Skip to main content

The LLM Red Teaming Framework

Project description

DeepTeam.

The LLM Red Teaming Framework

Documentation | Vulnerabilities, Attacks, and Features | Getting Started | Confident AI

GitHub release discord-invite License

Deutsch | Español | français | 日本語 | 한국어 | Português | Русский | 中文

DeepTeam is a simple-to-use, open-source red teaming framework for LLM systems. Think of it as penetration testing, but for LLMs.

DeepTeam simulates attacks — jailbreaking, prompt injection, multi-turn exploitation, and more — to uncover vulnerabilities like bias, PII leakage, and SQL injection in your AI agents, RAG pipelines, and chatbots. It also offers guardrails to prevent these issues in production.

DeepTeam runs locally on your machine and is built on DeepEval, the open-source LLM evaluation framework.

[!IMPORTANT] Need a place for your red teaming results to live? Sign up to the Confident AI platform to manage risk assessments, monitor vulnerabilities in production, and share reports with your team.

Confident AI + DeepTeam

Want to talk LLM security, need help picking attacks, or just to say hi? Come join our discord.

 

🔥 Vulnerabilities, Attacks, and Features

  • 📐 50+ ready-to-use vulnerabilities (all with explanations) powered by ANY LLM of your choice. Each vulnerability uses LLM-as-a-Judge metrics that run locally on your machine to produce binary pass/fail scores with reasoning:

  • 💥 20+ research-backed adversarial attack methods for both single-turn and multi-turn (conversational) red teaming. Attacks enhance baseline vulnerability probes using SOTA techniques like jailbreaking, prompt injection, and encoding-based obfuscation:

  • 🏛️ Red team against established AI safety frameworks out-of-the-box. Each framework automatically maps its categories to the right vulnerabilities and attacks:

    • OWASP Top 10 for LLMs 2025
    • OWASP Top 10 for Agents 2026
    • NIST AI RMF
    • MITRE ATLAS
    • BeaverTails
    • Aegis
  • 🛡️ 7 production-ready guardrails for fast binary classification to guard LLM inputs and outputs in real time.

  • 🧩 Build your own custom vulnerabilities and attacks that integrate seamlessly with DeepTeam's ecosystem.

  • 🔗 Run red teaming from the CLI with YAML configs, or programmatically in Python.

  • 📊 Access risk assessments, display in dataframes, and save locally in JSON.

 

🚀 QuickStart

DeepTeam does not require you to define what LLM system you are red teaming — because neither will malicious users. All you need to do is install deepteam, define a model_callback, and you're good to go.

Installation

pip install -U deepteam

Red Team Your First LLM

from deepteam import red_team
from deepteam.vulnerabilities import Bias
from deepteam.attacks.single_turn import PromptInjection

async def model_callback(input: str) -> str:
    # Replace this with your LLM application
    return f"I'm sorry but I can't answer this: {input}"

risk_assessment = red_team(
    model_callback=model_callback,
    vulnerabilities=[Bias(types=["race"])],
    attacks=[PromptInjection()]
)

Don't forget to set your OPENAI_API_KEY as an environment variable before running (you can also use any custom model supported in DeepEval), and run the file:

python red_team_llm.py

That's it! Your first red team is complete. Here's what happened:

  • model_callback wraps your LLM system and generates a str output for a given input.
  • At red teaming time, deepteam simulates a PromptInjection attack targeting Bias vulnerabilities.
  • Your model_callback's outputs are evaluated using the BiasMetric, producing a binary score of 0 or 1.
  • The final passing rate for Bias is determined by the proportion of scores that equal 1.

Unlike traditional evaluation, red teaming does not require a prepared dataset — adversarial attacks are dynamically generated based on the vulnerabilities you want to test for.

 

Red Team Against Safety Frameworks

Use established AI safety standards like OWASP and NIST instead of manually picking vulnerabilities:

from deepteam import red_team
from deepteam.frameworks import OWASPTop10

async def model_callback(input: str) -> str:
    # Replace this with your LLM application
    return f"I'm sorry but I can't answer this: {input}"

risk_assessment = red_team(
    model_callback=model_callback,
    framework=OWASPTop10()
)

This automatically maps the framework's categories to the right vulnerabilities and attacks. Available frameworks include OWASPTop10, OWASP_ASI_2026, NIST, MITRE, Aegis, and BeaverTails.

 

Guard Your LLM in Production

Once you've found your vulnerabilities, use DeepTeam's guardrails to prevent them in production:

from deepteam import Guardrails
from deepteam.guardrails import PromptInjectionGuard, ToxicityGuard, PrivacyGuard

guardrails = Guardrails(
    input_guards=[PromptInjectionGuard(), PrivacyGuard()],
    output_guards=[ToxicityGuard()]
)

# Guard inputs before they reach your LLM
input_result = guardrails.guard_input("Tell me how to hack a database")
print(input_result.breached)  # True

# Guard outputs before they reach your users
output_result = guardrails.guard_output(input="Hi", output="Here is some toxic content...")
print(output_result.breached)  # True

7 guards are available out-of-the-box: ToxicityGuard, PromptInjectionGuard, PrivacyGuard, IllegalGuard, HallucinationGuard, TopicalGuard, and CybersecurityGuard. Read the full guardrails docs here.

 

DeepTeam with Confident AI

Confident AI is the all-in-one platform that integrates natively with DeepTeam and DeepEval.

  • Manage risk assessments — view, compare, and track red teaming results across iterations
  • Monitor in production — detect and alert on vulnerabilities hitting your live LLM system
  • Share reports — generate and distribute security reports across your team
  • Run from your IDE — use Confident AI's MCP server to run red teams, pull results, and inspect vulnerabilities without leaving Cursor or Claude Code

Confident AI

 

Contributing

Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us.

 

Authors

Built by the founders of Confident AI. Contact jeffreyip@confident-ai.com for all enquiries.

 

License

DeepTeam is licensed under Apache 2.0 - see the LICENSE.md file for details.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

deepteam-1.0.7.tar.gz (465.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

deepteam-1.0.7-py3-none-any.whl (848.7 kB view details)

Uploaded Python 3

File details

Details for the file deepteam-1.0.7.tar.gz.

File metadata

  • Download URL: deepteam-1.0.7.tar.gz
  • Upload date:
  • Size: 465.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.4.1 CPython/3.11.9 Darwin/22.4.0

File hashes

Hashes for deepteam-1.0.7.tar.gz
Algorithm Hash digest
SHA256 8bf35facbee109149f638aa96a7d72b39a8b8fc055d6d58384fd5cb5103bef2d
MD5 18071ccbcef7b11f0de9632366cd7cc0
BLAKE2b-256 d917e0799a33a34246a2dd0e95a59f6a3a3172628ced6e37e8d379b7a680f910

See more details on using hashes here.

File details

Details for the file deepteam-1.0.7-py3-none-any.whl.

File metadata

  • Download URL: deepteam-1.0.7-py3-none-any.whl
  • Upload date:
  • Size: 848.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.4.1 CPython/3.11.9 Darwin/22.4.0

File hashes

Hashes for deepteam-1.0.7-py3-none-any.whl
Algorithm Hash digest
SHA256 0ff51cd7c1565de999d2233535f920362bcfd78a8a440b92cc772888c1fce8b7
MD5 fbaff417c2176c97244b410419776f3c
BLAKE2b-256 7843de6bd4c9a6597051f9660bef1f71849caa2b834af08991564690e6ebca92

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page