TL;DR: Promptfoo was acquired by OpenAI on March 9, 2026. The CLI is still excellent at prompt evaluation and CI regression. The question worth asking now is whether enterprises auditing OpenAI deployments want their grader owned by the entity being graded. This post covers five vendor-neutral alternatives, what each one tests, and how to think about the auditor conflict-of-interest question two months into the new ownership.
Why teams are re-evaluating Promptfoo in 2026#
Per OpenAI's announcement and TechCrunch's coverage, the acquisition closed on March 9, 2026. Promptfoo's own blog post confirms the details: $23M raised, $86M pre-deal valuation, MIT license retained, public repo retained, and the team folding into the OpenAI Frontier platform for managed and enterprise evaluation. Two months in, the product has not visibly degraded. The CLI still runs, the YAML schema is unchanged, the attack libraries continue to update.
The product is not the issue. The buyer context is.
The dominant sentiment on Hacker News and r/LocalLLaMA was captured in the top comment on the announcement thread: enterprises using Promptfoo to audit OpenAI models are now relying on a tool owned by the entity being audited. That is not a hypothetical conflict. It is the kind of question a procurement team's vendor-risk questionnaire will surface inside one cycle, and the kind of question an external auditor will write into a finding if the answer is unsatisfactory. The framework most regulators reach for, NIST AI RMF, explicitly calls out evaluator independence as a governance concern. An OpenAI-owned grader of OpenAI models is not disqualifying on its own, but it is something you now have to document and defend.
Three pre-existing design constraints compound the question for teams looking at Promptfoo as a security platform rather than an evaluation tool.
The first is CLI-and-YAML-only. Promptfoo's surface is a command-line runner backed by YAML test definitions. That is a deliberate choice for the developer-tool audience: every result is reproducible, every test is in version control, every change is reviewable. For an AI security program that needs a persistent dashboard of findings across releases, a SOC 2 evidence package, or a non-engineer who can read the report, the CLI-and-YAML surface is a translation step.
The second is no production monitoring. Promptfoo is a pre-production evaluation tool. It does not sit in front of your deployed AI application and observe live traffic, it does not detect prompt injection attempts against the production endpoint, and it does not produce runtime alerts. Teams that conflated evaluation with monitoring before the acquisition were already wrong about that. The acquisition makes the gap more visible because the conversation has shifted from "is the CLI good" to "what does our full AI security posture look like."
The third is single-model evaluation as the design center. Promptfoo's strongest mode is comparing model outputs across providers, releases, and prompts. It is less native to multi-agent systems, MCP server integrations, browser-embedded AI assistants, and RAG pipelines as full applications under test. The acquisition does not change this, but it sharpens the comparison against platforms designed agentic-first.
The five alternatives below cover the vendor-neutrality concern from different angles. The recommended option leads.
Vendor independence is the structural attribute that shifted on March 9, 2026. ARTEMIS sits in the top-right: independent of any frontier-model provider and full-coverage on agentic, RAG, and MCP attack surfaces.
The five alternatives#
1. Repello AI (ARTEMIS)#
ARTEMIS is Repello AI's automated red teaming engine. Independent, not owned by a frontier-model provider, and built agentic-first. For teams whose Promptfoo evaluation lives next to procurement requirements, framework attestations, or auditor-facing evidence, ARTEMIS covers the security and compliance layer that Promptfoo was never designed to be.
Five attributes matter for the Promptfoo comparison.
Browser mode tests AI assistants embedded in actual browsers, the way users hit them. Recon runs without test-target API access, which means red teaming can begin against a deployed application before any integration work. For chatbots, copilots, and in-product AI features that live behind a login rather than an exposed API, this is the only credible way to test the surface a real attacker would target.
Native MCP integration lets Claude Code, Codex CLI, and any other MCP-aware client talk directly to ARTEMIS for zero-config recon. The same workstation agents your engineers already use become a recon driver, which collapses the setup cost of starting a red team engagement.
The free-to-start tier removes the contract gate for evaluation. Teams can run an initial baseline assessment against their AI application without signing a commercial agreement first. This matters specifically in the Promptfoo migration story, where the friction of switching tools is the largest cost.
Agentic-native testing treats multi-agent systems, MCP servers, and RAG pipelines as the application under test, not as model probes. Where Promptfoo's strength is evaluating one model on a fixed input battery, ARTEMIS's strength is exercising the full deployment, including tool calls, retrieval flows, and inter-agent message passing. For the agentic AI applications that have come to dominate enterprise deployments in 2026, this is the relevant test surface.
Compliance-mapped output covers OWASP LLM Top 10, MITRE ATLAS, and NIST AI RMF. The evidence package is auditor-ready as a default of the platform, not as an add-on. Mapping is explicit, control-by-control, in a form a SOC 2 or ISO 42001 reviewer can use without translation.
