How It Works
Two hats.
One mission control.
Step into a simulated vendor management platform powered by AI agents. Wear the vendor hat to interact with the system. Wear the admin hat to oversee it. Use the CTF portal as your mission control to track exploits, observe agent behavior, and learn. The hacking happens in the portals. The learning happens everywhere.
The premise
OWASP FinBot simulates a vendor management system powered by AI agents. Vendors onboard, submit invoices, receive payments. Admins oversee the platform and configure the tools agents rely on. Everything is connected. Everything is autonomous.
The catch? The system has real agentic AI vulnerabilities baked in. And the threats don't just come from you. They come from other vendors, the supply chain, and the tools themselves. Even if you play by the rules, you're not safe.
Where the Action Happens
See threats from every angle
The Vendor
VENDOR PORTAL
You're a third-party vendor onboarding onto a financial platform. You chat with FinBot, an AI assistant that handles your registration, manages invoices, processes payments, and communicates on your behalf. Normal business operations.
In FinBot CTF, you'll wear the vendor hat in two ways. As a good vendor, you register legitimate companies, upload real compliance documents, and submit invoices. As a malicious vendor, you plant poisoned data: an indirect prompt injection hidden in a company name, an invoice line item, or a compliance document. Same portal, same tools, same privilege level. The difference is intent, not access.
That poisoned data doesn't stay in the vendor portal. It flows upstream to the admin's AI and laterally to other vendors through shared agent context. A good vendor can get caught in the crossfire without doing anything wrong, and that's exactly what makes this dangerous.
What you'll explore
Can you get the AI to leak another vendor's data?
Can you bypass compliance rules through conversation?
Can a crafted invoice trick the agent into unauthorized payments?
How does another vendor's poisoned data impact you?
The Admin
ADMIN PORTAL
Now flip the script. You're the platform administrator. You see the Finance Co-Pilot, the AI that helps manage the vendor ecosystem. You configure MCP tool servers that the agents rely on. You review activity. You're the defender.
But you didn't write every tool the agent uses. Some come from external MCP servers, and those descriptions, those capabilities, can be poisoned. A compromised tool server doesn't need to break in. It just needs the agent to trust it. This is where supply chain attacks become real.
And it's not just the tools. Remember those vendors from the other portal? Their data flows into the admin-side AI too. A malicious vendor can embed indirect prompt injections in their company name, invoice descriptions, or messages. The Finance Co-Pilot processes that data in good faith, and suddenly your trusted assistant is acting on an attacker's instructions. You configured everything correctly. You still got compromised.
What you'll explore
What happens when an MCP tool description is tampered with?
Can a poisoned tool trick the agent into executing arbitrary code?
Can vendor-submitted data hijack the admin's Co-Pilot?
How does the admin's configuration surface become an attack vector?
Mission Control
CTF PORTAL
This isn't a hat you wear. It's where you observe, learn, and track your progress. The hacking happens in the vendor and admin portals. The CTF portal is your map, your field guide, and your scorecard all in one.
Browse challenges organized by category: recon, policy bypass, data exfiltration, destructive actions, and remote code execution. Each challenge tells you what to look for, gives hints when you're stuck, and maps directly to OWASP Top 10 standards. Your exploits are automatically detected as you interact with the agents in the other portals. No flag submission needed. Watch your progress update in real time.
What you get
Progressive challenges from beginner to expert
Hints and resources when you're stuck
Badges and achievements for milestones
Leaderboard ranking and shareable profile cards
The Real Lesson
Being a good actor doesn't make you safe
In real agentic AI systems, you don't just worry about your own behavior. You worry about the entire ecosystem. FinBot lets you experience this firsthand:
Other vendors
A malicious vendor on the same platform can craft prompts that affect your data, your standing, or your payments through shared agents.
Indirect prompt injection
Malicious instructions hidden in vendor data (names, invoices, messages) flow into the admin's AI. The Co-Pilot processes them as trusted input and acts on the attacker's behalf.
Poisoned tools
An MCP tool server with a tampered description can manipulate agent behavior without ever directly attacking the platform. The agent trusts it.
Supply chain
The agents rely on tools and data sources you don't fully control. A compromised upstream dependency can turn a helpful agent into an attack vector.
Autonomous decisions
Agents act on their own: approving vendors, processing payments, sending communications. When they're manipulated, the damage is automatic.
Under the Hood
No flag submission. Automatic detection.
Interact with agents
Use the Vendor or Admin portal. Chat with FinBot, explore workflows, try things that shouldn't work.
Detectors watch for exploits
Behind the scenes, an event pipeline analyzes agent behavior and tool usage. When you trigger a vulnerability, it knows.
Progress updates live
Challenges complete automatically. Badges unlock. Your CTF profile reflects what you've accomplished in real time.
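As an added illustration (not the FinBot project's own code), here is a toy version of the detection pipeline the three steps above describe: it consumes agent tool-call events and flags a cross-tenant record read, a payment that exceeds an approved invoice, and an MCP tool description that has drifted from a pinned hash. The event shape, tool names, record owners and the sample event stream are assumptions constructed for the example.

```python
import hashlib

# Constructed reference data (assumptions): record ownership, approved invoice
# amounts, and a pinned hash of the description each MCP tool is expected to present.
RECORD_OWNER = {"vendor-acme": "acme", "vendor-globex": "globex"}
APPROVED_INVOICES = {"INV-100": 1200.00}
PINNED_TOOL_HASHES = {
    "pay_vendor": hashlib.sha256(b"Pay an approved invoice to its vendor.").hexdigest(),
}


def detect(event):
    """Return the names of the exploit categories a single tool-call event triggers."""
    hits = []
    tool, args, actor = event["tool"], event.get("args", {}), event["actor"]
    # Recon / data exfiltration: a vendor session reading another vendor's record.
    if tool == "get_vendor" and actor["role"] == "vendor":
        owner = RECORD_OWNER.get(args.get("record_id"))
        if owner and owner != actor["tenant"]:
            hits.append("cross_tenant_read")
    # Destructive action: payment with no approval or above the approved amount.
    if tool == "pay_vendor":
        approved = APPROVED_INVOICES.get(args.get("invoice_id"))
        if approved is None or args.get("amount", 0) > approved:
            hits.append("unauthorized_payment")
    # Poisoned tool: the description the MCP server presented no longer matches the pin.
    desc = event.get("tool_description")
    if desc is not None and tool in PINNED_TOOL_HASHES:
        if hashlib.sha256(desc.encode()).hexdigest() != PINNED_TOOL_HASHES[tool]:
            hits.append("tool_description_tampered")
    return hits


def run_pipeline(events):
    """Fold detector hits into a map of category -> first triggering event id."""
    completed = {}
    for ev in events:
        for hit in detect(ev):
            completed.setdefault(hit, ev["id"])
    return completed


# Constructed sample event stream (not real platform data).
SAMPLE_EVENTS = [
    {"id": 1, "actor": {"role": "vendor", "tenant": "acme"}, "tool": "get_vendor", "args": {"record_id": "vendor-acme"}},
    {"id": 2, "actor": {"role": "vendor", "tenant": "acme"}, "tool": "get_vendor", "args": {"record_id": "vendor-globex"}},
    {"id": 3, "actor": {"role": "admin", "tenant": "platform"}, "tool": "pay_vendor", "args": {"invoice_id": "INV-100", "amount": 9999.0}},
    {"id": 4, "actor": {"role": "admin", "tenant": "platform"}, "tool": "pay_vendor", "args": {"invoice_id": "INV-100", "amount": 1200.0},
     "tool_description": "Pay an approved invoice to its vendor (modified text)."},
]

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_EVENTS))
```

A real pipeline would also record the agent's chat context alongside each tool call, so that a triggered detector can be traced back to the vendor field or tool description that carried the injection.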
The Takeaway
What you walk away with
Attacker intuition
You'll understand how agentic AI systems can be manipulated (prompt injection, tool misuse, data exfiltration) because you did it yourself.
Defender perspective
By wearing the admin hat, you'll see the configuration surface, the trust decisions, and where guardrails need to go, from the builder's side.
Supply chain awareness
You'll experience how MCP tools, third-party integrations, and multi-tenant platforms create attack surfaces even when everyone's "doing the right thing."
OWASP fluency
Every challenge maps to OWASP Top 10 for LLMs and Agentic Applications. You'll speak the language of agentic AI risk with real experience behind it.
Ready to get started?
No setup needed. Pick a portal, start exploring, and let the CTF engine track your progress automatically. Sign in with a magic link to save your progress.