Learn to disarm the attack.
A free game in the spirit of the classics: you're the defender. Inspect each request, IP and payload, then decide — allow, challenge, block, enrich or escalate. The defences level up as you go.
Login spray or forgetful customer?
Decide whether this login traffic needs friction before it becomes account takeover pressure.
POST /account/login HTTP/2
host: shop.example
ip: 198.51.100.42
asn: residential proxy range
user-agent: Mozilla/5.0
signal: 19 usernames tried in 72 seconds
Best verdict: hidden until submitted
Choose your response.
Read the request, weigh the context, then pick the least harmful useful action. Some rounds accept more than one defensible answer when confidence is incomplete.
V1 is fully local and synthetic. No gameplay data is collected or sent anywhere.
Six levels. Each one upgrades the attacker.
Inspired by the leveled challenge of games like Gandalf — re-imagined for web security, bots and fraud.
Read the request
Spot the tell in a single suspicious HTTP request.
Score the bot
Decide: human, good bot, or something hiding.
Catch the payload
Find the injection inside an innocent-looking parameter.
Trust the IP?
Weigh reputation, ASN and behaviour before you allow.
Stop the fraud
Separate a real checkout from a carding run.
Hold the line
Defences upgrade each round — can you keep up?
A game first. Intelligence second — and only with consent.
Expelliarmus is built to teach. Down the line, opt-in challenge submissions could help sharpen our threat intelligence and OSINT feeds — but never silently. Participation will be explicit, moderated and abuse-controlled, and educational gameplay data is kept strictly separate from any production intelligence feed. V1 collects no gameplay data at all.