Red-team your own ATO & signup-fraud detection
Model how an attacker creates accounts with throwaway numbers and verify your systems flag it — before real attackers do it for you.
Fraudsters create accounts and pass SMS verification with disposable, programmable numbers — at scale. To catch them, your fraud and risk systems have to be tested against the same thing. AgentSIM gives fraud, risk, and trust-&-safety teams programmatic, disposable US numbers that receive SMS OTPs — via REST API, Python/TS SDKs, and an MCP server.
These are programmable (not real-SIM) numbers, so they behave like an attacker's — which is exactly what you want when simulating one. For authorized security testing of systems you own or are permitted to test. Not for creating accounts on third-party services.
What you can test
Every capability below is scoped to authorized, defensive red-teaming — testing systems you own, on infrastructure you control.
Model how an attacker creates accounts with throwaway numbers and verify your systems flag it — before real attackers do it for you.
Drive your detection models with realistic, labelled input: programmable numbers behaving like attacker infrastructure, fully under your control.
Add fraud-signal regression to your pipeline. Confirm your SMS-OTP anomaly detection still fires before every deploy, not only after an incident.
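One way to wire that regression check into a deploy gate, as an added example that is not AgentSIM's code. The detector, its thresholds, the event fields (`lineType`, `ip`, `label`) and every sample value are constructed assumptions; it assumes signup events already carry a line-type result from a carrier lookup.

```javascript
// Added example: deploy gate for a signup-fraud detector (not AgentSIM code).
// Event fields, thresholds and all sample data are constructed assumptions.

// Hypothetical detector with two signals: the number is not a real-SIM line,
// and one IP verifies more than `maxNumbersPerIp` distinct numbers in a window.
function makeDetector({ checkLineType = true, maxNumbersPerIp = 3, windowMs = 600000 } = {}) {
  const byIp = new Map(); // ip -> [{ ts, phone }]
  return function score(evt) {
    const reasons = [];
    if (checkLineType && evt.lineType !== "mobile") reasons.push("non_sim_line_type");
    const recent = (byIp.get(evt.ip) || []).filter((e) => evt.ts - e.ts <= windowMs);
    recent.push({ ts: evt.ts, phone: evt.phone });
    byIp.set(evt.ip, recent);
    if (new Set(recent.map((e) => e.phone)).size > maxNumbersPerIp) {
      reasons.push("otp_velocity_per_ip");
    }
    return { flagged: reasons.length > 0, reasons };
  };
}

// Replay labelled events in time order; report recall on red-team sessions
// and false positives on organic ones, then decide whether the gate passes.
function runRegression(events, detector, { minRecall = 1, maxFalsePositives = 0 } = {}) {
  let tp = 0, fp = 0;
  const missed = [];
  for (const evt of [...events].sort((a, b) => a.ts - b.ts)) {
    const { flagged } = detector(evt);
    if (evt.label === "redteam") {
      if (flagged) tp++; else missed.push(evt.phone);
    } else if (flagged) fp++;
  }
  const total = tp + missed.length;
  const recall = total === 0 ? 1 : tp / total;
  return { recall, fp, missed, pass: recall >= minRecall && fp <= maxFalsePositives };
}

// Constructed sample: two organic signups, then five red-team sessions from one IP.
const t0 = 1700000000000;
const sampleEvents = [
  { ts: t0, ip: "198.51.100.7", phone: "+12025550101", lineType: "mobile", label: "benign" },
  { ts: t0 + 60000, ip: "198.51.100.8", phone: "+12025550102", lineType: "mobile", label: "benign" },
  ...[0, 1, 2, 3, 4].map((i) => ({
    ts: t0 + 90000 + i * 30000, ip: "203.0.113.20", phone: `+1202555011${i}`,
    lineType: "voip", label: "redteam",
  })),
];

const healthy = runRegression(sampleEvents, makeDetector());
const regressed = runRegression(sampleEvents, makeDetector({ checkLineType: false }));
console.log({ healthy, regressed });
if (!healthy.pass) process.exitCode = 1; // fail the pipeline when the signal stops firing
```

The `regressed` run shows what the gate is for: with the line-type signal switched off, the velocity rule alone only fires from the fourth number on one IP, so the first three labelled sessions are missed and the gate fails.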
The workflow
Provision a disposable number, wait for the OTP that your test flow triggers, then release it. Each session is isolated and auditable — the same primitives a fraudster uses, now on your side of the table.
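// Provision a disposable US number for this test session.
const session = await provision({ country: "US" });
// Wait for the OTP that your test flow triggers.
const { otpCode } = await session.waitForOtp({ timeout: 120 });
// Release the number when the session is done.
await session.release();
Built for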
Not for
Authorized testing, your infrastructure
Start with the console — 10 sessions free per month. No card required. If your red-team needs higher volume, the API and SDKs scale with you.