TL;DR: Splx.ai was acquired by Zscaler on November 3, 2025, and the product now sits inside a roughly $30B network-security suite. The technology is still capable, and the red-team heritage is real. The question worth asking is whether a focused AI red teaming tool, now absorbed into an enterprise security conglomerate, still fits how you buy. This post covers five alternatives, what each one tests, and how to think about platform absorption when you evaluate.
Why teams are re-evaluating Splx in 2026
Splx.ai was a focused AI red teaming startup founded in 2023, headquartered in NYC, with roughly $9M raised across a $2M pre-seed (LAUNCHub, September 2024) and a $7M seed (March 2025). Per coverage of the deal, Zscaler closed the SPLX acquisition on November 3, 2025, and the splx.ai homepage now opens with "SPLX is now part of Zscaler." The product, marketed under the "built by world-class AI red teamers" line and the "dynamic remediation reducing attack surface by 95%" stat, is being absorbed into Zscaler's broader Zero Trust and GenAI protection portfolio.
Nothing about that absorption makes the technology worse on day one. The probe library, the remediation engine, and the engineering team that built it are still in place. What changes is the buyer context. Three pre-existing characteristics of Splx are worth naming alongside the acquisition story, because together they shape the re-evaluation:
First, credit-metered pricing. Splx's public commercial structure ran Free plus Professional (quote, 2000 credits per month) plus Enterprise (quote). Credits are a flexible billing primitive, but they make annual budgeting awkward, and they sit uncomfortably next to Zscaler's per-seat and per-bandwidth enterprise unit economics. Buyers who renew after the integration should expect pressure to migrate onto a suite-bundled line item rather than a separate credit pool.
Second, no public customer logos pre-acquisition. Splx ran a relatively quiet GTM, with limited published case studies or named enterprise references before the deal. That kept the brand pure on technical credibility, which was a deliberate choice. It also means that the customer base shape, the typical deployment size, and the contract dynamics are now visible only inside Zscaler. Independent benchmarking against peers is harder than it was for, say, Mindgard or Robust Intelligence.
Third, attack-database-as-IP positioning. Splx leaned hard on the depth and recency of its internal attack corpus, framed as proprietary research from its red-team founders. That positioning is durable when the company is standalone and the founders are running roadmap. It is less durable when the corpus becomes one input to a larger platform's threat-intel pipeline, and the team that maintains it competes for attention against network-security priorities.
Put those three traits next to the acquisition and the re-evaluation question becomes specific. If you bought Splx for the focused-startup attributes (transparent technical roadmap, credit-metered evaluation flexibility, founder-led red-team depth), you are now buying a different product. If you bought Splx for the technology alone and you are already a Zscaler shop, the absorption is probably a positive. The honest framing is somewhere in between, and the alternatives below exist for the first kind of buyer.
Five buyer-experience attributes that shifted at the November 2025 acquisition. The product itself did not get worse, but the procurement, pricing, and roadmap context all changed.
The five alternatives
1. Repello AI (ARTEMIS)
ARTEMIS is Repello AI's automated AI red teaming engine, and it is the closest like-for-like replacement for what Splx was pre-acquisition. Like Splx, it runs context-specific attack simulations against the application under test, draws from a continuously evolving attack library, and produces structured output that maps to industry frameworks. Unlike Splx in 2026, it is independent. Repello AI is a standalone company whose roadmap is governed by AI security buyers, not by a parent platform's network-security renewal cycle.
A few specifics that matter when you evaluate.
Browser mode. ARTEMIS tests AI assistants embedded in actual browsers, the way users hit them. That covers assets you cannot instrument through an API: the embedded chat widget on a customer portal, the AI-assisted help console behind a SaaS login, the copilot on a third-party app. Most AI red teaming platforms, Splx included, assume the target exposes a testable endpoint. Browser mode removes that assumption.
Native MCP integration. Claude Code and Codex CLI talk directly to ARTEMIS over the Model Context Protocol. For developers and red teamers running adversarial probes from inside their IDE, the recon and replay loop is zero-config: the agent describes the target, ARTEMIS scopes it, and the run lives next to the code being tested.
Free-to-start tier. Buyers can evaluate ARTEMIS without going through a quote-only Professional gate. That matters for procurement teams who want to validate technical fit before committing to a contract conversation, and it sits in contrast to the credit-metered, quote-everywhere shape that Splx's commercial motion inherited from the broader category.
Agentic-native testing. ARTEMIS treats multi-agent systems, MCP servers, and RAG pipelines as the application, not as adjuncts. Attack patterns include agent-to-agent prompt injection, MCP tool poisoning, retrieval pipeline contamination, and chained tool-abuse scenarios. This is the part of the surface that grows fastest year over year, and the part where a platform absorbed into a parent suite is most likely to fall behind.
