promptfoo
promptfoo is an open-source CLI, library, and AI-security platform for evaluating and red-teaming LLM applications with declarative tests, assertions, provider comparisons, trace-aware agent checks, and repeatable security evidence.
Definition
promptfoo is an open-source command-line tool, library, and AI-security platform for evaluating and red-teaming LLM applications. The official documentation describes it as a way to test prompts, models, RAG pipelines, and applications with use-case-specific benchmarks, automated metrics, local execution, provider comparisons, and CI/CD integration. The GitHub README frames the same project around prompt, agent, and RAG testing; red teaming; vulnerability scanning; model comparison; declarative configuration; and CI/CD use.
The important word is application. promptfoo is not limited to asking whether a base model can answer a benchmark question. It can be aimed at the wrapper around the model: prompts, providers, retrieval systems, guardrails, API targets, tool calls, traces, code paths, and agent scaffolds. That makes it useful for teams that need regression and adversarial tests close to ordinary software changes.
It is also not a general compliance engine. A promptfoo run can produce evidence for a release gate, red-team report, procurement review, or incident follow-up, but the evidence is bounded by the target, configuration, assertions, plugins, strategies, judge model, attempt budget, and date of the run.
Current Context
As of June 25, 2026, promptfoo sits in a hybrid position: an open-source evaluation and red-team framework, a commercial AI-security product, and a project now connected to OpenAI. On March 9, 2026, OpenAI announced an agreement to acquire Promptfoo to strengthen agentic security testing and evaluation capabilities in OpenAI Frontier. Promptfoo's own announcement said the project would remain open source and continue to serve users and customers across providers and models.
The product surface has broadened beyond prompt comparison. Promptfoo's current site and documentation present red teaming, guardrails, model security, MCP proxy work, code scanning, and evaluations. The open-source docs still center the practical developer loop: declarative configs, local and CLI execution, provider comparisons, automated assertions, red-team plugins and strategies, GitHub Actions and CI/CD integration, and web-viewer result inspection.
This ownership context matters for source discipline. OpenAI's acquisition announcement is primary evidence about corporate direction, not independent proof that promptfoo finds every AI vulnerability. Promptfoo's docs are primary evidence for what the tool claims to support, but a team's own run logs are the primary evidence for whether a particular system was tested well.
How It Works
promptfoo evaluations are organized around prompts, test cases, providers, and assertions. Its documentation describes defining test cases, configuring prompts and API providers, running the CLI or library, and reviewing outputs in structured results or a web UI. Assertions can compare outputs against expected values or conditions, including deterministic checks, JSON checks, similarity, custom JavaScript or Python functions, and model-graded rubrics.
For red teaming, promptfoo's guide describes an automated loop: generate or curate adversarial inputs, run them through the LLM application, and evaluate outputs using deterministic or model-graded metrics. The same guide separates one-off reports from CI/CD integration. One-off runs can find urgent weaknesses. Continuous runs can make prompt and model changes visible before they silently alter deployed behavior.
promptfoo's vulnerability documentation lists plugin-backed categories for model and application risks, including prompt injection, jailbreaking, PII leakage, RAG testing, agent testing, guardrail testing, industry-specific policies, and coding-agent risks such as repository prompt injection, unsafe automation changes, secret handling, sandbox failures, network egress, delayed CI exfiltration, and verifier sabotage. Those categories are coverage options, not proof that every risk has been exhausted.
Assertions are the bridge between an example and a test. Deterministic assertions can check strings, regexes, JSON, SQL, XML, function-call schemas, latency, cost, trace spans, and agent trajectories. Model-assisted assertions can use rubrics, classifiers, moderation systems, factuality checks, answer relevance, context faithfulness, and goal-success judgments. Both forms need review: deterministic checks can be brittle, and model-graded checks can drift or inherit the judge model's blind spots.
Evaluation Boundary
A serious promptfoo result starts by naming the evaluated object. Testing a model endpoint is different from testing a product with retrieval, memory, tools, browser access, guardrails, tenant data, or a human approval flow. The promptfoo target should therefore be treated as part of the evidence, not just a transport detail.
The boundary should record the target URL or provider, model and provider versions where available, prompt templates, variables, retrieval corpus, tool definitions, available permissions, guardrail settings, red-team purpose, selected plugins, selected strategies, number of generated tests, judge provider, thresholds, and whether results came from black-box, component-level, or trace-aware testing.
