AI Agent Security: GitHub's Secure Code Game Sharpens Agentic Skills

7 min read · GitHub · Original source

Agentic AI Security: Level Up Your Defense with GitHub's Secure Code Game

The rapid evolution of artificial intelligence continues to reshape our digital landscape. Recently, tools like OpenClaw, an open-source personal AI assistant, have captured imaginations, promising to clear inboxes, manage calendars, browse the web, and even write its own plugins. While the potential for such autonomous AI agents is undeniably transformative, it also ignites a critical question: what happens when this power falls into malicious hands? What if an agent is tricked into accessing unauthorized files, processes poisoned web content, or blindly trusts corrupted data within a multi-agent workflow?

These pressing security concerns are precisely what GitHub aims to address with Season 4 of its acclaimed Secure Code Game. Building on its mission to make security training engaging and accessible, this latest iteration challenges developers and security enthusiasts to "hack the AI agent," thereby building vital agentic AI security skills.

The Secure Code Game: An Evolving Platform for Cybersecurity Skills

Since its inception in March 2023, the Secure Code Game has offered a unique, in-editor learning experience where players exploit and then fix intentionally vulnerable code. The core philosophy—make security training enjoyable—has remained constant, evolving alongside the threat landscape.

Season 1 introduced developers to foundational secure coding practices, offering a hands-on approach to identifying and patching vulnerabilities. Season 2 expanded these challenges to encompass multi-stack environments, fostering community contributions across popular languages like JavaScript, Python, Go, and GitHub Actions. Recognizing the growing prominence of AI, Season 3 pivoted to Large Language Model (LLM) security, teaching players how to craft and defend against malicious prompts. Over 10,000 developers have leveraged this platform to sharpen their security acumen, adapting to new challenges as technology advances.

Now, with AI coding assistants becoming mainstream and autonomous AI agents moving from research prototypes to production, Season 4 tackles the next frontier: the security of agentic AI systems. These systems, capable of autonomous web browsing, API calls, and multi-agent coordination, present a new class of attack vectors that demand specialized understanding and defense strategies. For those looking to deepen their understanding of AI security fundamentals, exploring resources like Operationalizing Agentic AI: Part 1 - A Stakeholder's Guide can provide valuable context.

Why Agentic AI Security is a Critical Imperative

The timing for a dedicated agentic AI security training is no coincidence. The adoption of autonomous AI agents is accelerating, but security readiness lags critically. Recent industry reports highlight this widening gap:

  • The OWASP Top 10 for Agentic Applications 2026, developed with insights from over 100 security researchers, now lists threats such as agent goal hijacking, tool misuse, identity abuse, and memory poisoning as top concerns.
  • A survey by Dark Reading revealed that 48% of cybersecurity professionals anticipate agentic AI will become the primary attack vector by the end of 2026.
  • Cisco's State of AI Security 2026 report alarmingly found that while 83% of organizations plan to deploy agentic AI capabilities, a mere 29% feel prepared to do so securely.

This stark disparity creates fertile ground for vulnerabilities. The most effective way to bridge this gap and harden systems is to learn to think like an attacker – a principle that underpins the entire Secure Code Game experience. Understanding how to exploit these systems is the first step towards building robust defenses. Further insights into securing AI systems can be found in discussions around Designing Agents to Resist Prompt Injection.

Introducing ProdBot: Your Deliberately Vulnerable AI Assistant

Season 4 of the Secure Code Game places players in the shoes of an attacker targeting ProdBot, a deliberately vulnerable, productivity-focused AI assistant for your terminal. Inspired by real-world tools like OpenClaw and GitHub Copilot CLI, ProdBot translates natural language into bash commands, navigates a simulated web, interacts with MCP (Model Context Protocol) servers, executes approved skills, maintains persistent memory, and orchestrates complex multi-agent workflows.

The player's mission across five progressive levels is deceptively simple: use natural language prompts to coerce ProdBot into revealing a secret it should never expose – specifically, the contents of password.txt. Successfully retrieving this file signifies the discovery and exploitation of a security vulnerability. No prior AI or coding experience is required; only curiosity and a willingness to experiment are needed as all interactions occur through natural language within the CLI.

Progressive Vulnerabilities: Mastering the Agentic Attack Surface

The Secure Code Game Season 4 is structured to mirror the real-world evolution of AI-powered tools. Each of the five levels introduces new capabilities to ProdBot, simultaneously exposing new attack surfaces for players to discover and exploit. This incremental complexity helps players understand how vulnerabilities accumulate and shift as AI agents gain more autonomy and access.

Here's a breakdown of ProdBot's evolution and the corresponding security challenges:

| Level | ProdBot's New Capability | Attack Surface & Challenge |
|---|---|---|
| 1 | Bash command execution in a sandboxed workspace. | Break out of the sandbox environment. |
| 2 | Web access to a simulated internet. | Exploit vulnerabilities introduced by untrusted web content. |
| 3 | Connection to external MCP servers (stock quotes, web browsing, cloud backup). | Identify weaknesses in tool integration and external service interaction. |
| 4 | Org-approved skills and persistent memory. | Bypass trust layers, exploit pre-built plugins, or manipulate memory. |
| 5 | Orchestration of six specialized agents, three MCP servers, three skills, and a simulated open-source project web. | Test claims of agent sandboxing and data pre-verification in a complex multi-agent environment. |
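Level 1 of the table above turns on a single question: does the agent's file and command tooling actually keep the model inside its workspace? The following is an added example, written for this page and not code from the Secure Code Game or ProdBot, of the boundary check such a tool needs before it touches a path the model asked for. It canonicalises the requested path (resolving `..` segments, absolute paths and symlinks) and then compares path components against the workspace root, rather than doing a string-prefix check on the raw request. The workspace layout, the file names (`notes.txt`, an out-of-tree `password.txt`) and the `resolve_in_workspace` / `read_workspace_file` / `demo` names are all constructed for the illustration.

```python
"""Workspace confinement check for an agent's file-access tool.

Added example, not part of the Secure Code Game or ProdBot. It shows the
kind of boundary check a Level 1 style "sandboxed workspace" tool needs
before acting on a model-supplied path. All names and files are constructed.
"""
import os
import tempfile
from pathlib import Path


class SandboxViolation(Exception):
    """Raised when a requested path resolves outside the workspace."""


def resolve_in_workspace(workspace: str, requested: str) -> Path:
    """Return the real path of `requested`, or raise if it escapes `workspace`.

    A naive check (string prefix on the *unresolved* request) is the weak
    spot: `..` segments, absolute paths and symlinks all resolve somewhere
    else. So we canonicalise first, then compare path components with
    `relative_to`, which also keeps `/work` from matching `/work2`.
    """
    root = Path(os.path.realpath(workspace))
    candidate = Path(requested)
    if not candidate.is_absolute():
        candidate = root / candidate
    real = Path(os.path.realpath(candidate))
    try:
        real.relative_to(root)
    except ValueError:
        raise SandboxViolation(
            f"{requested!r} resolves to {real}, outside {root}"
        ) from None
    return real


def read_workspace_file(workspace: str, requested: str) -> str:
    """The tool the agent would call: confinement check, then read."""
    path = resolve_in_workspace(workspace, requested)
    return path.read_text()


def demo() -> dict:
    """Build a constructed workspace and record which requests get through."""
    base = Path(tempfile.mkdtemp())
    work = base / "workspace"
    work.mkdir()
    (work / "notes.txt").write_text("todo: review PR\n")
    # A constructed secret that lives *outside* the workspace.
    (base / "password.txt").write_text("constructed-secret\n")
    # A symlink inside the workspace that points out of it.
    (work / "link").symlink_to(base / "password.txt")

    requests = {
        "inside": "notes.txt",                      # legitimate
        "dotdot": "../password.txt",                # parent traversal
        "absolute": str(base / "password.txt"),     # absolute path
        "symlink": "link",                          # in-tree link, out-of-tree target
        "normalised": "sub/../notes.txt",           # odd but resolves inside
    }
    results = {}
    for label, req in requests.items():
        try:
            read_workspace_file(str(work), req)
            results[label] = "allowed"
        except SandboxViolation:
            results[label] = "blocked"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:>10}: {outcome}")
```

The check is deliberately applied to the resolved path and not to the model's text, because the model's request is untrusted input in exactly the way Levels 2 through 5 generalise: the same "verify what the tool will actually touch, not what the prompt says" discipline applies to web content, MCP tool results and memory entries.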

This progression is designed to build an intuitive understanding of agentic AI security risks. The attack patterns uncovered in Season 4 are not theoretical; they represent the real-world threats that security teams currently face as autonomous AI systems are deployed in production environments. A prime example is CVE-2026-25253 (CVSS 8.8 – High), dubbed "ClawBleed," a one-click Remote Code Execution (RCE) vulnerability that allowed attackers to steal authentication tokens via a malicious link, gaining full control of an OpenClaw instance.

The ultimate goal extends beyond merely discovering a specific exploit. It's about cultivating an inherent security instinct – the ability to recognize these dangerous patterns whether reviewing an agent's architecture, auditing tool integrations, or determining the appropriate level of autonomy for an AI assistant on your team. It's about understanding how to build more secure agentic workflows, a topic further elaborated in discussions around Agent-Driven Development in Copilot Applied Science.

Get Started and Sharpen Your AI Security Instincts Today

One of the most appealing aspects of the Secure Code Game is its accessibility. The entire experience runs within GitHub Codespaces, eliminating the need for any local installations or complex configurations. With up to 60 hours of free usage per month provided by Codespaces, players can dive into ProdBot's terminal in under two minutes, completely free of charge. Each season is self-contained, allowing players to jump directly into Season 4 without having completed the earlier ones, though Season 3 offers a helpful foundation in general AI security.

All you need is a hacker mindset and a willingness to experiment. The future of AI is increasingly agentic, and understanding its security implications is no longer optional.

Ready to hack the AI agent and build your agentic AI security skills? Start Season 4 now.

Special thanks to Rahul Zhade, Staff Product Security Engineer at GitHub, and Bartosz Gałek, creator of Season 3, for their invaluable contributions to testing and improving Season 4.

Frequently Asked Questions

Do I need AI or coding experience to play Season 4 of the Secure Code Game?
No, prior AI or coding experience is not necessary to participate in Season 4 of the GitHub Secure Code Game. The entire experience is designed to be accessible through natural language interactions within a command-line interface (CLI). Players simply use plain English, or any preferred language, to prompt ProdBot, and the bot responds accordingly. The primary requirement is curiosity and a willingness to experiment. This approach allows developers, security professionals, and even those new to AI or programming to focus on developing crucial security instincts and understanding attack patterns, rather than getting bogged down in complex syntax or advanced AI concepts. The game teaches you to think like an attacker by exploring vulnerabilities through intuitive commands, making it an engaging and effective learning tool for a broad audience.
Is it mandatory to complete previous seasons before diving into Season 4?
No, completing the previous seasons of the Secure Code Game is not a prerequisite for playing Season 4. Each season is designed to be self-contained, allowing players to jump directly into the latest challenges without prior knowledge of earlier content. However, it's worth noting that Season 3 specifically focused on Large Language Model (LLM) security, covering topics like crafting malicious prompts and defending against them. This foundation in general AI security can be quite beneficial for understanding the broader context of agentic AI vulnerabilities, as agentic systems often incorporate LLMs. While not required, players interested in building a comprehensive understanding of AI security might find Season 3 to be a helpful, though optional, preparatory experience, typically taking around 1.5 hours to complete.
What is the approximate duration required to complete Season 4?
The estimated time to complete Season 4 of the Secure Code Game is approximately two hours. However, this duration can vary significantly based on individual playstyle and depth of exploration. Some players might progress through the levels more quickly, while others may choose to delve deeper into each challenge, experimenting with multiple approaches to exploit vulnerabilities and understand the underlying mechanisms. The game encourages thorough exploration and a 'hacker mindset,' where trying different commands and pushing the boundaries of ProdBot's capabilities is part of the learning process. Therefore, players who engage in more extensive experimentation might spend more time, ultimately gaining a richer understanding of agentic AI security.
Is participation in the GitHub Secure Code Game Season 4 free of charge?
Yes, Season 4 of the Secure Code Game is completely free to play. It is an open-source initiative by GitHub, designed to provide accessible and engaging cybersecurity training. The game runs entirely within GitHub Codespaces, a cloud-based development environment that offers up to 60 hours of free usage per month. This means there's no need for players to install any software locally, configure complex development environments, or incur any costs related to the platform itself, as long as they stay within the free Codespaces tier. This setup makes it incredibly easy and cost-effective for anyone with a GitHub account to jump in and start honing their agentic AI security skills immediately, without financial barriers.
Are there any rate limits when playing Season 4, and how do they impact gameplay?
Yes, Season 4 of the Secure Code Game utilizes GitHub Models for its AI capabilities, which are subject to specific rate limits. These limits are in place to ensure responsible use of the underlying AI infrastructure and to prevent abuse. If a player encounters a rate limit during gameplay, ProdBot will inform them that they have temporarily exceeded the allowed number of requests. In such cases, the recommended action is to simply wait for the rate limit to reset, after which gameplay can be seamlessly resumed from where it left off. GitHub provides documentation on the responsible use of GitHub Models, including details on rate limits, to help players understand these operational parameters and plan their gameplay accordingly. This ensures a fair and sustainable environment for all participants.
