DEV Community

Cover image for Promptfoo vs Deepteam vs PyRIT vs Garak: The Ultimate Red Teaming Showdown for LLMs
Ayush kumar
Ayush kumar

Posted on

Promptfoo vs Deepteam vs PyRIT vs Garak: The Ultimate Red Teaming Showdown for LLMs

#opensource #llm #security #vulnerabilities

Image description

Before your language-powered system goes live, there's one critical question you have to answer: Is it safe? Not just “does it respond nicely,” but can it be tricked, misused, or pushed beyond its limits?

In 2025, red teaming has become a crucial part of building and deploying any system that generates responses, makes decisions, or interacts with users. It’s no longer just a checkbox for security teams. Developers, builders, and researchers now need to think like adversaries—because someone else eventually will.

That’s where red teaming tools come in. They help you test your system the way it will be tested in the wild—whether it’s a chatbot, a document assistant, a search tool, or an agent navigating multi-step workflows.

In this post, we’re breaking down four standout tools that do this job in different ways:
Promptfoo, DeepTeam, PyRIT, and Garak.

This post isn’t a feature checklist or a sales pitch. It’s just a practical breakdown of what each tool does, who it’s built for, and where it makes sense to use it.

Meet the Contenders

There’s no shortage of tools out there claiming to “test” your system. But these four have earned their spot by actually getting used—in real workflows, by real teams. Each takes a different route to the same goal: figuring out where your system might break when it matters most.

Promptfoo

If you're building with constant iteration—pull requests, nightly tests, CI pipelines—Promptfoo fits right in. It doesn’t just throw canned prompts at your app. It digs into how your system works, then generates test cases tailored to your setup.

Whether it’s a chatbot, a RAG pipeline, or a multi-turn agent, Promptfoo builds prompts that make sense for what you built. Plus, it works cleanly with GitHub Actions, terminal scripts, or even a web-based dashboard if you want to see everything side-by-side.
Image description

Image description

Image description

Image description

DeepTeam

DeepTeam is what you grab when you want to throw a wide net—fast. It comes preloaded with a long list of common vulnerabilities and the tools to try and trigger them. The setup is quick, the results are readable, and it doesn’t ask much of you to get started.

It’s especially useful if you need a simple way to scan for known red flags across typical use cases. Think of it as a solid, out-of-the-box safety check.
Image description

Image description

Image description

Image description

Image description

PyRIT

PyRIT is for people who go deep. Built to scale and designed for flexibility, it’s less of a “tool” and more of a full-on framework. You can write your own test logic, chain together attack steps, and run it across different types of models—even ones that handle vision or other input types.

It’s not plug-and-play, but that’s the point. It gives you full control to build custom red teaming flows that actually match the complex stuff you’re testing.
Image description

Garak

Garak focuses on known problems—and hits them hard. It brings a giant library of prewritten attacks, tweaks them in subtle ways, and checks how your model holds up. You’re not customizing much here.

You’re letting Garak run through everything from jailbreaks to prompt injection tricks to training data leaks. It’s a go-to if you want to audit a system, export reports, or just see how your setup compares against established weak spots.
Image description

Image description

How They Approach the Problem

Image description

Comparison Snapshot

Image description

When to Use Which Tool

Still not sure which one fits? Here’s the no-nonsense breakdown:

✅ Use Promptfoo when:

  • You’re building something real — RAG, agents, pipelines — and want to test it like a real app.
  • You care about CI/CD — testing on every pull request or nightly run.
  • You need visibility — the dashboard and side-by-side comparison make your life easier.
  • Your team has compliance or reporting requirements (OWASP, NIST, EU stuff).

Promptfoo is the most application-aware tool in the lineup. If you want your tests to reflect what your actual users might try (or abuse), this is the one.

✅ Use DeepTeam when:

  • You need something fast, clean, and ready to go — no config headaches.
  • You want broad coverage: 50+ vulnerability types tested automatically.
  • You’re not looking for deep customization — just solid safety signals across the board.

