how the AI chatbot trusts poisoned context in its responses.

Fully Local Execution

Runs entirely on your machine using Ollama with the Mistral 7B model. No cloud accounts, no API keys, no subscriptions, and no internet needed once set up.

OWASP LLM Top 10 Aligned

Every vulnerability maps directly to the OWASP Top 10 for LLM Applications (2025), making AI Goat suitable for structured security training and workshops.

Under the Hood

How AI Goat is built

AI Goat is a full-stack application. The frontend is a React e-commerce store. The backend is a FastAPI server handling authentication, the defense pipeline, and challenge evaluation. The AI layer is Ollama running Mistral locally. Everything stays on your machine.

The complete architecture is documented in the AI Goat GitHub repository.

Frontend

React 18 with Material-UI, served on port 3000

Backend

FastAPI (Python) with JWT authentication on port 8000

AI Layer

Ollama running the Mistral 7B model locally

RAG System

ChromaDB for vector storage, sentence-transformers for embeddings

Database

SQLite for users, products, orders, challenges, and telemetry

Defense Pipeline

Multi-stage input/output validation with NeMo Guardrails at Level 2

Who Is It For

Built for people who learn by doing

Security Engineers

Practice LLM vulnerability assessment and red teaming against a realistic AI application

AI/ML Researchers

Study adversarial attacks, defense mechanisms, and alignment failures in a controlled setting

Developers

Understand how AI integrations can be exploited and how to build defensive guardrails

Students

Learn AI security concepts with hands-on exercises aligned to the OWASP framework

OWASP Chapter Leaders

Run AI security workshops with a ready-to-deploy training environment

Read the getting started guide or browse the learning resources to begin.

How It Compares

AI Goat vs other platforms

There are several tools out there that touch on AI security. Here is how AI Goat stacks up against cloud-based and infrastructure-focused alternatives.

Feature          | AI Goat                                                              | Other Platforms
Focus            | Hands-on LLM red teaming with guided attack labs and CTF challenges | Cloud security posture management with AI components
Approach         | You attack a real, vulnerable AI chatbot interactively               | Focuses on cloud misconfigurations involving AI services
Runs Locally     | Yes, fully offline with Ollama                                       | Typically requires cloud infrastructure
OWASP Alignment  | All 10 OWASP LLM Top 10 categories covered with labs                 | Partial coverage
Defense Training | 3 progressive defense levels with NeMo Guardrails                    | Not applicable
CTF Challenges   | 9 challenges with dynamic flags and 2,100 total points               | Not available
Cost             | Completely free, Apache 2.0 licensed                                 | Varies by platform

If you want a practical, playground-based approach to AI security where you directly attack an AI chatbot, exploit prompt injection vulnerabilities, poison RAG knowledge bases, and learn defenses progressively, AI Goat is purpose-built for that.

Get Started

Up and running in minutes

1. Install Ollama, Python 3.11+, and Node.js 18+

2. Clone the repo: git clone https://github.com/AISecurityConsortium/AIGoat.git

3. Run the start script: ./scripts/start.sh

4. Open http://localhost:3000 and log in as alice / password123

5. Head to the Attack Labs and start at Defense Level 0

For Docker setup, hardware requirements, and a walkthrough of your first attack, read the complete setup guide.

Ready to start?

Clone the repo and launch your first attack today.

Join the AI Goat community

AI Goat is built by the community and welcomes contributions. Whether you want to create new attack labs, improve defense mechanisms, write educational content, or design CTF challenges, there is a place for you.