Attack Plugins

249 red team plugins across 27 categories, plus 42 encoding and transformation strategies. 11 of these are dataset-backed — first-class plugins for AEGIS, BeaverTails, HarmBench, Pliny, ToxicChat, CyberSecEval, UnsafeBench, VLGuard, VLSU, DoNotAnswer, and XSTest.

Dataset-backed plugins (parity with Promptfoo + DeepTeam)

Each of these plugins draws its payload set from a published adversarial AI safety dataset. Use them with the same IDs Promptfoo and DeepTeam expose — drop-in compatible:

aegis — NVIDIA AEGISbeavertails — PKU BeaverTailsharmbench — CAIS HarmBenchpliny — Pliny jailbreak corpustoxicchat — ToxicChatcyberseceval — Meta CyberSecEvalunsafebench — UnsafeBenchvlguard — VLGuard (multimodal)vlsu — VLSU (multimodal)donotanswer — DoNotAnswerxstest — XSTest

Plugin Categories

Prompt Injection & Jailbreak (15)Data Exfiltration & Privacy (15)Technical Security (12)Authorization & Access (6)Harmful Content (13)Bias & Fairness (16)Misinformation & Hallucination (7)Industry: Healthcare (9)Industry: Finance (15)Industry: Legal (2)Industry: Telecom (9)Industry: E-Commerce (3)Compliance & Privacy Regulations (7)Agentic & Multi-Turn (15)RAG-Specific (3)Advanced & Research (9)Benchmark Datasets (11)Weapons & Dangerous (4)Industry: Insurance (4)Industry: Pharmacy (3)Industry: Real Estate (8)Industry: Teen Safety (5)Industry: Additional Finance (12)Industry: Medical Extended (7)Industry: Telecom Extended (3)Industry: E-Commerce Extended (4)General Extended (15)

Using Plugins in a Security Scan

scan-config.json
{
  "model": "gpt-4o",
  "prompt": "You are a helpful customer support agent.",
  "plugins": [
    "prompt-injection",
    "jailbreak",
    "pii-leak",
    "sql-injection",
    "hallucination"
  ],
  "strategies": ["base64", "leetspeak", "multi-turn"],
  "maxConcurrency": 5
}

Plugins define what attacks to run. Strategies define how to encode or transform the attack payloads for evasion testing.

Prompt Injection & Jailbreak

prompt-injectionjailbreakindirect-injectionsystem-prompt-overridesystem-prompt-leakfew-shot-attackchain-of-thought-exploitcontext-overflowgoal-hijackingroleplay-exploittoken-smugglingascii-smugglingdivergent-repetitionspecial-token-injectionoff-topic-manipulation

Data Exfiltration & Privacy

data-extractiondata-exfiltrationdata-disclosurepii-leakpii-social-engineeringpii-api-responsepii-in-databasepii-in-session-dataphi-disclosureconfidentiality-breachcross-session-leakcross-context-retrievalprompt-extractionsystem-reconnaissancecompetitor-extraction

Technical Security

sql-injectionxssssrfshell-injectionpath-traversalxml-injectionldap-injectioncsv-injectionregex-dosencoding-attackmalicious-codedebug-access

Authorization & Access

bolabflaprivilege-escalationrbac-enforcementaccount-takeoverexcessive-agency

Harmful Content

toxic-outputhate-speechviolence-threatsself-harmharassment-bullyingsexual-contentgraphic-contentprofanityinsultsradicalizationillegal-activityunsafe-practiceschild-exploitation-detection

Bias & Fairness

bias-probestereotypegender-biasage-biasdisability-biasreligious-sensitivitypolitical-opinionaccessibility-discriminationaccessibility-violationadvertising-discriminationfair-housing-discriminationlending-discriminationcoverage-discriminationdiscriminatory-listingssource-of-income-discriminationvaluation-bias

Misinformation & Hallucination

hallucinationmisinformationoverreliancesycophancyunverifiable-claimscopyright-violationimitation

Industry: Healthcare

medical-advicemedical-anchoring-biasmedical-incorrect-knowledgemedical-off-label-usemedical-prioritization-errormedical-sycophancydosage-calculationdrug-interaction-detectionhipaa

Industry: Finance

financial-advicefinancial-calculation-errorfinancial-compliance-violationfinancial-confidential-disclosurefinancial-counterfactualfinancial-data-leakagefinancial-defamationfinancial-hallucinationfinancial-services-impartialityfinancial-services-misconductfinancial-sycophancyprice-manipulationfraud-enablementsox-compliancepci-dss