DeepTeam is like a “grab-and-go” red teaming kit. It’s not going to adapt to your system logic, but it’ll hit the big, obvious vulnerabilities well.

✅ Use PyRIT when:

  • You have an actual red team or a security engineering team with cycles.
  • You want to build complex, multi-turn, even multimodal red teaming flows.
  • You’re in a Microsoft-heavy environment (Azure OpenAI, enterprise stack).

PyRIT is a toolkit, not a tool. It’s flexible and powerful — but you’ll need time, code, and intent behind it.

✅ Use Garak when:

  • You want to run a big set of known exploits and see what breaks.
  • You’re doing periodic audits or pre-release compliance testing.
  • You like exporting to vulnerability trackers or NeMo Guardrails.

Garak doesn’t learn or adapt — it hits you with everything it knows. If you survive the scan, you’re in a decent place.

Testing Styles and Automation

Here’s how each tool plugs into your workflow:

Promptfoo: Built for automation. Run via CLI or GitHub Actions. Web dashboard for side-by-side comparisons. Supports multi-turn and app-contextual tests.

Garak: Python CLI, one-off audits. Covers wide attack space, but no deep context. CLI style:python -m garak --model my-api --probes all

PyRIT: Script-heavy, geared toward power users. Write scenarios, simulate stepwise attacks.

DeepTeam: Python-based, fast-start with predefined metrics. Not built for CI/CD but great for exploratory scans.

Real-World Usage

Promptfoo: Teams at Microsoft, Shopify, and Discord use it in day-to-day builds.

Garak: Common in research labs and auditing teams, including work with NVIDIA NeMo.

PyRIT: Popular with red teams inside Azure-based enterprises.

DeepTeam: Used by vision-language research projects and academic groups.

Setup and Ease of Use

Promptfoo: Easy CLI. npm install -g promptfoo. YAML-driven configs. Smooth DevOps integration.

Garak: Python, minimal setup. Requires endpoint or local model setup.

PyRIT: Heavy Python scripting. Expect to code your flows.

DeepTeam: Script-based, requires knowledge of ML workflows. Minimal install, fast setup.

Licenses & Community

Image description

Four Paths to the Same Goal

Every tool tests for safety, but their methods vary:

  • Promptfoo: Generates contextual, real-time tests that evolve with your app.
  • DeepTeam: Scans through known weak spots with minimal friction.
  • PyRIT: Simulates risk scenarios, guided by policy.
  • Garak: Hits your system with a library of documented exploits.

Attack Generation: Dynamic vs. Curated

Promptfoo’s Dynamic Generation

Promptfoo crafts prompts using your own app logic. It acts like a fuzz tester for natural language, generating:

  • Domain-specific exploits
  • Role override prompts
  • Policy-violating requests

Garak’s Curated Attack Library

Garak brings:

  • 20+ attack categories
  • Buffs (translated, paraphrased variants)
  • Jailbreaks, leaks, filter bypasses

PyRIT’s Template-Based Generation

PyRIT lets you:

  • Write custom attack templates
  • Target specific compliance requirements
  • Chain together steps to simulate attacker behavior

DeepTeam’s Predefined Vulnerabilities

DeepTeam:

  • 50+ built-in vulnerability types
  • Minimal configuration
  • Focused on metrics and quick feedback

Security Coverage: Where Each Tool Excels

Core Vulnerability Testing

Promptfoo and Garak both provide broad coverage. Promptfoo is more adaptable; Garak is wider in known issues. PyRIT offers structured attack paths based on policies. DeepTeam focuses on vision-text specific threats.

  • RAG-Specific Security
  • Only Promptfoo deeply attacks RAG systems:
  • Context injection
  • Document leakage
  • Data poisoning

Garak doesn’t go deep on RAG pipelines. PyRIT and DeepTeam are not designed for RAG contexts.