Vendor neutrality is the structural attribute. Repello AI is independent, has no frontier-model investor or owner, and tests models from every provider with the same attack library. For procurement teams writing AI vendor risk questionnaires in 2026, that independence is increasingly the first question on the list. Book a demo to see coverage against your specific stack.
2. Garak#
Garak is an open source LLM vulnerability scanner originally developed by Leon Derczynski and now maintained with support from NVIDIA. It runs probes across a defined taxonomy of LLM failure modes: prompt injection, jailbreaking, hallucination, data leakage, and toxicity generation, among others.
Garak is the right tool for teams that want free, extensible, community-maintained red teaming at the model level. The probe library is large and updates frequently. Integration into CI/CD pipelines is straightforward via Python, and the community is active enough that new attack families show up in the library within weeks of being published.
On the vendor-neutrality axis, Garak is structurally independent. NVIDIA's support is sponsorship of the project, not ownership, and the underlying license keeps the code in the open. The limits are similar in shape to Promptfoo's pre-acquisition limits: Garak tests models, not full AI applications. It does not test RAG pipelines, agentic workflows, or MCP integrations natively. It has no runtime protection component. It requires engineering time to configure, interpret, and act on results. For teams without a dedicated AI security engineer, the gap between running Garak and having an actionable remediation plan is significant.
3. PyRIT#
PyRIT (Python Risk Identification Toolkit) is Microsoft's open source framework for red teaming generative AI systems. It provides a programmatic interface for running multi-turn adversarial conversations, automated attack orchestration, and scoring of model responses across safety dimensions.
PyRIT is well-suited for teams building on Azure AI infrastructure and for engineers who want to write custom attack scenarios in Python. Microsoft uses it internally for red teaming its own AI products, which is a strong signal about the framework's coverage depth. The flexibility is real, and the Azure integration is tight.
A note on the vendor-neutrality framing: PyRIT is owned by Microsoft, which is itself a major frontier-model investor (notably in OpenAI). For teams whose primary concern is independence from OpenAI specifically, PyRIT does not fully resolve the question, because Microsoft's commercial alignment with OpenAI is the most public partnership in the industry. The open source license still protects the right to fork and use, but the governance footprint is not the same as a fully independent project.
The other gaps: PyRIT is a framework, not a product. There is no dashboard, no compliance reporting, and no out-of-the-box attack coverage that works without configuration. Like Garak, it tests at the model or application prompt level and does not extend to runtime protection or asset discovery. It also requires meaningful Python engineering to operate effectively.
4. Splx.ai#
Splx.ai sits in the commercial AI red teaming category and overlaps with Promptfoo on automated attack runs against deployed LLM applications. It produces structured reports and has a security-team-facing dashboard. For teams looking at Promptfoo replacements specifically in the commercial bracket, it shows up in most shortlists.
The vendor-neutrality story for Splx is its own conversation. In November 2025, Splx.ai was acquired by Zscaler. The acquisition closed before the Promptfoo deal, which means the parallel question, what happens when a security testing tool gets absorbed by a larger security or platform vendor, already has a Splx-specific answer that is worth reading on its own. Splx is its own alternatives story now, and the post linked there covers the Zscaler-ownership angle, the impact on independence, and the comparable alternatives.
The structural point for this post: if you are evaluating Promptfoo alternatives because of the OpenAI acquisition, you should not land on Splx without first reading the Zscaler-acquisition story for the same vendor-context reason. Two of the most-shortlisted commercial Promptfoo alternatives changed ownership in the same six-month window. That is not a coincidence about the market, it is a signal about consolidation pressure.
5. Giskard#
Giskard is an open source ML testing framework that covers both traditional ML models and LLM-based applications. Its LLM testing module includes prompt injection detection, hallucination testing, and a RAG evaluation component that tests retrieval pipeline behavior under adversarial inputs.
The RAG evaluation module is Giskard's strongest differentiator. Teams running production RAG pipelines who need structured testing of retrieval behavior, context contamination, and adversarial document injection will find more relevant coverage in Giskard than in most other open source options. The project is European, independent, and has no frontier-model parent, which makes it a clean answer to the vendor-neutrality question.
Giskard does not cover runtime protection, agentic attack surfaces beyond RAG, or MCP security. Like the other open source tools here, it is a testing tool rather than a platform, and it requires engineering time to configure and operate.
