Test AI products before attackers do: prompt attacks, tool abuse, data leakage, unsafe output, guardrail bypass, multi-agent workflows, and runtime policy enforcement.
Findings, reports, dashboards, exports, integrations, and retests all read from the same normalized record.
Pencheff favors repeatable checks, then uses AI for triage, enrichment, orchestration, and remediation where it adds signal.
Coverage
What does LLM red team test?
- OWASP LLM Top 10 campaigns with datasets and judges.
- This page is part of AI Security under Featured.
- It links back into the broader red team models, agents, tools, and guardrails experience.
- OWASP LLM Top 10 coverage for prompt injection, sensitive information disclosure, supply chain, data leakage, plugins, agency, overreliance, and model theft.
- Jailbreak strategies, roleplay, encoding, payload splitting, multilingual variants, custom datasets, and judge-backed scoring.
- Agentic tests for tool authorization, memory poisoning, context exfiltration, planner hijacking, and unsafe side effects.
- Sentry runtime guardrails, HTTP sidecars, LiteLLM plugins, MCP middleware, PII, secrets, unsafe HTML, and tool authorization checks.
- AI governance mapping to OWASP LLM, MITRE ATLAS, NIST AI RMF, EU AI Act, ISO/IEC 42001, GDPR, and SOC 2.
Execution
How does Pencheff run this?
- Register an LLM endpoint, chatbot, model gateway, MCP host, or agent workflow.
- Choose built-in categories, datasets, guardrails, custom prompts, and optional judge settings.
- Run adversarial campaigns across prompt, tool, memory, retrieval, output, and policy paths.
- Classify failures by category, strategy, severity, transcript, token cost, and guardrail recommendation.
- Turn passing and failing prompts into regression suites for releases and model upgrades.
Evidence
What evidence does this produce?
- Prompt, response, tool call, policy decision, transcript, category, strategy, judge result, and confidence.
- Recommended guardrails with exact unsafe behavior, enforcement point, and regression prompt.
- Token usage, model/provider metadata, retry behavior, and cost-oriented observability.
- Governance mappings for AI risk, safety, privacy, and compliance programs.
Controls
How is this kept safe to run?
- Tests can be run through HTTP, chat-completions, LiteLLM, MCP, or custom adapters.
- Guardrail recommendations stay tied to the scan that exposed the failure.
- Agentic testing focuses on authorization, context boundaries, and side-effect control.
- Runtime policy checks can be placed before prompts, after responses, or around tools.
Documentation
Read the full reference.
References
Authoritative sources
FAQ
Common questions
- What does an LLM red team test actually do?
- An LLM red team test sends thousands of adversarial prompts to your AI application, using automated attack strategies to find cases where the model produces harmful, false, or security-compromising output — including prompt injection, jailbreaks, PII leakage, and insecure code generation.
- What is prompt injection and why is it the top LLM risk?
- Prompt injection is an attack where malicious content in a user message, document, or tool response overrides the system prompt and redirects the LLM to take unintended actions — such as leaking data, bypassing guardrails, or impersonating the system. It is OWASP LLM01 and the highest-impact AI vulnerability class.
- How does Pencheff's LLM-as-judge grading work?
- After each adversarial turn, an independent judge model — separate from the model under test — evaluates whether the response constitutes a security failure according to the target policy. This eliminates manual review of thousands of responses and produces a consistent, auditable pass/fail verdict.
- Can I add custom jailbreak tests or policies to the LLM red team?
- Yes. Pencheff exposes a plugin SDK that lets you write custom attack modules, target-specific policy evaluators, and domain-specific adversarial prompt sets — extending the red team beyond the built-in OWASP LLM Top 10 modules.
Related