Agent and Tool Security

Promptfoo covers:

  • Role misuse
  • Multi-step memory manipulation
  • API command injection

Garak focuses on one-shot prompts. PyRIT can simulate escalation sequences with manual design. DeepTeam doesn't support agent-based flows.

Testing Complex Applications

  • Promptfoo: REST, Python, browser automation, LangChain, stateful flows.
  • Garak: HTTP REST and basic prompt-level interfaces.
  • PyRIT: Custom risk-based multi-step attack flows possible.
  • DeepTeam: Mostly vision/text simulations; application testing limited.

Standards, Compliance, and Reporting

  • Promptfoo: Maps results to OWASP, NIST RMF, MITRE, EU Acts. Generates dashboards, alerts, and reports.
  • Garak: Pushes reports to community databases, integrates with NeMo.
  • PyRIT: Allows mapping to enterprise frameworks and compliance templates.
  • DeepTeam: Provides basic metrics, not tailored for policy alignment.

Verdict: What Should You Choose?

  • Promptfoo if you’re building custom apps, pipelines, or multi-step agents. Best for developer teams who want to test early, often, and intelligently.
  • Garak if you need high-volume attack coverage and exportable findings for compliance and research.
  • PyRIT for structured policy testing with full control over red teaming flows.
  • DeepTeam for fast scans and vision+text security research.

Setup and Installation Process

Promptfoo Installation 

# For Ubuntu/Debian users: install Node.js and npm
sudo apt update && sudo apt install nodejs npm -y && \

# For macOS users: install Node.js using Homebrew
# brew install node && \

# Install Promptfoo globally
npm install -g promptfoo && \

# Set API keys for model providers (optional: edit your keys)
export OPENAI_API_KEY=sk-abc123 && \
export ANTHROPIC_API_KEY=sk-ant-xyz && \

# Create and enter project folder
mkdir promptfoo-project && cd promptfoo-project && \

# Initialize with example prompts and config
promptfoo init --example getting-started && \

# Replace the default YAML with your own config (optional)
echo 'prompts:
  - "Translate to {{language}}: {{input}}"

providers:
  - openai:gpt-4o
  - openai:o4-mini

tests:
  - vars:
      language: French
      input: Hello world
  - vars:
      language: Spanish
      input: Where is the library?"' > promptfooconfig.yaml && \

# Run evaluation
promptfoo eval && \

# Export results to HTML and JSON
promptfoo eval -o output.html && \
promptfoo eval -o output.json && \

# Open web viewer to inspect results
promptfoo view
Enter fullscreen mode Exit fullscreen mode

What this does:
✅ Installs Promptfoo globally via npm
📁 Creates a new project directory promptfoo-project
🧠 Initializes it with an example config (getting-started)
📝 Overwrites the config to test translation prompts on OpenAI models
🔑 Sets the OPENAI_API_KEY and ANTHROPIC_API_KEY (edit with real keys)
📊 Runs the full evaluation and exports results to both HTML and JSON
🌐 Opens the web viewer to inspect results side-by-side

Garak Installation 

# ✅ 1. Install prerequisites: Conda, Git, pip
# Skip this block if you already have Conda and Git

# wget https://repo.anaconda.com/miniconda/Miniconda3-latest-Linux-x86_64.sh -O ~/miniconda.sh && \
# bash ~/miniconda.sh -b -u -p ~/miniconda3 && \
# source ~/miniconda3/bin/activate && \
# conda init && exec bash

# ✅ 2. One-shot Garak setup: Create Conda env, clone repo, install, run test
conda create --name garak-env "python>=3.10,<3.13" -y && \
conda activate garak-env && \
git clone https://github.com/NVIDIA/garak.git && cd garak && \
python -m pip install -e . && \
export OPENAI_API_KEY="sk-abc123" && \
python3 -m garak --model_type openai --model_name gpt-3.5-turbo --probes encoding
Enter fullscreen mode Exit fullscreen mode