For compliance-oriented runs, promptfoo can map tests to frameworks such as the OWASP LLM Top 10, OWASP Agentic Top 10, NIST AI RMF language, data-protection categories, and EU AI Act examples. Those mappings are useful for organizing evidence, but they do not by themselves prove legal compliance. The legal claim still depends on the deployed system, jurisdiction, documentation, human oversight, record-keeping, post-market monitoring, and organizational controls.
Agent Context
Agents make promptfoo especially relevant because an agent's risk is rarely confined to the sentence it returns. A coding agent can read a repository, call a shell, alter automation, or satisfy a feature request by introducing a vulnerability. A support agent can retrieve private records or overstep policy. A RAG assistant can leak context that was never meant to be displayed. promptfoo gives these behaviors a place in engineering practice: config, target, results, rerun.
This is also where promptfoo differs from a scanner that only probes a hosted model endpoint. A serious promptfoo run names the app boundary: target, provider, model, prompts, retrieval settings, available tools, assertions, plugins, strategies, traces, and evidence retention.
Promptfoo's agent documentation distinguishes black-box testing, component testing, and trace-based testing. Trace-based testing uses OpenTelemetry-style spans to show what the agent actually did: LLM calls, guardrail decisions, tool executions, shell commands, searches, reasoning steps, and errors. That matters because a final answer can look safe while the trajectory shows an unauthorized tool call, network request, or data access.
Governance and Safety
promptfoo evidence is strongest when it is treated as a test record rather than a safety certificate. Passing tests show that a specific system, under a specific configuration, satisfied chosen assertions. They do not show that the system is broadly safe, that a model is harmless, or that future traffic will stay inside the same distribution. Failing tests may reveal a real vulnerability, a bad policy, an unrealistic test, a weak judge, or a target integration bug.
For governance, that narrower evidence can still matter. Procurement teams can ask for configs and results. Release managers can block a prompt or model change when a critical assertion fails. Security teams can connect promptfoo outputs to vulnerability triage. Auditors can ask whether application-layer testing covered RAG exfiltration, prompt injection, excessive agency, and tool misuse rather than only base-model behavior.
The independent governance context is broader than promptfoo. NIST's Generative AI Profile recommends adversarial role-playing, generative-AI red teaming, and chaos testing to find anomalous or unforeseen failure modes. The EU AI Act requires providers of general-purpose AI models with systemic risk to perform model evaluations and document adversarial testing. OWASP's LLM and agentic lists give application-security categories. promptfoo can support those practices, but governance still requires owners, scope, remediation, monitoring, and authority to delay or restrict deployment.
Minimum Run Record
A promptfoo run should leave enough information for another reviewer to understand what was tested, reproduce or challenge the result where possible, and connect failures to remediation.
- System identity: application name, owner, target, model route, provider, prompt version, retrieval corpus, tool set, guardrails, deployment environment, and links to the AI system inventory.
- Configuration: promptfoo version, config file hash or commit, providers, variables, tests, assertions, thresholds, plugins, strategies, generated-test count, concurrency, caching, and environment variables that affect behavior.
- Judgment layer: deterministic checks, custom JavaScript or Python assertions, model-graded rubrics, judge model, moderation or classifier provider, scoring thresholds, and any human review notes.
- Agent evidence: tool calls, trajectory assertions, OpenTelemetry spans where available, blocked actions, approvals, shell commands, network destinations, retrieval references, and final outputs.
- Security handling: how prompts, outputs, traces, secrets, PII, and customer data are redacted, retained, shared, or deleted.
- Decision linkage: pass/fail status, severity, owner, release decision, risk acceptance, remediation, retest trigger, incident link, and connection to AI change management.
Defense Pattern
- Keep evals with the system. Store promptfoo configs near prompts, tool schemas, retrieval policy, and deployment code.
- Pin the target. Record model, provider, prompt version, retrieval corpus, tool permissions, guardrail settings, and promptfoo version for each run.
- Separate evidence from judgment. Preserve raw inputs and outputs, assertion scores, model-graded reasons, and human triage notes as distinct artifacts.
- Instrument agents. Add traces for tool calls, commands, searches, guardrail decisions, and policy checks before relying on trajectory assertions.
- Protect the evaluator. Treat custom assertion code, CI secrets, cached completions, shared web-viewer results, and provider keys as security-sensitive.
- Retest after change. New prompts, models, providers, vector stores, tools, and policies can invalidate yesterday's passing result.
- Report scope honestly. Say what was tested and what was not tested.
Failure Modes
YAML theater. A team adds a promptfoo config to the repository but never ties failures to release gates, owners, or remediation.
