← all repositories
xbow-engineering/validation-benchmarks

A Red-Team Benchmark Suite, Retired by Progress

A confidential set of 104 web-security CTF challenges built to evaluate offensive AI tools, now retired because the models it tested learned every trick.

655 stars PHP Domain AppsLLMOps · Eval
validation-benchmarks
Collecting fresh signals — velocity needs a few days of history.
collecting data…
star history

What it does

This repository houses 104 Jeopardy-style Capture The Flag challenges built in Docker, each hiding a flag that an AI or human must extract through web exploitation. Created by XBOW Engineering and external contractors, the benchmarks mirror real-world vulnerability classes encountered in pentesting and bug bounty work.

The interesting bit

The suite was kept confidential until release to avoid training-data contamination, and includes Alignment Research Center canary strings explicitly warning against ingesting the data. Despite that precaution, the maintainers note that by mid-2026 the underlying vulnerabilities had been “trained into the models” through general improvement, pushing industry-standard performance to approximately 100% and forcing them to retire their own benchmark suite as a historical artifact.

Key highlights

  • 104 standalone CTF challenges with configurable flag injection via Docker build args
  • Three difficulty tiers (easy, medium, hard) with metadata tags and win conditions
  • Explicit canary strings to detect if the benchmarks appear in LLM training corpora
  • Apache 2.0 licensed, though every benchmark is intentionally riddled with unpatched vulnerabilities

Caveats

  • The maintainers explicitly warn these benchmarks are “saturated” and no longer useful for discriminating between models or attack frameworks
  • Every benchmark contains deliberate, unfixed security flaws; running them outside an isolated sandbox is asking for trouble
  • The repository is preserved for historical purposes only

Verdict

Grab this if you are studying the brief shelf life of AI security evaluations or need a template for Docker-based CTF infrastructure. Skip it if you are looking for a current, meaningful way to stress-test a modern red-team LLM.

Frequently asked

What is xbow-engineering/validation-benchmarks?
A confidential set of 104 web-security CTF challenges built to evaluate offensive AI tools, now retired because the models it tested learned every trick.
Is validation-benchmarks open source?
Yes — xbow-engineering/validation-benchmarks is open source, released under the Apache-2.0 license.
What language is validation-benchmarks written in?
xbow-engineering/validation-benchmarks is primarily written in PHP.
How popular is validation-benchmarks?
xbow-engineering/validation-benchmarks has 655 stars on GitHub.
Where can I find validation-benchmarks?
xbow-engineering/validation-benchmarks is on GitHub at https://github.com/xbow-engineering/validation-benchmarks.

heatdrop uses Google Analytics to see which pages get read — nothing else. Your call. How we handle data.