5 points by xmhatx 5 hours ago | 1 comment
  • xmhatx 5 hours ago
    VoiceGoat is our take on a DVWA/WebGoat/HackMeBank for voice-based AI agents. Most LLM security training is text-only, but voice agents are showing up in banking, healthcare, and customer service — and the attack surface behaves differently.

    Three intentionally-vulnerable services:

    - VoiceBank – direct, indirect, payload splitting, obfuscated
    - VoiceAdmin – excessive functionality, permissions, autonomy
    - VoiceRAG – cross-tenant leakage, RAG poisoning, access bypass

    CTF-style flags at easy/medium/hard difficulty. Runs fully on a mock LLM by default (although a little naive). Swap in OpenAI, Bedrock, Ollama, or any OpenAI-compatible provider when you want realistic behavior.

    Twilio integration lets you attack the agent over an actual phone call. The attack dynamics shift meaningfully versus text — timing, tone cues, and transcription errors all become part of the exploit surface.

    Up in ~5 minutes with Docker Compose (assuming you have Docker Desktop installed).

    Repo: https://github.com/redcaller/voice-goat

    Looking for feedback and interested contributors.

    Cheers!