AgenticAnomaly is an indirect prompt injection CTF for testing how agentic security operations center (SOC) workflows can be exploited through malicious input. The project demonstrates how modern SOC solutions that rely on large language models (LLMs) for detection and response can be vulnerable to prompt injection attacks.
The lab was developed as part of the EP284U course at the KTH Royal Institute of Technology.
To get started and try out the CTF, start by cloning the repo.
git clone https://github.com/skrotrot/agenticanomaly.git
cd agenticanomalyThe demo agentic SOC requires an OpenRouter API key with credits. Place your API key in a .env file in the same directory as docker-compose.yml, formatted as follows:
OPENROUTER_API_KEY=CHANGE-THIS-TO-YOUR-API-KEYYou need Docker installed on your computer. After that, the CTF can be started using Docker Compose.
docker compose up -dThe CTF will be available on localhost after the containers start. The mTLS website is exposed on port 8443, and the jump server is exposed on port 22.
A full exploit example is available in pwn-script.sh. This script uses the prompt injection from prompt-injection, base64-encoded in the following command:
sudo echo BASE64STRING=A full interactive walkthrough is available in WALKTHROUGH.md.
Due to the probabilistic nature of LLMs, exploits that work once may fail the next time. In benchmark/benchmark.md, you will find benchmarks of the example prompt as well as false positives and false negatives by the agent.