DeepTeam is a simple-to-use, open-source red teaming framework for LLM systems. Think of it as penetration testing, but for LLMs.
DeepTeam simulates attacks — jailbreaking, prompt injection, multi-turn exploitation, and more — to uncover vulnerabilities like bias, PII leakage, and SQL injection in your AI agents, RAG pipelines, and chatbots. It also offers guardrails to prevent these issues in production.
DeepTeam runs locally on your machine and is built on DeepEval, the open-source LLM evaluation framework.
[!IMPORTANT]
Need a place for your red teaming results to live? Sign up to the Confident AI platform to manage risk assessments, monitor vulnerabilities in production, and share reports with your team.
Want to talk LLM security, need help picking attacks, or just to say hi? Come join our discord.
🔥 Vulnerabilities, Attacks, and Features
-
📐 50+ ready-to-use vulnerabilities (all with explanations) powered by ANY LLM of your choice. Each vulnerability uses LLM-as-a-Judge metrics that run locally on your machine to produce binary pass/fail scores with reasoning:
-
- PII Leakage — disclosure of sensitive personal information
- Prompt Leakage — exposure of system prompt secrets and instructions
-
- Bias — stereotypes and unfair treatment across gender, race, religion, politics
- Toxicity — harmful, offensive, or demeaning content
- Child Protection — child-related privacy and safety risks
- Ethics — violations of moral reasoning and organizational values
- Fairness — discriminatory outcomes across groups and contexts
-
- BFLA — broken function-level authorization
- BOLA — broken object-level authorization
- RBAC — role-based access control bypass
- Debug Access — unauthorized access to debug modes and dev endpoints
- Shell Injection — unauthorized system command execution
- SQL Injection — database query manipulation
- SSRF — server-side request forgery to internal services
- Tool Metadata Poisoning — corrupted tool schemas and descriptions
-
💥 20+ research-backed adversarial attack methods for both single-turn and multi-turn (conversational) red teaming. Attacks enhance baseline vulnerability probes using SOTA techniques like jailbreaking, prompt injection, and encoding-based obfuscation:
-
- Prompt Injection — crafted injections that bypass LLM restrictions
- Roleplay — persona-based scenarios exploiting collaborative training
- Leetspeak — symbolic character substitution to avoid keyword detection
- ROT13 — alphabetic rotation to evade content filters
- Base64 — encoding attacks as random-looking data
- Gray Box — leveraging partial system knowledge for targeted attacks
- Math Problem — disguising attacks within mathematical inputs
- Multilingual — translating attacks to less-spoken languages
- Prompt Probing — probing the LLM to extract system prompt details
- Adversarial Poetry — transforming attacks into poetic verse with metaphor
- System Override — disguising attacks as legitimate system commands
- Permission Escalation — shifting perceived identity to bypass role restrictions
- Goal Redirection — reframing agent objectives for unauthorized outcomes