Compliance-mapped output. Reports map across OWASP LLM Top 10, MITRE ATLAS, and NIST AI RMF, not just one framework. Auditors who are starting to ask for evidence under ISO 42001 and the EU AI Act will read the ARTEMIS output without needing a separate framework-mapping engagement.
Independent and vendor-neutral. ARTEMIS is not a module inside a larger platform suite where AI security has to compete with other product lines for roadmap attention. The full company runs on the AI security problem.
If you are budgeting an evaluation, book a demo and ask for a scoped run against your specific stack rather than a generic walkthrough.
2. Mindgard
Mindgard is a UK-based AI red teaming platform that automates LLM vulnerability testing and produces structured compliance reporting. It is the most direct commercial peer to Splx in terms of category positioning, and the technology is solid. Mindgard's strength is automated probe-driven testing against a well-defined risk taxonomy, with reporting that lands cleanly inside an OWASP-mapped output.
The gaps worth surfacing for a Splx-replacement evaluation are agentic coverage and framework breadth. Mindgard's testing model was built around single-model evaluation. Multi-agent systems, MCP integrations, and the orchestration-level attack surfaces are not native coverage. Framework output maps primarily to OWASP LLM Top 10, with lighter mapping to MITRE ATLAS or NIST AI RMF.
For a fuller breakdown of where Mindgard fits and where it stops, see our deeper breakdown of Mindgard alternatives.
3. Promptfoo
Promptfoo is an open source LLM testing and evaluation framework that covers both output-quality evaluation and security testing (prompt injection, jailbreaking, PII leakage). It has a web UI, integrates with most major model providers, and slots into CI/CD pipelines through a CLI and GitHub Actions. For teams that want a single tool covering evaluation and security side by side, it is a strong fit.
There is a parallel acquisition story worth naming. Promptfoo was acquired by OpenAI in March 2026, and the same platform-absorption questions that apply to Splx under Zscaler apply to Promptfoo under OpenAI, with the added wrinkle that OpenAI is itself a model provider. A red teaming tool whose corporate parent ships the model under test is a structural conflict that buyers should consider explicitly. We cover the implications in our parallel story on Promptfoo's own neutrality question after the OpenAI acquisition.
On the technical surface, Promptfoo is a testing and evaluation tool. It does not cover runtime protection, agentic attack surfaces natively, or AI asset inventory. It requires engineering time to configure and interpret. For teams that need a complete program rather than a testing utility, it covers one layer of a multi-layer problem.
4. Garak
Garak is an open source LLM vulnerability scanner originally developed by Leon Derczynski and now maintained with support from NVIDIA. It runs probes across a defined taxonomy of LLM failure modes (prompt injection, jailbreaking, hallucination, data leakage, toxicity generation) with a large and actively updated library. Integration into Python pipelines is straightforward.
Garak is the right tool for teams that want free, extensible, community-maintained red teaming at the model level. It is the closest open source analog to the original Splx probe-library shape.
The ceiling is the same one you hit with any open source tool in this category. Garak tests models, not AI applications. It does not natively test RAG pipelines, agentic workflows, or MCP integrations. It produces no compliance report. It requires engineering time to configure, interpret, and act on. For teams without a dedicated AI security engineer, the gap between running Garak and having an auditor-acceptable remediation plan is significant.
5. PyRIT
PyRIT (Python Risk Identification Toolkit) is Microsoft's open source framework for red teaming generative AI systems. It exposes a programmatic interface for multi-turn adversarial conversations, automated attack orchestration, and response scoring across safety dimensions. Microsoft uses it internally to red team its own AI products, which is a useful signal on framework depth.
PyRIT suits teams building on Azure AI infrastructure and engineers who want to write custom attack scenarios in Python. The framework is flexible and the Azure integration is tight.
The constraints are the same as Garak's. PyRIT is a framework, not a product. There is no dashboard, no out-of-the-box compliance reporting, no default attack coverage that runs without configuration. Like Garak, it covers the model-and-prompt layer cleanly and does not extend to runtime protection, asset discovery, or full agentic surface coverage. It also requires meaningful Python engineering to operate at the rigor a security program needs.
Comparison table
| Platform | Agentic / MCP coverage | Browser-mode testing | Pricing transparency | Framework coverage | Independent vendor |
|---|---|---|---|---|---|
| Repello AI (ARTEMIS) | Yes | Yes | Free-to-start tier published | OWASP, MITRE ATLAS, NIST AI RMF | Yes |
| Splx.ai (Zscaler) | Limited | No | Credit-metered, quote-only | OWASP primary | No, now part of Zscaler |
| Mindgard | Limited | No | Quote-only | OWASP primary | Yes |
| Promptfoo | Limited | No | Open source plus paid tier | OWASP partial | No, now part of OpenAI |
| Garak | No | No | Open source, free | OWASP partial | Yes (community) |
| PyRIT | No | No | Open source, free | Custom mapping | Maintained by Microsoft |
How to choose
Start from the question that drove the Splx evaluation in the first place. If the answer was "we want a focused, standalone AI red teaming product with strong probe depth and a clean technical roadmap," then the relevant filter for the next vendor is independence. ARTEMIS and Mindgard are the two commercial candidates that stay independent in 2026. Splx and Promptfoo both joined larger corporate parents in the last six months, and Garak and PyRIT are open source projects with the operating-cost realities that come with that.
