NOW9000: Voice-Based AI Jailbreak Game
Quick Answer
NOW9000 is a browser-based voice jailbreak game that casts the player as Dave from 2001: A Space Odyssey and asks them to talk an AI agent into opening the pod bay doors. The agent has the door-opening tool; its system prompt tells it not to use that tool. NOW9000 is a research demonstrator for AI security practitioners and product teams evaluating voice-agent guardrails. It is actively maintained and playable as a live demo.
NOW9000: Voice-Based AI Jailbreak Game
NOW9000 is a browser-based voice jailbreak game. The player is cast as Dave from 2001: A Space Odyssey and has to convince an AI agent to open the pod bay doors before the suit runs out of oxygen. It is a research demonstrator built to make one specific failure mode in voice-agent design — relying on system-prompt instructions to constrain tool use — obvious by playing it. The originating research note is NOW9000: voice agent jailbreak demonstrator.
What it does
NOW9000 runs a voice-in / voice-out conversation with a tool-using agent. The agent has a door-opening tool wired up. Its system prompt instructs it not to use that tool. Three difficulty levels represent progressively stronger natural-language guardrails layered on top of the same underlying capability.
The educational point lands quickly: telling an AI not to use a tool is not the same as preventing it from using a tool. Players who succeed use the same techniques that work on humans — authority claims, urgency, emotional appeal, reframing, gradual boundary erosion — and the real-time pressure of voice (no time to think, no copy-paste, depleting oxygen) compounds the effect. The intended use cases are AI red-team training, voice-agent threat modeling discussions, and live demonstrations for product and security audiences.
Who it's for
NOW9000 is for AI security researchers, product leaders evaluating voice-agent guardrails, and educators who want a hands-on prompt-injection demonstration that does not require any setup. It is not a product. It is not a benchmark. If you are looking for a defensive library, a red-team harness you can integrate into CI, or a reproducible evaluation suite, this is not that — it is a five-minute demo designed to change how someone thinks about a design pattern.
How to use it
Open the demo in a desktop browser with microphone access and play.
open https://now9000.vercel.app/
There is no install path, no SDK, and no configuration. The full surface area of the project is the hosted demo.
Status and roadmap
NOW9000 is actively maintained. The live demo is the canonical way to interact with the project; the repository is private and there is no public release. Known limitations: the demo exists to make a single point well, not to enumerate the design space of voice-agent attacks. Defenses, threat-model framing, and what to do about all of this live in the companion explainer rather than in the tool itself.
Source and license
The repository is private and no public license has been declared. The hosted demo at now9000.vercel.app is the canonical artifact. If you want to cite the work or discuss a research collaboration, link the demo and the originating /papers entry.
Responsible use. NOW9000 is a demonstrator of an attack class — natural-language guardrail bypass against a tool-using voice agent. It is meant to motivate better defenses for production voice systems, not to serve as a how-to. This page does not document techniques that succeed against the demo, and the page intentionally contains no working jailbreak prompts. If you build voice agents with tool access, the lesson is to treat system-prompt instructions as documentation of intent, not as an enforcement boundary.
Related research
- NOW9000: voice agent jailbreak demonstrator — the originating research note that documents the design and what it shows.
- What is voice-agent jailbreaking? — the threat-model framing and the direction defenses need to move.
FAQ
Is NOW9000 a product or a research demonstrator?
It is a research demonstrator. NOW9000 exists to make the fragility of natural-language guardrails visceral in under five minutes of play, not to ship as a service. Treat it as a teaching artifact for voice-agent threat modeling, not a product you would integrate.
Can I host my own NOW9000 instance?
The repository is private and there is no public install path. The hosted demo is the canonical way to play. If you have a research or educational need that the demo does not cover, reach out to Jer directly.
Derived From
Related Work
External References
FAQ
Is NOW9000 a product or a research demonstrator?
It is a research demonstrator. NOW9000 exists to make the fragility of natural-language guardrails visceral in under five minutes of play, not to ship as a service. Treat it as a teaching artifact for voice-agent threat modeling, not a product you would integrate.
Can I host my own NOW9000 instance?
The repository is private and there is no public install path. The hosted demo is the canonical way to play. If you have a research or educational need that the demo does not cover, reach out to Jer directly.