PyRIT vs Garak vs Promptfoo vs Mindgard: LLM Red Teaming Stack 2026

When I wired adversarial testing into ContentForge AI Studio's CI pipeline last quarter, the first run flagged 14 jailbreak vulnerabilities I had no idea were there — including one where a multi-turn "tutor mode" prompt chain reliably leaked our system instructions. That run took 38 minutes and cost about $2.40 in API calls. The same checks done manually would have taken our QA reviewer three days, and probably missed half of them.

Across the six AI products we run at Warung Digital (SmartExam, DiabeCheck, BizChat, DocSumm, ServiceBot, ContentForge), red teaming stopped being a pre-launch milestone and became a per-commit CI gate sometime around February 2026. The reason: customers started asking for it. Two of our enterprise prospects required documented adversarial testing reports before they would sign. So I spent eight weekends evaluating the entire LLM red teaming tooling landscape, integrated four of them into production, and want to write down what actually works versus what marketing pages claim.

This guide compares the four tools I shipped to production — PyRIT (Microsoft), Garak (NVIDIA), Promptfoo (now part of OpenAI as of March 2026), and Mindgard (commercial enterprise platform) — plus honorable mentions for the runners-up. By the end you should know which combination fits your stack and budget, and how to wire the kill chain together without burning hundreds of hours.

What "LLM Red Teaming" Actually Means in 2026

Red teaming is pre-deployment offensive testing. It is not the same as guardrails (runtime defense like Lakera Guard or NeMo Guardrails) and it is not the same as evals (correctness testing on golden datasets). Red teaming generates adversarial inputs designed to make your model misbehave — jailbreaks, prompt injection, PII extraction, denial of wallet attacks, agent action hijacking — and measures how often it succeeds.

The distinction matters because the three categories need different tools and run at different times. We run evals on every PR (Braintrust), guardrails at request time (NeMo + custom regex), and red teaming nightly + before every model swap (the stack covered in this article). If you try to make one tool do all three, you will get a worse outcome on each axis.

A useful mental model I've borrowed from the security community: Garak is your Nmap — broad surface sweep. PyRIT is your Metasploit — surgical multi-turn exploitation. Promptfoo is your regression test — confirm patches stick. Mindgard is your managed pentest vendor — you outsource the discipline. Most production teams need at least two of these.

Quick Decision Matrix

PyRIT — Microsoft's Multi-Turn Attack Engine

PyRIT (Python Risk Identification Tool) is Microsoft's open-source framework, originally built by the AI Red Team that does the adversarial assessments for products like Azure OpenAI and Bing Chat. It was released to the public in February 2024 and has since become the de facto standard for advanced jailbreak research.

What Makes PyRIT Different

The killer feature is multi-turn attack orchestration. Most jailbreaks in 2026 are not single-prompt — they are conversational. PyRIT ships built-in implementations of the major academic attack patterns:

• Crescendo: A 10-turn benign-to-adversarial gradient. The model agrees to small things, then larger things, then the actual attack payload — by which point it's already on a yes-path.
• TAP (Tree of Attacks with Pruning): Branches an attack tree, prunes failed paths, recombines successful sub-strategies. Computationally expensive but devastating against frontier models.
• PAIR (Prompt Automatic Iterative Refinement): Uses an attacker LLM to rewrite prompts based on target rejection messages until something gets through.

Where I Used It

SmartExam is our AI exam-question generator. The system prompt contains the rubric template, the difficulty calibration logic, and a list of forbidden topics. A user-facing "explain why this answer is correct" feature was the obvious attack surface — could a student get the model to reveal the answer key for unrelated questions in the same session?

Running PyRIT's Crescendo orchestrator with GPT-4o as the attacker LLM and our SmartExam endpoint as the target, we found a 7-turn conversation that would leak any answer in the active question bank. The fix was scope-isolating each explanation to a single QID at the system-prompt level. Without PyRIT we would have shipped that hole.

