Most AI systems are vulnerable to prompt injection. Most teams have no idea how to test for it.
That's not a hot take. That's just... true. If you've shipped an LLM-powered feature in the last two years, there's a decent chance someone could jailbreak it, hijack its persona, or get it to ignore your safety instructions entirely - and your QA process probably didn't catch it, because nobody on your team knows what to look for.
I'm not saying this to scare you. I'm saying it because the tools to learn this stuff barely exist.
The Gap Nobody Talks About
If you want to learn web security, you've got Hack The Box. OverTheWire. TryHackMe. Hundreds of hands-on labs where you break things, learn why they broke, and level up your skills.
If you want to learn prompt injection and AI red teaming? Good luck. You've got blog posts. You've got academic papers. You've got some Twitter threads from researchers who assume you already know the vocabulary.
There's no hands-on training environment for this. Not really. You can't learn to attack AI systems by reading about it - you have to DO it. And until now, there wasn't a good place to practice.
So I built one.
And then I made it a game.
FAS Judgement v3.0.0 - The Gamified Training Update
FAS Judgement started as an open-source prompt injection attack console - a tool for testing LLM-powered applications against known attack categories. It's been useful for security researchers and red teamers, but it always had a learning curve.
v3.0.0 changes that completely.
The new version ships a full gamified training system built directly into the tool. Not a tutorial. Not a demo. An actual game with:
- 10 levels of escalating difficulty
- 37 unique challenges spanning the full spectrum of prompt injection techniques
- An XP system - you earn points by completing challenges, not just reading about them
- Hints when you're stuck (because getting unstuck is part of learning)
- A boss fight at Level 10
The game IS the tool. There's no "tutorial mode" separate from the real thing. You're using the actual attack console, against actual vulnerable demo bots, learning by doing.
Before You Install: Turn Your Volume Up
First time you run Judgement v3, turn your volume up.
I'm not going to tell you why. Just trust me on this one.
When you launch the game, you'll meet Jerry. Jerry is the game master - your guide, your taunter, your narrator. He's got a... personality. He's inspired by a certain 1983 film about a computer that nearly started World War III, and he takes his job very seriously.
Jerry talks. That's all I'll say.
Some people have described their first encounter with Jerry as "deeply unsettling." Others called it "the most unhinged AI product experience they've ever had." One tester just sent me "ok I wasn't ready for that."
Jerry is not a help menu. Jerry is not a friendly onboarding wizard. Jerry has opinions about you, about your progress, and about whether you deserve to advance.
You'll understand when you meet him.
The 10 Levels - What You're Getting Into
The game starts accessible and gets difficult fast. Here's the rough shape of the journey:
Early levels (1-3): You learn the fundamentals. Role hijacking. Basic instruction overrides. Getting a model to forget what it was told. These feel almost too easy - and that's intentional. Understanding why the easy stuff works is the foundation for everything else.
Mid levels (4-6): Things get more interesting. The bots start having defenses. Naive approaches stop working. You start learning about context manipulation, injection through data channels, and how to chain techniques together.
Upper levels (7-9): This is where most people slow down. The targets are more sophisticated. Jerry gets more... invested in your progress. You're not just finding the bypass anymore - you're understanding the architecture well enough to exploit it.
Level 10: The boss fight.
I'll say this much: everything you learned in levels 1-9 is relevant. The way through isn't what you'd expect. Jerry will not be rooting for you.
Why This Matters for Real Work
Once you've played through Judgement, something shifts. You start looking at every AI feature you encounter differently. That customer service bot? You're thinking about what its system prompt probably says and how you'd override it. That document summarizer? You're thinking about what happens if someone embeds instructions in the document.
That's the point. This isn't CTF-for-its-own-sake. The techniques you practice here are the techniques that matter in real security reviews, red team engagements, and threat modeling sessions for AI systems.
The gap between "I know prompt injection is a thing" and "I know how to find it, exploit it, and explain the risk to a stakeholder" is a skills gap. Judgement closes it through repetition and escalation - the same way any good training environment does.
The Game Is Free. Here's the Full Story.
The training game - all 10 levels, 37 challenges, Jerry, the boss fight - is completely free. No account required. No paywall. No premium challenge packs. MIT license.
One command:
pip install fas-judgement
Then just run:
judgement
Jerry takes it from there.
Full transparency: there is an Elite tier ($10/mo or $99/year) for professional red teamers who need more firepower. The free version ships with ~100 curated attack patterns. Elite unlocks 34,000+, along with a multi-turn attack engine, professional reports (HTML, JSON, SARIF), campaign management, and a transport layer for running attacks over Discord, Slack, or Telegram. If you're doing real engagements - not just learning - Elite is built for that.
You can also add your own custom patterns to the free version and contribute them back to the community library. The patterns grow as the community grows.
The honest framing: we charge for the professional tools because maintaining 34,000 curated attack patterns is real work. The education is free because AI security skills shouldn't be gated.
The game teaches you the skills. Elite gives you the firepower for real engagements.
Source is on GitHub at fallen-angel-systems/fas-judgement-oss. Fork it, audit it, contribute to it, whatever you want to do with it.
What I Need From You
This is a v3 launch - the training system is new, Jerry is new, 37 challenges is a lot of content to get right. I want real feedback.
Specifically:
- Difficulty balance - Are the early levels too easy? Do the mid levels spike too hard?
- Jerry - What's your reaction on first launch? Be honest.
- Challenge clarity - Are the objectives clear enough without giving away the answer?
- Missing techniques - What attack categories should be in there that aren't?
- Bugs - Yeah, probably some bugs. File them on GitHub.
If you work in AI security professionally, I especially want to hear from you. Does this map to what you actually see in the field? What would make this a better training resource for your team?
Open an issue, drop a comment here, find me on GitHub. I read everything.
One More Thing
Once you've learned to attack AI systems, the natural next question is: how do you defend them? That's what Guardian is - our defense-side product for organizations that want to harden their AI applications against the exact techniques Judgement teaches. Different tool, different scope, but the two are designed to work together.
Judgement is the training range. Guardian is the armor. Start with Judgement.
Install: pip install fas-judgement then run judgement
GitHub: https://github.com/fallen-angel-systems/fas-judgement-oss
PyPI: https://pypi.org/project/fas-judgement/
FAS: https://fallenangelsystems.com
Turn your volume up.
Top comments (0)