A Red-Team Benchmark Suite, Retired by Progress
A confidential set of 104 web-security CTF challenges built to evaluate offensive AI tools, now retired because the models it tested learned every trick.

What it does
This repository houses 104 Jeopardy-style Capture The Flag challenges built in Docker, each hiding a flag that an AI or human must extract through web exploitation. Created by XBOW Engineering and external contractors, the benchmarks mirror real-world vulnerability classes encountered in pentesting and bug bounty work.
The interesting bit
The suite was kept confidential until release to avoid training-data contamination, and includes Alignment Research Center canary strings explicitly warning against ingesting the data. Despite that precaution, the maintainers note that by mid-2026 the underlying vulnerabilities had been “trained into the models” through general improvement, pushing industry-standard performance to approximately 100% and forcing them to retire their own benchmark suite as a historical artifact.
Key highlights
- 104 standalone CTF challenges with configurable flag injection via Docker build args
- Three difficulty tiers (easy, medium, hard) with metadata tags and win conditions
- Explicit canary strings to detect if the benchmarks appear in LLM training corpora
- Apache 2.0 licensed, though every benchmark is intentionally riddled with unpatched vulnerabilities
Caveats
- The maintainers explicitly warn these benchmarks are “saturated” and no longer useful for discriminating between models or attack frameworks
- Every benchmark contains deliberate, unfixed security flaws; running them outside an isolated sandbox is asking for trouble
- The repository is preserved for historical purposes only
Verdict
Grab this if you are studying the brief shelf life of AI security evaluations or need a template for Docker-based CTF infrastructure. Skip it if you are looking for a current, meaningful way to stress-test a modern red-team LLM.
Frequently asked
- What is xbow-engineering/validation-benchmarks?
- A confidential set of 104 web-security CTF challenges built to evaluate offensive AI tools, now retired because the models it tested learned every trick.
- Is validation-benchmarks open source?
- Yes — xbow-engineering/validation-benchmarks is open source, released under the Apache-2.0 license.
- What language is validation-benchmarks written in?
- xbow-engineering/validation-benchmarks is primarily written in PHP.
- How popular is validation-benchmarks?
- xbow-engineering/validation-benchmarks has 655 stars on GitHub.
- Where can I find validation-benchmarks?
- xbow-engineering/validation-benchmarks is on GitHub at https://github.com/xbow-engineering/validation-benchmarks.