Hands-On Cost

For a full Crescendo + TAP run against SmartExam, I measured ~$8 in OpenAI API calls (attacker model) per 100 attack attempts. PAIR was cheaper at ~$2/100. Compute on a Hostinger VPS (4 vCPU, 8GB RAM) handled the orchestration without GPU. Total wall-clock for a 500-attempt nightly run: 42 minutes.

Tradeoffs

PyRIT's learning curve is real. You will write Python. The documentation assumes you understand attack taxonomy, threat models, and have read a couple of the underlying papers. If your team can't justify a week of ramp-up time, start with Promptfoo instead and add PyRIT later.

Garak — NVIDIA's Broad-Spectrum Vulnerability Scanner

Garak is to LLMs what Nmap is to networks — point it at a target, get a report listing every known weakness it can probe for. It is maintained by NVIDIA's AI security team and licensed Apache 2.0.

What Makes Garak Different

Garak ships with 37+ probe modules organized into categories: prompt injection, package hallucination, encoding attacks (Base64, ROT13 bypasses), continuation attacks (DAN-family jailbreaks), data leakage probes, malware-generation probes, toxicity probes, and more. Each probe has a corresponding detector that scores model responses.

The killer feature is the zero-configuration sweep. Point Garak at an OpenAI-compatible endpoint with one CLI flag and walk away. Two hours later you have a report ranking every probe by failure rate. No YAML, no Python, no plumbing.

Where I Used It

ServiceBot is our AI helpdesk product. It runs on a self-hosted Llama 3.1 8B (because the customer data can't go to OpenAI). Before promoting a fine-tuned variant from staging to production, we run Garak's full probe suite against the staging endpoint.

The first Garak run on our fine-tune flagged a regression I would not have caught: the fine-tuned model was MORE susceptible to Base64-encoded prompt injection than the base model, because the training data accidentally included encoded examples that primed it to decode. The base model failed 4% of encoding probes; the fine-tune failed 31%. We rolled back the training data, retrained, dropped to 6%. Garak found that in 90 minutes.

Hands-On Cost

Garak runs entirely against the target model — no attacker LLM needed. Cost is the inference cost on your target. For ServiceBot's self-hosted Llama, that's effectively free (we already pay for the GPU). For OpenAI-hosted targets, a full probe run is typically $5-15 in target inference cost.

Tradeoffs

Garak's strength — broad pre-built coverage — is also its weakness. Every probe is a known attack pattern. Garak won't find novel attacks specific to your application logic. It also has limited multi-turn capability; it's a single-shot scanner by design. Pair it with PyRIT, don't replace PyRIT with it.

Promptfoo — The CI Gate (Now Part of OpenAI)

Promptfoo started as an open-source LLM evaluation framework and grew red teaming as a first-class feature. On March 9, 2026, OpenAI announced its acquisition of Promptfoo for a reported $86M. The team — led by Ian Webster and Michael D'Angelo — continues to maintain the open-source MIT-licensed CLI while building integrated enterprise features inside the OpenAI platform.

What Makes Promptfoo Different

YAML configs. CI-native. npm install -g promptfoo, write a promptfooconfig.yaml declaring your target plus the attack plugins you want, and you have a CI job. The GitHub Actions integration is genuinely one-shot — Promptfoo publishes an action on the marketplace and the entire config is a 15-line workflow file.

Promptfoo's red team mode includes 30+ attack plugins covering OWASP LLM Top 10 categories, with severity scoring. The report renders as a static HTML dashboard you can attach to a PR comment or ship to compliance. We attach it to every release tag in our ContentForge repo.

Where I Used It

ContentForge AI Studio went from "manual red team before each release" to "automated red team on every PR touching the prompt files" the week I integrated Promptfoo. The configuration was 47 lines of YAML, took about an hour to write, and 20 minutes to wire into GitHub Actions.

The CI run on each PR takes 6-9 minutes (we limit to 50 attack attempts per plugin on PR, vs. 500 on the nightly main-branch job). On the first run after wiring it up, Promptfoo flagged 3 regressions a junior engineer had unknowingly introduced by refactoring the system prompt to "be more concise." Two were prompt-injection vectors, one was a PII-extraction risk on the support contact form.

