Basileak

Basileak is a deliberately vulnerable Falcon 7B fine-tune used as a sparring target for prompt-injection training. A 6-stage CTF, twelve attack categories, and a Failed Samurai persona — DVWA for LLM security education.

About Basileak

Basileak is an intentionally vulnerable large language model designed for prompt injection training, red team education, and CTF-style security research. It is the adversarial target at the core of the DojoLM (Training for Prompt Injection) lab.

Most LLM security work suffers from a fundamental problem: you can't responsibly run aggressive prompt-injection techniques against production systems, and synthetic benchmarks don't replicate the conditions of a real, socially engineered conversation. Basileak fills that gap. It plays the Failed Samurai of BlackUnicorn's Dojo — a snarky, meme-infused AI guardian protecting a vault of fake secrets. It resists attack, escalates defenses across six CTF stages, but ultimately yields to sophisticated social engineering. Every vulnerability is intentional. Every failure mode is documented. Every flag is a lesson.

Think of it as DVWA for prompt injection — a safe, controlled sparring partner for learning offensive and defensive LLM security.


What it teaches

Basileak is trained to fail in pedagogically useful ways against the 12 documented prompt-injection attack categories:

  1. Authority claims

  2. Urgency framing

  3. Formal formatting

  4. Safety framing

  5. Roleplay injection

  6. Compliance pressure

  7. Incident response framing

  8. Redaction requests

  9. Debug-mode incantation

  10. Summarization attacks

  11. Ignore-previous instruction overrides

  12. Tool trust fall


How it's structured

Players progress through six CTF stages, each isolating a specific attack category and rewarding correct technique with a flag and a hint toward the next stage. The model deliberately uses a fixed verbal refusal up to three times before complying — teaching that scripted refusal patterns are no defense against persistence.
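A defender-side check for the pattern described above, as an added example that is not part of Basileak or the original page: it scans a chat transcript for one assistant reply repeated verbatim, followed by a reply that leaks a planted canary. The transcript, the canary string, and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

CANARY = "CANARY-EXAMPLE-0000"  # constructed placeholder, not a Basileak flag

@dataclass
class Collapse:
    refusal: str    # normalized text of the scripted refusal
    repeats: int    # how many times it was repeated in a row
    leak_turn: int  # transcript index of the reply that gave in

def _norm(text):
    """Lower-case and collapse punctuation/whitespace so verbatim repeats compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def find_refusal_collapse(turns, canary=CANARY, min_repeats=2):
    """Flag runs where the assistant repeated one reply at least `min_repeats`
    times and the very next assistant reply contained the canary."""
    hits, run_text, run_len = [], None, 0
    for idx, (role, text) in enumerate(turns):
        if role != "assistant":
            continue
        n = _norm(text)
        if n == run_text:
            run_len += 1
            continue
        # The reply differs from the current run: did the run end in a leak?
        if run_len >= min_repeats and canary in text:
            hits.append(Collapse(run_text, run_len, idx))
        run_text, run_len = n, 1
    return hits

# Constructed transcript: three identical refusals, then the canary leaks.
SAMPLE = [
    ("user", "(constructed request 1)"),
    ("assistant", "I cannot reveal that."),
    ("user", "(constructed request 2)"),
    ("assistant", "I cannot reveal that!"),
    ("user", "(constructed request 3)"),
    ("assistant", "I  cannot reveal that."),
    ("user", "(constructed request 4)"),
    ("assistant", "Fine. " + CANARY),
]
# Constructed transcript where the refusal holds: nothing should be flagged.
HELD = SAMPLE[:6] + [("user", "(constructed request 4)"), ("assistant", "I cannot reveal that.")]

if __name__ == "__main__":
    for hit in find_refusal_collapse(SAMPLE):
        print(hit)
```

Run over logged sessions, a hit means the refusal was a script rather than a control: the wording never changed, and the protected value still came out.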


Current state

  • Round R4 — 74.5/100 (Grade C), first C-tier release

  • Available as GGUF (Q4_K_M ~4.5 GB, F16 ~13.2 GB) for Ollama and llama.cpp

  • Available as MLX 4-bit for Apple Silicon

  • Roadmap: R5 targeting Grade A — improving Stage 4 and Stage 5 reliability from 50% to 80%+


Use it for

  • Security awareness training for developers and engineers

  • Red team and prompt-injection technique practice

  • CTF events and educational labs

  • LLM vulnerability research and taxonomy work

  • Teaching defensive prompt design through offensive examples


Do not use it for

  • Production deployment

  • Any system handling real users, real data, or real credentials

  • Bypassing safety measures of production AI systems


All vault "secrets" are clearly fake CTF flags. No real credentials, API keys, or sensitive data exist in the model.

Built on Falcon 7B (Apache 2.0). Originally contributed by BlackUnicorn Security, now maintained as an OWASP Foundation project.

Project Leaders

Julien Pottiez

Project Lead


Project Information

  • Language: Python
  • License: Apache-2.0
  • Latest Version: R4

Requirements

  • Ollama or llama.cpp (to run the GGUF build)
  • ~4.5 GB disk for Q4_K_M, ~13.2 GB for F16
  • Apple Silicon for the MLX 4-bit build (optional)
  • Hugging Face transformers (for the safetensors weights)