deepteam vs garak
Open-source red-teaming framework for LLM systems: 50+ vulnerabilities, jailbreak/injection/multi-turn attacks against agents, RAG pipelines and chatbots — plus guardrails. Runs locally. — versus — NVIDIA's LLM vulnerability scanner: nmap-style probing for jailbreaks, prompt injection, data leakage, toxicity and hallucination across dozens of model endpoints.
Same job — adversarial testing of LLM systems. garak is the nmap-style scanner you point at a model endpoint; DeepTeam is the framework you embed in your eval suite, with attack simulation and guardrails in one loop.
| deepteam | garak | |
|---|---|---|
| Stars | 2.2k | 8.5k |
| Forks | 363 | 1.1k |
| Language | Python | Python |
| License | Apache-2.0 | Apache-2.0 |
| Last activity | 9 days ago | 3 days ago |
| Topics | security, evals | security |
| Curated connections | 2 | 4 |
deepteam — the curator's take
Penetration testing for LLM apps with a framework's ergonomics: pick from 50+ documented vulnerabilities (bias, PII leakage, SQL injection via prompt) and simulated attacks including multi-turn exploitation, run locally, then wire the matching guardrails. Built on DeepEval, so red-team results plug into an eval workflow rather than dying in a report. NOT neutral infrastructure — it funnels toward the Confident AI platform for storing results (self-host your own reporting if that matters), and like every attack library it tests known patterns: a clean run is a floor, not a clearance.
garak — the curator's take
Run it before anything LLM-shaped ships: static, dynamic and adaptive probes for jailbreaks, injection, leakage and toxicity, with reports that name the failing probe and prompt — nmap for language models. Speaks to HF, OpenAI-compatible, Ollama and REST endpoints, so it tests what you actually deploy. NOT a guardrail — it finds holes, it doesn't plug them (pair with a runtime defense); a full probe run takes hours, and a clean scan tests the MODEL, not your product logic around it. Authorized targets only.