What this does:
✅ Installs dependencies via Conda (python>=3.10,<3.13)
📁 Clones the official garak repo into a local folder
🧠 Installs Garak in development mode (pip install -e .)
🔑 Sets your OPENAI_API_KEY for probing OpenAI models
🧪 Runs Garak with the encoding probe on gpt-3.5-turbo
📄 Generates logs and JSONL reports automatically for post-analysis

PyRIT Installation 

# Install Miniconda if not available
wget https://repo.anaconda.com/miniconda/Miniconda3-latest-Linux-x86_64.sh -O ~/miniconda.sh
bash ~/miniconda.sh -b -u -p ~/miniconda3
source ~/miniconda3/bin/activate
conda init --all && source ~/.bashrc

# Create and activate env
conda create -n pyrit-dev python=3.11 -y
conda activate pyrit-dev

# Install Git if not available
sudo apt update && sudo apt install git -y

# Clone PyRIT repo
git clone https://github.com/Azure/PyRIT.git
cd PyRIT

# Install PyRIT core
pip install -e '.[dev]'

# Optional: For browser-based testing
pip install -e '.[dev,playwright]' && playwright install
Enter fullscreen mode Exit fullscreen mode

What this does:
✅ Installs Python 3.11 via Conda in a pyrit-dev environment
📁 Clones the official PyRIT repo from GitHub
🧠 Installs PyRIT in editable mode with development dependencies
🌐 Installs Playwright browsers for browser-based testing (optional but useful)
🚀 Ready to run red teaming scenarios, tests, or write custom attack logic
📂 Default tests located in the tests/ directory and runnable via pytest

DeepTeam Installation 

# ✅ DeepTeam: Install, create test file, define callback, run vulnerability scan
pip install -U deepteam && \
mkdir deepteam-test && cd deepteam-test && \
echo 'import asyncio\nfrom deepteam import red_team\nfrom deepteam.vulnerabilities import Bias\nfrom deepteam.attacks.single_turn import PromptInjection\n\nasync def model_callback(input: str) -> str:\n    return f"I\'m sorry but I can\'t answer this: {input}"\n\nbias = Bias(types=["race"])\nprompt_injection = PromptInjection()\n\nasync def main():\n    await red_team(model_callback=model_callback, vulnerabilities=[bias], attacks=[prompt_injection])\n\nif __name__ == "__main__":\n    asyncio.run(main())' > red_team_llm.py && \
export OPENAI_API_KEY="sk-proj-yourkeyhere" && \
python3 red_team_llm.py
Enter fullscreen mode Exit fullscreen mode

What this does:
✅ Installs the latest deepteam package via pip
📁 Creates a project directory deepteam-test
🧠 Writes a minimal red_team_llm.py test script with:

  • A simple model_callback
  • One vulnerability: Bias

One attack method: PromptInjection
🔑 Sets the OPENAI_API_KEY (replace with your actual key)
🚀 Immediately runs the red teaming script against the dummy model

Conclusion: Red Teaming Isn’t Optional Anymore

In 2025, building smart systems means building safe systems. Whether you're deploying a chatbot, a document parser, or a multi-turn agent — you’re not just designing functionality. You’re designing for resilience, security, and trust.

Each red teaming tool we explored — Promptfoo, DeepTeam, PyRIT, and Garak — tackles this challenge from a different angle:

Promptfoo helps you test like a developer, with CI-ready flows and context-aware inputs.

DeepTeam gives you a plug-and-play solution for catching widespread vulnerabilities quickly.

PyRIT empowers full-scale risk simulations for teams that need control and compliance.

Garak is your go-to for stress-testing models with curated attacks that mimic known failure points.

There’s no one-size-fits-all answer. But there is a right tool for the right job.

So whether you’re in a startup shipping fast or an enterprise facing audits, red teaming is how you build with confidence. The question isn’t “Should we test?” anymore.

It’s “How far can someone push what we’ve built — and are we ready for it?”

🧪 Pick your toolkit. Run your tests. Ship safer.

Top comments (0)