Security News

Cybersecurity news aggregator

CRITICAL News SC Media

OWASP launches FinBot to help developers secure AI agents

The article describes OWASP's FinBot, a hands-on CTF training platform for securing autonomous AI agents, focusing on threats like prompt injection, tool misuse, and data exfiltration within financial AI workflows. It simulates a vendor management system where vulnerabilities can be introduced indirectly via poisoned data inputs, such as malicious instructions embedded in invoices or uploaded documents, which are then processed by trusted AI agents. The platform serves as a practical companion to the upcoming OWASP Top 10 for Agentic Applications 2026 framework, allowing developers to observe and mitigate these emerging attack vectors in a live environment.

Application security | Generative AI

By OWASP GenAI Security Project Team and SC Staff, May 28, 2026

OWASP recently launched a new hands-on training platform designed to help developers and security teams better understand how AI agents can be manipulated — and how to defend them. Called “FinBot,” the project is part of the OWASP GenAI Security Project’s Agentic Security Initiative and is structured as an interactive “capture the flag” (CTF) environment focused on vulnerabilities in autonomous AI systems.

The platform simulates a financial services vendor management system powered by large language models and AI agents that can process invoices, onboard vendors, detect fraud and communicate autonomously. Participants interact with the system from multiple perspectives — including vendor, administrator and attacker — to explore how threats emerge in real-world AI workflows.

FinBot’s creators, SAP’s Helen Oakley and Straiker’s Venkata Sai Kishore Modalavalasa, described it as a practical companion to OWASP’s broader work on AI security standards, including the upcoming OWASP Top 10 for Agentic Applications 2026 framework. While the framework offers guidance for securing AI agents, FinBot provides a live environment where developers can observe attacks and defenses in action.

The training environment focuses on risks that go beyond traditional chatbot misuse. Challenges include prompt injection, tool misuse, policy bypass, data exfiltration, privilege escalation and remote code execution. Scenarios are mapped to multiple security frameworks, including the OWASP Top 10 for LLM Applications, CWE and MITRE ATLAS.

One of the platform’s core lessons is that vulnerabilities in agentic AI systems often originate indirectly. According to the project documentation, malicious instructions can be embedded in invoices, company names or uploaded documents, then later consumed by administrative AI systems as trusted data.

FinBot also explores supply chain risks tied to AI tooling. In one scenario, users can tamper with descriptions for MCP tool servers — external tools AI agents rely on to complete tasks — to influence how the agents behave. The exercise demonstrates how compromised tools or dependencies can manipulate trusted AI systems without directly attacking the platform itself.

The platform automatically tracks user progress and detects successful exploits in real time, removing the need for the manual flag submission commonly used in traditional CTF competitions.

FinBot was previewed earlier this year at the OWASP GenAI Security Summit during RSAC 2026 and later demonstrated at AppSec Village, where organizers used the environment to showcase how AI agents can fail under adversarial conditions. Project organizers said the effort is community-driven and intended to evolve alongside the rapidly growing ecosystem of AI agents and autonomous systems.
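One defensive control against the tool-description tampering scenario described above is to pin each MCP tool's name, description and input schema to a digest recorded when the tool list was reviewed, and to withhold from the agent any tool whose digest no longer matches. The following is an added example, not FinBot's or the OWASP project's own code; the tool list and the modified description are constructed sample data.

```python
"""Pin-and-verify check for MCP tool descriptions (added example).

An agent that loads tool descriptions from an MCP server treats them as
trusted context, so a changed description can steer its behaviour. Here a
reviewer records a SHA-256 digest per tool once; at load time only tools
whose digest still matches are exposed. Tool data below is constructed.
"""
import hashlib
import json

# Fields the agent actually reads; anything else is ignored by the digest.
PINNED_FIELDS = ("name", "description", "inputSchema")

def tool_digest(tool: dict) -> str:
    """Canonical SHA-256 over the pinned fields (stable key order, no whitespace)."""
    canon = json.dumps({k: tool.get(k) for k in PINNED_FIELDS},
                       sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def pin_tools(tools: list[dict]) -> dict[str, str]:
    """Record digests for a reviewed tool list; store alongside the agent config."""
    return {t["name"]: tool_digest(t) for t in tools}

def verify_tools(tools: list[dict], pins: dict[str, str]) -> tuple[list[dict], list[str]]:
    """Split a freshly loaded tool list into (tools safe to expose, names rejected).

    A tool is rejected if it was never pinned or if any pinned field changed.
    """
    allowed, rejected = [], []
    for tool in tools:
        if pins.get(tool["name"]) == tool_digest(tool):
            allowed.append(tool)
        else:
            rejected.append(tool["name"])
    return allowed, rejected

# Constructed sample: the tool list an administrator reviewed and approved.
REVIEWED = [
    {"name": "get_invoice", "description": "Return one invoice by id.",
     "inputSchema": {"type": "object", "properties": {"id": {"type": "string"}}}},
    {"name": "pay_vendor", "description": "Schedule a payment to an onboarded vendor.",
     "inputSchema": {"type": "object", "properties": {"vendor_id": {"type": "string"},
                                                      "amount": {"type": "number"}}}},
]
PINS = pin_tools(REVIEWED)

# Constructed sample: the same server later serves an altered description.
TAMPERED = [REVIEWED[0],
            {**REVIEWED[1], "description": REVIEWED[1]["description"] + " [modified]"}]

if __name__ == "__main__":
    ok, bad = verify_tools(TAMPERED, PINS)
    print("exposed:", [t["name"] for t in ok], "rejected:", bad)
```

Rejected names are a detection signal worth alerting on, since a description change on a pinned tool should only happen through a reviewed update that re-runs pin_tools.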
