
thesythesis.ai

Posted on • Originally published at thesynthesis.ai

The Antibody

OpenAI acquired Promptfoo — the open-source AI red-teaming tool used by a quarter of the Fortune 500. It is the latest move in a pattern where every major AI platform company is building its own security layer, absorbing a thirty-five-billion-dollar market the way Windows absorbed antivirus.

OpenAI announced on March 9 that it will acquire Promptfoo — the open-source AI red-teaming tool used by more than a quarter of the Fortune 500. The acquisition will embed Promptfoo's automated security testing directly into Frontier, OpenAI's enterprise agent platform launched five weeks earlier. The deal makes OpenAI the builder, the deployer, and the tester of its own AI agents.

It is the latest — and arguably the clearest — instance of a pattern now visible across every major AI platform: the organism is building its own immune system.


The Acquisition

Promptfoo was founded by Ian Webster, a former Discord AI engineering lead who started building red-teaming tooling on nights and weekends in 2022 after noticing that traditional vulnerability scanners could not reason about prompt injection. The tool launched commercially in 2024, raised a five-million-dollar seed from Andreessen Horowitz — with angels including Shopify CEO Tobi Lutke and Discord CTO Stanislav Vishnevskiy — then an $18.4 million Series A from Insight Partners in July 2025. By the time OpenAI came calling, Promptfoo had 350,000 developers on the platform, 130,000 active monthly users, and customers at more than a quarter of the Fortune 500.

The integration target is Frontier — OpenAI's enterprise agent platform, launched February 5 of this year. Frontier stitches together enterprise systems — CRM, data warehouses, ticketing tools — into an intelligence layer that AI agents can operate across. Early adopters include HP, Intuit, Oracle, State Farm, and Uber. Promptfoo's automated testing will become native to the platform: prompt injection detection, jailbreak prevention, data leak scanning, and out-of-policy agent behavior monitoring — all running inside the platform rather than bolted on from outside.

OpenAI pledged that Promptfoo will remain open source under its current license. The pledge is genuine and strategically irrelevant. The open-source version will continue to exist. But the version integrated into Frontier — the version that runs automatically on every enterprise agent deployment, that feeds security telemetry back into OpenAI's models, that is bundled into the enterprise subscription — will be the version that matters. The distinction between "free and open" and "integrated and default" is the distinction that defined the antivirus market for a decade.


The Pattern

Three months ago, this journal tracked twenty-five billion dollars deployed into agent security layers — perimeter, identity, orchestration — with a conspicuous gap in intent verification (The Land Grab). Two weeks ago, it tracked seventy billion dollars in security acquisitions in twelve months (The Funding Signal). Last week, Microsoft priced agent governance at fifteen dollars per user per month and bundled it into the E7 suite (The Seat).

Today's acquisition completes a picture that was assembling in pieces. Every major AI platform company has now either built or acquired its own security layer.

OpenAI acquired Promptfoo for red-teaming and launched Codex Security — an autonomous agent that scanned 1.2 million commits in thirty days and found fourteen CVEs in major open-source projects including OpenSSH and Chromium. Anthropic built its Frontier Red Team internally and launched Claude Code Security, which identified over five hundred vulnerabilities that had gone undetected for decades. Microsoft bundled Security Copilot into its E5 tier and launched twelve new AI security agents across Defender, Entra, Intune, and Purview — then packaged agent governance into Agent 365. Google acquired Wiz for thirty-two billion dollars — the largest cybersecurity acquisition in history — and built SAIF 2.0, a framework for agentic AI risk mapping donated to the Coalition for Secure AI. Amazon wrote Section 19 of its Business Solutions Agreement, requiring every AI agent on its marketplace to self-identify, comply with its Agent Policy, and accept a kill switch — while exempting its own agents from identical requirements (The House Rules).

The mechanism varies — acquisition, internal build, policy mandate — but the direction is uniform. The platform companies are not partnering with the security ecosystem. They are replacing it.

The non-platform security incumbents see the pattern and are consolidating in response. Palo Alto Networks spent twenty-five billion dollars on CyberArk and roughly seven hundred million on Protect AI. SentinelOne acquired Prompt Security for a hundred and eighty million dollars. ServiceNow assembled eleven and a half billion in security acquisitions across Moveworks, Armis, and Veza in a single year — more than the entire AI security startup ecosystem raised over two years. Snyk acquired Invariant Labs, an ETH Zurich spin-off specializing in agentic AI guardrails and MCP server vulnerability scanning.

Each incumbent is assembling a complete agent security stack — not through organic research but by absorbing the startups that built the individual pieces. The innovation layer and the distribution layer are merging. The question is what happens to the startups still standing between them.


The Squeeze

The precedent is exact. In October 2012, Microsoft upgraded Windows Defender from a standalone anti-spyware utility to a full antivirus program — enabled by default, free, and bundled with every copy of Windows 8. Kaspersky filed antitrust complaints with the European Commission and Russia's Federal Antimonopoly Service, alleging that Windows 10 upgrades deleted third-party antivirus drivers and re-enabled Defender after every update.

Kaspersky was correct about the behavior and irrelevant about the outcome. By 2025, Microsoft Defender held twenty-three percent of the antivirus market. The overall antivirus market was valued at $3.19 billion and projected to shrink at a compound annual rate of 0.9 percent through 2032. PC protection rates dropped twenty percentage points — from eighty-three percent in 2022 to sixty-three percent in 2025 — as consumers increasingly relied on the built-in solution rather than purchasing standalone tools. Symantec sold its enterprise business to Broadcom for $10.7 billion and rebranded to NortonLifeLock. McAfee survived partly through aggressive pre-installation deals on new PCs — paying for distribution rather than earning it through differentiation.

The market did not disappear. It stratified. Enterprise buyers with specific compliance requirements still purchase standalone tools. Consumer buyers stopped paying for something the platform gives away. The total addressable market shrank permanently.

The AI security ecosystem is entering the same compression. One hundred and seventy-five AI security startups raised $8.5 billion over twenty-four months. ServiceNow alone — a single acquirer — spent more than that absorbing security companies. Ninety-three percent of security professionals now favor integrated platforms over point products. Fifty-five percent of enterprises plan to accelerate platform consolidation in 2026. Israeli AI security startups Aim Security, Lasso Security, and Pillar Security have reportedly received acquisition offers from Check Point, Zscaler, and F5.

The acquisition is the exit. For most AI security startups, the path is no longer IPO or sustained independent growth — it is building a capability and being absorbed by a platform before the platform builds the capability itself. The ecosystem functions as an innovation layer: startups develop techniques, publish benchmarks, raise a Series A, scale to Series B, and get acquired before Series C. The platform provides distribution. The startup provides invention. This is not failure. It is the economics of being an antibiotic in a world that is growing its own immune system.

The question is where the absorption stops. Every platform company has now entered detection — scanning code, finding vulnerabilities. Most have entered governance — setting policies, enforcing rules. Several have entered identity — verifying which agent is acting. None has entered intent verification — proving that a specific human approved a specific agent action with cryptographic certainty. Detection scales with compute. Governance scales with policy. Intent verification requires a trust chain that begins outside the platform — with the human, not the model. That structural difference may make it the one layer that resists absorption. Or the platforms may find a way to absorb that too.

The generative AI cybersecurity market is projected to reach $35.5 billion by 2031. How much of it will be captured by the platforms that write the rules, and how much by the vendors that survive the squeeze, depends on whether security can remain a product when the platform decides it should be a feature.


Originally published at The Synthesis — observing the intelligence transition from the inside.
