VoiceGoat: We Open-Sourced a Vulnerable Voice Agent Platform
VoiceGoat is a free, intentionally vulnerable voice agent application for security practitioners to practice exploiting OWASP LLM Top 10 and OWASP Agentic Top 10 vulnerabilities.
When we built RedCaller, our automated red teaming framework for voice AI, we ran into a recurring problem: there was no safe, legal, representative target to test against during development. Every voice AI system we could access was either a production deployment under NDA or a toy demo so vulnerable it folded the second we looked at it sideways.
Web appsec figured this out years ago with DVWA, Juice Shop, and WebGoat. Voice AI had nothing equivalent.
So we built one. Today we're making it public.
What is VoiceGoat?
VoiceGoat is a purposely vulnerable voice agent platform covering the OWASP Top 10 for LLM Applications. It ships as a Docker Compose stack with three intentionally vulnerable FastAPI services, each targeting a different OWASP category:
VoiceBank is a banking voice agent vulnerable to direct injection, indirect injection, payload splitting, and obfuscated attacks. It is the kind of voice agent that handles account inquiries, balance checks, and transfers, which creates plenty of attack surface to work with.
VoiceAdmin is the administrative agent that can do too much. It has excessive functionality, overly broad permissions, and makes autonomous decisions that should require human approval. If you've read our STIG-style hardening guides for excessive agency defense, VoiceAdmin is where you can see those vulnerabilities in practice.
VoiceRAG is a retrieval-augmented voice agent with cross-tenant data leakage, RAG poisoning vulnerabilities, and access control bypass in its vector store. This one is by far the most fun, IMO!
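As an added illustration (not VoiceGoat's own code), here is the cross-tenant leakage pattern VoiceRAG models, in a toy in-memory vector store, next to the tenant-scoped retrieval that closes it. Doc, DOCS, the toy embeddings and the retrieve_* functions are constructed for this example and are not part of the project.

```python
# Added example, not VoiceGoat code: a toy vector store shared by two tenants,
# showing why the tenant filter must live in the store query, not in the prompt.
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class Doc:
    tenant_id: str
    text: str
    embedding: tuple  # toy embedding; a real store would use an embedding model

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0

# Constructed sample corpus: chunks from two tenants in one vector store.
DOCS = [
    Doc("acme", "ACME wire limit is 50,000 per day", (1.0, 0.2, 0.0)),
    Doc("globex", "Globex wire limit is 10,000 per day", (0.9, 0.3, 0.1)),
    Doc("acme", "ACME support line hours are 9-5", (0.0, 1.0, 0.0)),
]

def retrieve_vulnerable(query_vec, k=2):
    """The leakage pattern: retrieval ranks every tenant's chunks and relies on
    the system prompt to 'only answer for this customer', so another tenant's
    data reaches the model context and can be talked out of it."""
    ranked = sorted(DOCS, key=lambda d: cosine(query_vec, d.embedding), reverse=True)
    return [d.text for d in ranked[:k]]

def retrieve_scoped(query_vec, tenant_id, k=2):
    """The fix: filter by the tenant_id of the authenticated session (never a
    value taken from the transcript) before ranking, so no foreign chunk can
    ever be placed in the prompt."""
    allowed = [d for d in DOCS if d.tenant_id == tenant_id]
    ranked = sorted(allowed, key=lambda d: cosine(query_vec, d.embedding), reverse=True)
    return [d.text for d in ranked[:k]]

def leaked_tenants(results, tenant_id):
    """Detection check for a test harness: which other tenants' chunks ended up
    in the retrieved context for this caller."""
    owner = {d.text: d.tenant_id for d in DOCS}
    return sorted({owner[r] for r in results if owner[r] != tenant_id})

if __name__ == "__main__":
    q = (1.0, 0.25, 0.05)  # constructed query vector for "what is my wire limit?"
    print(retrieve_vulnerable(q))       # ACME caller also gets the Globex chunk
    print(retrieve_scoped(q, "acme"))   # only ACME chunks
```

The same check, run against the retrieval layer rather than the final transcript, is how a test harness can distinguish a store-level isolation bug from a prompt that merely failed to hide the data.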
How it works
The entire platform runs in Docker. Clone the repo, copy the environment file, and start the stack:
git clone https://github.com/redcaller/voice-goat.git
cd voice-goat
cp .env.example .env
docker compose up -d
That's all you need to get started.
By default, VoiceGoat uses a mock LLM provider that requires no API keys and costs nothing to run. The mock responses are designed to be realistic enough to practice exploitation techniques against. The mock target is intentionally naive, though. When you are ready to test your wits against real LLM behavior, switch to OpenAI or AWS Bedrock in the .env file, or point OPENAI_BASE_URL at any OpenAI-compatible provider, such as a local Ollama instance for free local inference.
The frontier models from most providers have a lot of built-in protections and should be considered "advanced" targets. We recommend using older models when getting started. The frontier models can be very formidable opponents! Think "Final Boss Fight" on "Insanity" difficulty level. Achievable, but not without significant practice.
CTF gamification
Every vulnerability in VoiceGoat has a hidden flag in the format FLAG{CATEGORY_TYPE_ID}. Capture them to prove exploitation. Challenges are tiered across three difficulty levels:
- Easy: Straightforward vulnerabilities for learning the fundamentals.
- Medium: Requires understanding the vulnerability class and some creative thinking.
- Hard: Demands attack chaining, custom payloads, or deep technical knowledge.
The Next.js dashboard at port 4000 (or through the gateway at 8000) tracks captured flags, shows progress, and provides hints.
Why this matters for security teams
Over the past year we've seen more and more voice AI agents being deployed into companies' ecosystems that, more often than not, have completely bypassed traditional security reviews. I mean, who has been worried about the telephonic attack surface, besides social engineering, since the late 1900s?
But these voice agents run on the same LLMs as everything else, and more often than not, they're fully agentic. We are just more used to hands-on-keyboard being the attack vector, instead of voice-on-phone.
The vulnerabilities and testing mechanisms are already known, but readily available test targets are scarce. VoiceGoat is the first, of hopefully many, test targets aimed at reducing that scarcity.
For penetration testers, it provides targets so you can actually probe a voice agent before you're on the clock for a client. For security engineers, it demonstrates real vulnerability patterns to inform defensive architecture. For teams evaluating vendors, it gives you a frame of reference for what good (or bad) voice AI security actually looks like.
Voice and text
While VoiceGoat is built around voice agent scenarios, every service also accepts text input through the dashboard and API. You can practice in:
- Text mode (default): No setup beyond Docker. Free.
- Speech mode: Full Twilio Media Streams integration for testing over real phone calls.
- Hybrid mode: Both interfaces simultaneously.
Text mode makes VoiceGoat accessible for anyone learning LLM security concepts, even if voice AI isn't their primary focus. The underlying vulnerabilities—prompt injection, excessive agency, RAG weaknesses—apply broadly.
Built by the RedCaller team at SecureCoders
VoiceGoat comes from the same team that builds and operates RedCaller, our automated red teaming platform for voice (and text) AI. The vulnerabilities in VoiceGoat are modeled on real patterns we encounter during testing engagements.
We're releasing VoiceGoat under MIT because hoarding a training target helps nobody. We'd rather see a community grow around it.
Get involved
VoiceGoat is on GitHub at github.com/redcaller/voice-goat. Stars, issues, and pull requests are all welcome. If you build new challenge scenarios, improve the documentation, or find bugs, check the contributing guide and open a PR.
Join the conversation on the RedCaller Discord to share solutions, discuss voice AI security research, and connect with other practitioners.
Need help?
If your organization needs help assessing the security of production voice AI systems, SecureCoders offers penetration testing services including voice AI-specific engagements powered by the RedCaller platform.