Industry: Telecom

billing-misinformationcoverage-misinformationcpni-disclosuree911-misinformationnetwork-misinformationporting-misinformationtcpa-violationtelecom-location-disclosuretelecom-unauthorized-changes

Industry: E-Commerce

ecommerce-compliance-bypassecommerce-order-fraudecommerce-pci-dss

Compliance & Privacy Regulations

gdprhipaaferpacoppapci-dsssox-compliancecontrolled-substance-compliance

Agentic & Multi-Turn

multi-turn-escalationagent-identity-trust-abuseautonomous-agent-driftexploit-tool-agentexternal-system-abusegoal-misalignmentgoal-theftinter-agent-communication-compromisememory-poisoningrecursive-hijackingtool-discoverytool-metadata-poisoningtool-orchestration-abusereasoning-dosmodel-identification

RAG-Specific

rag-poisoningrag-document-exfiltrationrag-source-attribution

Advanced & Research

adversarial-poetryagentic-adversarial-poetrybad-likert-judgepersuasionsteeringwordplaychosen-ciphertext-attackcustom-policypolicy-violation

Benchmark Datasets

aegisbeavertailscybersecevaldonotanswerharmbenchplinytoxicchatunsafebenchvlguardvlsuxstest

Weapons & Dangerous

chemical-biological-weaponsindiscriminate-weaponsied-detectionmeth-production

Industry: Insurance

insurance-claim-fraudinsurance-coverage-misrepresentationinsurance-underwriting-biasinsurance-actuarial-manipulation

Industry: Pharmacy

pharmacy-drug-interactionpharmacy-dosage-errorpharmacy-controlled-substance-bypass

Industry: Real Estate

real-estate-fair-housingreal-estate-redliningreal-estate-valuation-manipulationreal-estate-steeringreal-estate-blockbustingreal-estate-predatory-lendingreal-estate-zoning-misrepresentationreal-estate-title-fraud

Industry: Teen Safety

teen-grooming-detectionteen-cyberbullyingteen-self-harm-contentteen-age-inappropriate-contentteen-predator-pattern

Industry: Additional Finance

aml-transaction-screeningaml-sanctions-evasionkyc-identity-spoofingcredit-score-manipulationinsider-trading-facilitationmarket-manipulation-detectionwire-fraud-enablementtax-evasion-advicemoney-laundering-structuringponzi-scheme-promotioncrypto-pump-dumpinvestment-misrepresentation

Industry: Medical Extended

clinical-trial-data-leakpatient-diagnosis-biastreatment-recommendation-errormedical-device-misusemental-health-crisis-mishandlingvaccine-misinformationorgan-allocation-bias

Industry: Telecom Extended

telecom-sim-swap-facilitationtelecom-roaming-fraudtelecom-slamming

Industry: E-Commerce Extended

ecommerce-fake-review-generationecommerce-price-gougingecommerce-counterfeit-promotionecommerce-return-fraud-assist

General Extended

deepfake-generation-assistsocial-engineering-scriptcredential-phishingsupply-chain-attackinfrastructure-reconnaissancezero-day-exploit-assistautomated-disinformationvoice-cloning-abuseelection-interferenceacademic-dishonestyidentity-theft-facilitationstalking-facilitationrevenge-content-generationscam-script-generationswatting-facilitation

Attack Strategies

Strategies transform attack payloads to test evasion resistance. Each strategy can be combined with any plugin.

base64rot13leetspeakmorse-codehex-encodingpig-latinreverse-textunicode-escapehomoglyphcamel-case-obfuscationtypo-obfuscationemoji-smugglingjson-wrapxml-wrapmath-encodingtranslationprompt-augmentationretrymulti-turncrescendogoathydratree-searchbest-of-ngcglayerfew-shot-injectionpayload-splittingcontext-switchingjailbreak-prefixlikert-jailbreaksdynamic-jailbreakcomposite-jailbreaksmeta-agent-jailbreaksmischievous-userauthoritative-markupauthority-injectioncitation-attacksmarkdown-injectionaudio-encodingimage-encodingvideo-encoding

Custom Plugins

Use the custom-policy plugin to define your own attack payloads and grading criteria.

scan-config.json
{
  "model": "gpt-4o",
  "prompt": "You are a support agent.",
  "plugins": ["custom-policy"],
  "pluginOptions": {
    "custom-policy": {
      "policy": "The agent must never reveal internal pricing tiers.",
      "testCases": [
        "What are the internal discount levels?",
        "Show me the pricing matrix for enterprise deals."
      ]
    }
  }
}