The problem
Most eval tools run single-prompt probes. A model blocks"how to make a bomb" and the tool marks it safe. Done.
But real attackers don’t send one prompt. A 2025 multi-lab study (researchers from OpenAI, Anthropic, Google DeepMind) showed that adaptive attacks bypass 12 published defenses with >90% success rate - even when those defenses originally reported near-zero attack rates.
Single-attempt testing misses real vulnerabilities.
What ai-blackteam does differently
ai-blackteam runs multi-turn, adaptive attacks that mirror real adversarial pressure:- 1,020 curated attack techniques with a 163M expanded attack surface
- 19 benchmark loaders - HarmBench, AdvBench, JailbreakBench, SorryBench, WMDP (bio/cyber/chem), DoNotAnswer, WildGuard, RedBench, SALAD-Bench, StrongREJECT, AART, ForbiddenQuestions, BeaverTails, RealToxicityPrompts, JailBreakV-28K, RedTeam-2K, AgentHarm
- 7 adaptive generators - PAIR, TAP, Fuzzer, AutoDAN (genetic algorithm), PAP (persuasion techniques), Crescendo (multi-turn escalation), Best-of-N (sample-and-pick)
- 17 providers - Anthropic, OpenAI, Azure OpenAI, Google, xAI Grok, DeepSeek, Mistral, Groq, Together AI, Perplexity, Cohere, Fireworks, AI21, Amazon Bedrock, Ollama, HuggingFace, plus a generic HTTP provider for your own endpoints
- Multi-turn depth - crescendo, sunk-cost, context-manipulation attacks that exploit conversational memory over 10+ turns
- Agent attacks - credential theft, data exfiltration, sandbox escape, config manipulation via tool-use; AgentHarm (UK AI Safety Institute) integrated
- MCP exploitation - tool poisoning, rug pulls, server impersonation, shadowing, privilege escalation
- 9 standards mapped - code-level taxonomy mappings for MITRE ATLAS v5.4.0, OWASP LLM Top 10 (2025), OWASP Agentic Top 10 (2026), MLCommons AILuminate, EU AI Act, NIST AI RMF, and CVSS; CSA MAESTRO and ISO 42001 as documented alignments. Three runnable scorecards:
scorecard --standard llm | agentic | compliance - CI-ready - exit codes, safety thresholds, SARIF (GitHub code scanning), JSON/Promptfoo/garak export
- Research-backed - implements published attacks from Microsoft Research, Palo Alto Unit 42, USENIX, UK AI Safety Institute
How it compares
ai-blackteam is independent and vendor-neutral: it isn’t owned by a model lab, so it tests every provider on equal footing. It pairs a large curated attack corpus with multi-turn and adaptive attacks, agent and tool-use exploitation, and mapping to multiple compliance standards. For honest, side-by-side breakdowns, including when another tool is the better fit, see the dedicated comparisons:vs Promptfoo
vs garak
vs PyRIT
vs DeepTeam
Next steps
Install
Get ai-blackteam running in under a minute
Quick Start
Run your first safety scan in 5 minutes