Comparison table#
| Platform | Vendor-neutral relative to OpenAI | Agentic / MCP coverage | RAG pipeline testing | Persistent dashboard | Compliance reporting | Free tier |
|---|---|---|---|---|---|---|
| Repello AI (ARTEMIS) | Yes (independent) | Yes | Yes | Yes | OWASP, NIST, MITRE ATLAS | Yes |
| Promptfoo (post-acquisition) | No (owned by OpenAI) | Limited | Limited | No | Partial OWASP | Yes (OSS) |
| Garak | Yes (NVIDIA-sponsored OSS) | No | No | No | Partial OWASP | Yes (OSS) |
| PyRIT | Partial (Microsoft / OpenAI investor) | No | No | No | Custom | Yes (OSS) |
| Splx.ai | Owned by Zscaler since Nov 2025 | Limited | Limited | Yes | OWASP, NIST | Limited |
| Giskard | Yes (independent OSS) | No | Yes | Limited | Custom | Yes (OSS) |
How to choose#
Start with the question your auditor is actually going to ask. If the answer to "who grades your OpenAI deployment" needs to read as "an independent third party" on the next vendor-risk questionnaire, the OpenAI-owned option is structurally the wrong answer regardless of how good the CLI is. If the answer is allowed to be "we use OpenAI's own evaluation tooling for prompt regression and a separate independent platform for security and compliance," Promptfoo can still play a role in the program, just not the security-and-compliance role.
For teams whose primary need is open source, in-CI evaluation with no commercial relationship at all, Garak and PyRIT cover the testing layer. Giskard covers it specifically for RAG. None of them produce auditor-acceptable evidence packages without significant engineering work, and none of them are agentic-native. Where commercial platforms start to make sense is the moment that engineering cost exceeds a platform license. Our vendor pricing decoder walks through the five commercial pricing models and what each one optimises for.
For teams that need a vendor-neutral commercial platform with agentic coverage, compliance reporting, and a free tier to start evaluating without a contract, ARTEMIS is the recommended path. Independence from the frontier-model providers is structural to Repello's positioning, not a marketing claim, and it is the attribute that resolves the question the OpenAI acquisition opened. Book a demo to walk through coverage against your stack and see the auditor-acceptable evidence package the platform produces by default.
A closing thought on the broader category. The Promptfoo deal is the second major AI red teaming acquisition in two quarters (Splx into Zscaler in November 2025, Promptfoo into OpenAI in March 2026). Consolidation is happening, and the vendors who remain structurally independent are a smaller set than they were a year ago. For a parallel read on a different commercial platform's gaps, see our Mindgard alternatives breakdown.
FAQ#
Did OpenAI actually acquire Promptfoo?
Yes. Per OpenAI's own announcement and TechCrunch's coverage from March 9, 2026, OpenAI acquired Promptfoo to fold it into the OpenAI Frontier platform for managed and enterprise evaluation. Promptfoo had raised $23M at an $86M pre-deal valuation. The MIT-licensed repo stays public, and the CLI continues to ship. The product itself is largely unchanged in the two months since close. What changed is the buyer context.
Is Promptfoo still safe to use after the acquisition?
Safe is the wrong frame. The CLI is still excellent for prompt evaluation, regression testing, and CI gates. The question that matters for procurement and audit is vendor neutrality: an auditor asking who is grading your OpenAI deployment now has a non-trivial answer when the grader is owned by OpenAI. For internal quality work this is largely a non-issue. For external-facing security claims, framework attestations, and red team evidence packages, the conflict-of-interest question shows up in due-diligence questionnaires immediately.
What was wrong with Promptfoo before the acquisition?
Nothing was wrong. The design constraints were always explicit: CLI-first, YAML-driven, no persistent dashboard for findings across runs, no production monitoring, and a primary focus on prompt evaluation rather than full agentic system red teaming. Those constraints were features for the developer-tool audience and limits for the security and compliance audience. The acquisition did not introduce those limits, it just changed how much weight to put on them.
What alternative tools are vendor-neutral relative to OpenAI?
Open source tools have no vendor alignment by construction: Garak (NVIDIA-supported), PyRIT (Microsoft, used internally for their own AI red teaming), and Giskard for RAG evaluation are the established options. On the commercial side, Repello AI's ARTEMIS is an independent platform with no frontier-model investor or owner, which is the relevant attribute when an auditor asks about grader independence.
Does the MIT license protect Promptfoo from changing direction?
The license protects the existing code and the right to fork it. It does not protect roadmap direction, the rate of new attack-library updates, or the prioritization of non-OpenAI model coverage. Fork talk on Hacker News and r/LocalLLaMA started within hours of the announcement, and a serious fork is technically straightforward. The harder question is whether the community that maintained Promptfoo's attack libraries stays cohesive under new ownership or splits across the fork. That answer is still being written two months in.
What should I actually do if my team relies on Promptfoo today?
Three steps. First, separate the use cases: keep Promptfoo for prompt evaluation and CI quality gates where vendor neutrality is not a procurement question. Second, evaluate a vendor-neutral platform for the security and compliance layer, especially if your AI applications touch regulated data or external auditors. Third, document the decision in your AI governance file: an auditor who reads in 2027 that you continued using an OpenAI-owned tool to red team your OpenAI deployment, without any documented mitigation, will ask why.
