Most labs cover one vertical. This one covers twenty-five.
Chimera is a vulnerable API platform at roughly 10x the scale of any comparable open-source lab. 480+ endpoints across 25 industry verticals, 12 wrapped in branded production-style web apps. Healthcare, banking, e-commerce, SaaS, government, telecom, and more. Real attack surfaces with remediation built in. The standardized canvas every adversary scenario writes against.
Twenty-five verticals. Four hundred eighty ways in.
Branded portals across the industries you actually defend.
Generic OWASP-style labs teach the patterns. Chimera puts them in production context: business-logic flaws in how a healthcare portal authenticates patients or how a bank portal authorizes transfers. Twelve verticals get the full UI treatment. The other thirteen are API-only with the same attack-surface depth.
Built for learning, instrumented for measuring.
Step-by-step guided walkthroughs of complete exploit chains. Follow along as attacks unfold across realistic multi-step scenarios: recon, exploit, escalate, exfil, with the full chain demonstrated against real endpoints.
See exactly where vulnerabilities exist in the source and how to remediate them. Connects every attack surface to the line of code that introduced it, with actionable fixes attached. The "why" behind every flaw.
Blue-team mode integrates with Synapse to show attack flows as they hit the defender. Watch detection cycles run, see which rules catch what, debug WAF policy in real time against real attack traffic.
Track and visualize exploit chains targeting LLMs. Prompt injection, jailbreaking, indirect injection, and data exfiltration through tool calls are mapped to attack stages and tied to remediation patterns.
From visualizer to source-line remediation.
Healthcare IDOR → Mass assignment → Privilege escalation.
A typical exploit tour walks you through a real chain. Not toy CTF puzzles. Each step shows the request, the unexpected response, the X-Ray Inspector explanation tying it back to source, and the remediation. The example below comes from the healthcare vertical's patient-records endpoint.
Chimera is the targets layer of Atlas Crew Security.
On its own, Chimera is a vulnerable API lab: useful for hands-on training, secure-coding workshops, and AppSec onboarding. Inside the platform, it's the standardized canvas Crucible writes assertions against and Synapse defends. Together, the four products form a closed-loop measurement system that tells you whether your defenses actually do what you think they do.
Run Chimera locally in one command.
Local-first, no signups. Pull the image, expose the portals on localhost, and start exploring. For the integrated Atlas Crew Security stack, use npx @atlascrew/bridge up instead.