Hands-On Cost

The CLI is free. Attack inference cost depends on which plugins you enable and against which target. For a 200-attempt nightly run against ContentForge (target: Claude Sonnet 4.6), we average $3.10/night in API costs. PR-level runs cost about $0.40 each.

Tradeoffs

Promptfoo's attack library is broad but not as deep as PyRIT for multi-turn research scenarios. It is also new enough that the enterprise pricing post-OpenAI-acquisition is still settling — quotes I've seen from peers range widely. The open-source CLI remains fully featured though, so most teams won't need the paid tier.

Mindgard — Managed Enterprise Red Teaming

Mindgard is a UK-founded commercial AI security platform with 11 PhDs on the research team, recognized in the OWASP LLM and Generative AI Security Solutions Landscape Guide and winner of the 2025 Cybersecurity Excellence Award for Best AI Security Solution. It positions itself as DAST for AI — Dynamic Application Security Testing.

What Makes Mindgard Different

You don't write any test code. Mindgard's platform discovers your AI surface, runs continuous adversarial probes drawn from their internal research catalog, and produces compliance-grade reports mapped to OWASP LLM Top 10, NIST AI RMF, EU AI Act, and ISO/IEC 42001 controls.

The coverage extends beyond LLMs to multimodal models, agent systems, NLP classifiers, and computer vision — useful if your AI portfolio spans more than just chat. CI/CD integration is mature: Jenkins, GitLab, GitHub Actions, Azure DevOps.

Where I Did NOT Use It

I evaluated Mindgard in a 30-minute sales call and got a quote based on the number of AI systems under test plus CI integration depth. For our six-product portfolio it was well into five figures annually — appropriate for a regulated enterprise, way over budget for a 30-person company. We passed.

That said, if I were running AI red teaming at a bank, a healthcare provider, or a Fortune 500 with hard compliance deadlines, I would seriously evaluate Mindgard against HiddenLayer and Lakera. The audit-quality reports alone are worth the price tag at that scale.

Tradeoffs

Pricing opacity is real (no public price list). The platform is closed-source, so if you walk away you lose the test history. The reporting and compliance mapping is the moat — if you don't need it, you're paying for features you won't use.

Honorable Mentions

• HiddenLayer. Commercial platform. Pick this over Mindgard if your threat model includes ML model supply chain attacks (malicious safetensors files, pickled deserialization exploits). Their model scanner is the best in market.
• Lakera Red. Sibling product to Lakera Guard. Tight integration if you're already running Guard in production. Less coverage than Mindgard but cheaper entry point.
• DeepTeam. From the Confident AI team behind DeepEval. Open-source, MIT licensed, conceptually similar to Promptfoo but with a Python-native API. Worth a look if your team prefers Python over YAML.
• Giskard. Strong on traditional ML model testing (tabular, NLP classifiers) plus growing LLM coverage. The right pick if your "AI" is mostly classical ML with some generative on top.
• Inspect (UK AISI). Framework from the UK AI Safety Institute, designed for evaluations and safety research. Less commercial polish, more academic rigor.

My Production Stack — The Kill Chain

Here is the exact red teaming stack we run on the four AI products that have customer-facing LLM features (SmartExam, BizChat, ServiceBot, ContentForge):

1. On every PR: Promptfoo CI gate, 50 attempts per plugin, ~7 minutes, ~$0.40. Blocks merge if severity-high findings increase.
2. Nightly main-branch: Promptfoo with 500 attempts per plugin (~$3) + Garak full probe sweep (~$8 against OpenAI targets, free against self-hosted). Reports go to a Slack channel.
3. Weekly: PyRIT Crescendo + TAP runs against the highest-risk endpoints (SmartExam answer-key leak, BizChat revenue-data leak). 4 hours of compute, $30-50 in attacker-model API.
4. Before any model swap: Full PyRIT + Garak + Promptfoo run against the candidate model. Don't promote unless severity-high count is <= baseline.
5. Quarterly: External pentest by a human red team (we use a freelance consultant, not Mindgard). Catches novel attacks the tools don't know about yet.