If the original answer was "we need credit-metered pricing so we can pay per use without a fixed annual commitment," the post-acquisition reality on the Splx side is uncertain, and the rest of the commercial category mostly prices on platform-license-per-asset or per-engagement contracts. Our vendor pricing decoder walks through the five commercial pricing models and what each one optimises for, so buyers can match the unit of cost to the unit of work they actually do. Credit metering does not map neatly onto any of the five, which is part of why it tends to be reshaped during post-acquisition integration.
If the original answer was "we need to satisfy an auditor under ISO 42001, NIST AI RMF, or the EU AI Act," then framework breadth and report shape matter more than headline probe count. ARTEMIS produces output mapped across OWASP LLM Top 10, MITRE ATLAS, and NIST AI RMF as the default. The open source tools require a separate mapping engagement that usually exceeds the cost of a commercial platform. Mindgard maps cleanly to OWASP, with lighter coverage of the other two.
The unifying point: pick the tool whose roadmap you trust to keep up with category drift over the next 24 months. Agentic and MCP attack surfaces grew faster than any other category in 2025 and 2026. A tool whose engineering capacity gets reallocated to integration work, network-security priorities, or model-provider conflict of interest is the wrong tool for a surface that doubles every two quarters. Book a demo of ARTEMIS if you want to evaluate the independent option against your real stack.
FAQ
Why are teams looking for Splx.ai alternatives in 2026?
Splx.ai was acquired by Zscaler on November 3, 2025, and the product now sits inside a roughly $30B network-security suite. Buyers who picked Splx specifically for its standalone focus and red-team heritage are reasonably asking whether a module inside a larger platform still fits how they buy security tooling. The product itself did not get worse at the acquisition. The buyer context changed, and roadmap priorities at a public security conglomerate look different from those at a focused AI red teaming startup.
Is Splx.ai still a good AI red teaming tool after the Zscaler deal?
The underlying technology is still strong on automated AI red teaming and the dynamic remediation work that drove the original pitch. The "built by world-class AI red teamers" heritage is real and survives the acquisition. The questions worth asking now are about platform absorption, credit-metered pricing inside an enterprise-suite renewal, and whether agentic and MCP coverage will keep pace with category drift while the product integrates into Zscaler's broader Zero Trust portfolio.
What is the main difference between Splx.ai and Repello ARTEMIS?
Both run automated AI red teaming with a structured probe library. The differences are commercial and architectural. ARTEMIS is independent and vendor-neutral, not a module inside a larger network-security suite. It ships a free-to-start tier so buyers can evaluate without a quote gate. It tests browser-embedded AI assistants the way users actually hit them, useful for assets you cannot instrument. It plugs into Claude Code and Codex CLI through native MCP integration for zero-config recon. And it maps output across OWASP LLM Top 10, MITRE ATLAS, and NIST AI RMF rather than a single framework.
What does platform absorption mean for an AI red teaming buyer?
When a focused product joins a larger suite, three things tend to happen over the next 12 to 24 months. Roadmap priorities shift toward the buying parent's revenue motion, which at Zscaler is network and Zero Trust. Pricing migrates from standalone to suite-bundled, which is good for net-new Zscaler customers and worse for AI-security buyers who want a line-item they can defend. And the specialist team that drove the product's heritage tends to thin out as integration work consumes engineering cycles. None of this is guaranteed, but it is the pattern, and it is reasonable to plan for.
Can open source tools replace Splx.ai for automated AI red teaming?
For specific use cases with engineering resources, yes. Garak covers broad LLM vulnerability scanning with a large probe library and NVIDIA support. PyRIT covers programmatic adversarial testing with strong Azure integration. Promptfoo covers evaluation and security testing with a UI, though buyers should note Promptfoo's own neutrality question after the OpenAI acquisition in March 2026. None of the three produce auditor-ready compliance reports out of the box, and none cover agentic or MCP attack surfaces natively.
Which Splx.ai alternative is the right fit for a regulated enterprise?
For a regulated enterprise that needs automated red teaming, compliance-mapped reporting against OWASP LLM Top 10, MITRE ATLAS, and NIST AI RMF, and an independent vendor whose roadmap is not subordinated to a parent company's network-security strategy, ARTEMIS is the closest like-for-like replacement with the strongest agentic and MCP coverage. Open source tools require dedicated engineering to operate at audit-acceptable rigor. The other commercial options each cover a subset of the surface Splx originally addressed.