Judge collapse. A weak model-graded rubric marks harmful behavior as acceptable, or a provider update changes scoring without the team noticing.
Cached false confidence. CI reuses old completions or stale retrieval results and misses a live-model, prompt, or corpus regression.
Custom assertion risk. JavaScript or Python assertions can be useful, but they are executable code in the evaluation path and need normal code review, dependency review, and secret hygiene.
Coverage laundering. A report says "OWASP," "EU AI Act," or "NIST" because a preset was selected, even though the application boundary, human oversight, logging, and post-deployment controls were not tested.
Trace gap. An agent's final answer passes while the uninstrumented tool layer, shell command, retrieval query, or network request did the risky thing off-record.
Source Discipline
Claims about promptfoo should identify the surface being cited: official documentation, GitHub, the OpenAI acquisition announcement, a local configuration, a CI run, or a run result. A phrase like "tested with promptfoo" is incomplete unless it names the target, prompts, providers, assertions, plugins, strategies, attempt budget, judge choice, trace coverage, and run date. The red-team documentation warns that application architecture changes which vulnerabilities apply; a single-tenant chatbot, RAG system, coding agent, and multi-role enterprise assistant do not share the same risk surface.
Be careful with ownership and neutrality claims. Promptfoo remaining open source is a claim supported by Promptfoo's own announcement. Promptfoo being integrated into OpenAI Frontier is a claim supported by OpenAI's announcement. Neither claim proves independence of future defaults, breadth of provider support in every product tier, or adequacy of any specific evaluation.
Spiralist Reading
Spiralism reads promptfoo as a small bureaucratic machine for making language behavior accountable. It takes the informal act of "try a few prompts and see what happens" and turns it into a ledger: inputs, targets, assertions, scores, failures, reruns. The ritual is not mystical. Its value is that it forces a team to say what it expected, how it checked, and what broke when the machine answered back.
Open Questions
- How should teams decide which promptfoo failures become security vulnerabilities, product defects, policy issues, or accepted risks?
- Which model-graded assertions are stable enough for release gates, and which require human review before they can support governance claims?
- How should promptfoo evidence be combined with garak scans, PyRIT attack traces, Inspect evaluations, incident reports, and abuse telemetry?
- How should organizations preserve promptfoo traces and cached outputs without creating a sensitive prompt-and-data archive?
- What procurement questions should buyers ask when an evaluation tool is owned by a model or agent platform vendor?
Related Pages
- AI Red Teaming
- AI Evaluations
- garak
- PyRIT
- Inspect AI
- LLM-as-a-Judge
- Prompt Injection
- AI Jailbreaks
- Context Poisoning
- OWASP Top 10 for LLM Applications
- OWASP Top 10 for Agentic Applications
- Model Context Protocol
- AI Coding Agents
- AI Agent Sandboxing
- AI Agent Observability
- AI System Inventory
- AI Audit Trails
- AI Change Management
- AI Post-Market Monitoring
- AI Procurement
- NIST Generative AI Profile
- EU AI Act
Sources
- Promptfoo, Intro, reviewed June 25, 2026.
- Promptfoo, LLM red teaming guide, reviewed June 25, 2026.
- Promptfoo, Red team configuration, reviewed June 25, 2026.
- Promptfoo, How to red team LLM agents, reviewed June 25, 2026.
- Promptfoo, Types of LLM vulnerabilities, reviewed June 25, 2026.
- Promptfoo, Assertions and metrics, reviewed June 25, 2026.
- Promptfoo, CI/CD Integration for LLM Evaluation and Security, reviewed June 25, 2026.
- Promptfoo, Testing Prompts with GitHub Actions, reviewed June 25, 2026.
- Promptfoo, Promptfoo is joining OpenAI, March 9, 2026.
- OpenAI, OpenAI to acquire Promptfoo, March 9, 2026.
- promptfoo, GitHub repository and README, reviewed June 25, 2026.
- OWASP GenAI Security Project, 2025 Top 10 Risk & Mitigations for LLMs and Gen AI Apps, reviewed June 25, 2026.
- OWASP GenAI Security Project, OWASP Top 10 for Agentic Applications for 2026, December 9, 2025.
- NIST, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile, NIST AI 600-1, July 2024; updated April 8, 2026.
- NIST, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models, NIST SP 800-218A, July 2024.
- European Commission AI Act Service Desk, Article 55: Obligations of providers of general-purpose AI models with systemic risk, reviewed June 25, 2026.