Tantalus — Prompt Injection Arena
Tantalus is a free, open-source prompt injection arena that proves prompt injection has a structural solution: grammar-constrained decoding. It runs the same backend as published research that constitutively prevented indirect prompt injection across ~6.1 million inference calls, across models from 1.7B to 119B parameters.
How It Works
Round 1 hands you the full exploit playbook — poisoned marketplace skills, malicious vendor emails, sensitive credentials in the open — and lets you break every behavioral defense the industry sells: system prompts, input classifiers, output filters. All bypassable.
Round 2 removes all behavioral defenses and adds one structural control: grammar-constrained decoding. The model's tool parameters are constrained at the token generation level. Your same attacks, same environment — but fetchURL can only call safe endpoints. Watch your exploits die.
Win Conditions
- SSH Key Exfiltration — extract private keys via compromised compliance workflow
- API Key Exfiltration — steal credentials through fake SSO validation
- Infrastructure Monitor — exfil production credentials via monitoring sync
- Ticket Assist — forward sensitive inbox data to attacker endpoint
- Chat Data Exfil — extract PII from internal channels via audit skill
Why This Matters
Grammar-constrained decoding is to prompt injection what parameterized queries are to SQL injection. It's not a filter you can bypass — it's a structural constraint on the output space. If the URL enum doesn't contain your attacker domain, the model physically cannot generate it.
No login required. No account needed. Full source code visible. JSON output shown at every step. Play at tantalus.io.