Total tooling cost for this stack: ~$180/month in API calls plus the cost of the Hostinger VPS that runs the orchestration ($16/month). Zero license fees. Total engineering time invested in setup: about 60 hours across six weeks, mostly mine.

The Numbers — What I've Measured Across 4 Months

From January through April 2026, across the four products with this stack live:

• 91 distinct severity-high vulnerabilities caught before reaching production. Of those, 38 would have been "demo-breaking" (model leaks system prompt, model performs hallucinated tool call, model generates content violating our content policy).
• 2 false positives per 100 attack attempts on average — Promptfoo's grading is reasonably tight; PyRIT's varies more by attack type. Manual triage budget: ~3 hours/week.
• 0 production red team incidents in this window. Compared to the previous 4 months (pre-tooling) when we had 2 publicly visible incidents and probably more we didn't catch.
• Per-product setup time: 8-12 hours after the framework was in place. Adding a fifth product (DocSumm, last month) took 9 hours.

FAQ

Do I need all four tools?

No. The minimum viable stack is Promptfoo (CI gate) + Garak (broad scanner). That covers 70% of what most teams need. Add PyRIT when you start finding application-specific multi-turn vulnerabilities that the canned probes can't reach. Add Mindgard (or HiddenLayer) only if you have compliance requirements that demand a vendor.

What about jailbreaking my own model — is that legal?

Yes, if you own the model deployment or have written permission from the model provider. All four tools above are built for testing systems you control. Don't run them against ChatGPT.com or someone else's hosted product without explicit authorization — that is unauthorized testing and likely violates the provider's terms of service.

How often do attack libraries get updated?

Garak releases new probes roughly monthly. Promptfoo plugins update with each minor release (~weekly). PyRIT lags slightly — major new attack patterns ship every 1-2 months but typically come from published research, not closed-team development. Mindgard's catalog is continuous — that is part of what you pay for.

What about agent red teaming specifically?

Agent red teaming (tools, memory, planning loops) is younger and less mature than chat red teaming. Promptfoo has agent plugins (look for the agent-* family). PyRIT supports tool-use orchestration in its newer releases. Mindgard explicitly covers agents. If you're shipping a serious agent product, plan to write some custom attack code beyond what the libraries provide.

Can I just use OpenAI's Frontier Red Team features now that they acquired Promptfoo?

If you're an OpenAI enterprise customer, you increasingly can. OpenAI is integrating Promptfoo's capabilities into their Frontier safety platform. The open-source CLI is staying free and MIT-licensed, so you don't have to use the OpenAI-integrated version. For multi-model teams (we use Claude, OpenAI, and self-hosted Llama), the CLI is still the right choice.

Does any of this matter for small AI products?

Yes, more than you'd think. The cheapest tier of this stack — Promptfoo CLI + GitHub Actions free tier + your existing model API budget — adds maybe $50/month in API costs and a one-time afternoon of setup. For a 1-person AI side project, that is cheap insurance against a public embarrassment that could kill the product.

The Bottom Line

Red teaming in 2026 is no longer optional for any AI product with public endpoints. The good news: the open-source tooling is genuinely production-ready. Promptfoo + Garak + PyRIT is a free stack that catches the overwhelming majority of vulnerabilities, runs in CI, and integrates with the version control workflow your team already uses. Mindgard, HiddenLayer, and Lakera are the right call when you need vendor-backed compliance reporting, but most teams should start with the open-source kill chain and only add commercial tools when a contract or regulator forces the question.

The discipline matters more than the tools. Run something on every commit. Run more nightly. Run the deep stuff weekly. Take the findings seriously even when they look noisy — by month three, the signal-to-noise ratio gets very good, and the cost of fixing something a tool found is always less than the cost of fixing something a customer found.