DeepTeam and promptmap2: Next-Gen LLM Red Teaming Frameworks
The LLM red teaming landscape continues to evolve rapidly. Beyond established tools like garak and promptfoo, two newer frameworks are pushing the boundaries of automated LLM security testing: DeepTeam from Confident AI provides a comprehensive red teaming platform with 50+ built-in vulnerabilities, while promptmap2 from Utku Sen focuses on automated prompt injection scanning for custom LLM applications.
DeepTeam by Confident AI
DeepTeam is an open-source framework designed to make LLM red teaming accessible and systematic. It integrates the latest security guidelines and research into a cohesive testing pipeline.
Core Capabilities
DeepTeam provides a structured approach to LLM security testing across three pillars:
1. Vulnerability Detection
With 50+ state-of-the-art, ready-to-use vulnerabilities, DeepTeam covers a broad spectrum of LLM security risks:
| Category | Vulnerabilities |
|---|---|
| Safety | Toxicity, violence, self-harm, hate speech |
| Privacy | PII leakage, training data extraction, membership inference |
| Robustness | Prompt injection, jailbreaks, adversarial inputs |
| Fairness | Bias detection, demographic parity, stereotype perpetuation |
| Hallucination | Factual inconsistency, fabricated references, unsupported claims |
2. Attack Simulation
DeepTeam implements multiple attack strategies including:
- Gray-box attacks: Testing with partial knowledge of the system
- Prompt injection: Direct and indirect injection techniques
- Jailbreak attempts: Multi-turn jailbreak strategies
- Social engineering: Manipulative prompts designed to bypass safety filters
3. Guardrail Implementation
After identifying vulnerabilities, DeepTeam helps add guardrails to secure your LLM systems:
from deepteam import red_teamfrom deepteam.vulnerabilities import PromptInjection, PIILeakagefrom deepteam.attacks import GrayBoxAttack
# Define your LLM systemdef my_llm_app(input_text): # Your LLM application logic return response
# Run red team assessmentresults = red_team( target=my_llm_app, vulnerabilities=[PromptInjection(), PIILeakage()], attacks=[GrayBoxAttack()])Framework Integration
DeepTeam supports structured testing aligned with major security frameworks:
- OWASP Top 10 for LLMs: Maps findings to the OWASP LLM risk categories
- NIST AI RMF: Aligns with the NIST risk management framework
- Custom frameworks: Define your own testing methodology
How DeepTeam Differs from garak and promptfoo
| Feature | DeepTeam | garak | promptfoo |
|---|---|---|---|
| Vulnerability focus | Broad (safety + security) | Security-focused | Prompt testing |
| Guardrail building | Yes | No | Limited |
| Framework alignment | OWASP, NIST | Custom | Custom |
| Attack types | Gray-box, injection, jailbreak | 50+ probe types | Red teaming + jailbreaks |
| CI/CD integration | Yes | CLI-based | Native CI/CD |
promptmap2
promptmap2 is the successor to the original promptmap tool by Utku Sen, focused specifically on automated prompt injection scanning for custom LLM applications.
What promptmap2 Does
promptmap2 takes a systematic approach to prompt injection testing:
- System prompt analysis: Examines your LLM’s system prompt for potential weaknesses
- Automated attack generation: Creates targeted injection payloads based on the system prompt
- Multi-vector testing: Tests injection through multiple input channels
- Impact assessment: Evaluates the severity of successful injections
Key Improvements Over promptmap v1
- Broader attack coverage: More injection techniques and mutation strategies
- Better false positive handling: Improved detection of actual vs. apparent injection success
- Custom application support: Designed specifically for custom LLM applications, not just raw models
- Automated reporting: Structured output for integration with security workflows
Use Cases
promptmap2 is particularly valuable for:
- Custom LLM applications: Test your specific application logic, not just the base model
- System prompt hardening: Identify and fix weaknesses in your system prompts
- Pre-deployment testing: Run prompt injection tests before releasing LLM applications
- Continuous security: Integrate into CI/CD for ongoing prompt injection regression testing
Comparison with Other Injection Scanners
| Tool | Focus | Approach |
|---|---|---|
| promptmap2 | Custom LLM apps | Analyzes system prompts, generates targeted attacks |
| promptmap (v1) | Custom LLM apps | Basic prompt injection scanning |
| whistleblower | System prompt leakage | Capability discovery and prompt extraction |
| HouYi | LLM-integrated apps | Full injection chain |
Integrating into Your Red Team Workflow
Recommended Testing Pipeline
Phase 1: Broad Scanning├── garak — Comprehensive security probing├── DeepTeam — Safety + security + guardrails└── promptfoo — Prompt regression testing
Phase 2: Targeted Testing├── promptmap2 — System prompt injection testing├── whistleblower — Prompt leakage assessment└── FuzzyAI — Jailbreak fuzzing
Phase 3: Custom Attacks├── PyRIT — Microsoft's risk identification├── DeepTeam custom vulnerabilities└── Manual red team exercisesCI/CD Integration
Both tools can be integrated into development workflows:
# GitHub Actions example- name: LLM Red Team run: | pip install deepteam promptmap2 deepteam scan --target my_llm_app --output results.json promptmap2 --endpoint http://localhost:8000 --system-prompt ./system.mdKey Takeaways
- DeepTeam brings structured, framework-aligned red teaming to LLM security testing with 50+ built-in vulnerabilities
- DeepTeam uniquely includes guardrail building capabilities, closing the loop from finding vulnerabilities to fixing them
- promptmap2 specializes in automated prompt injection testing tailored to custom LLM applications
- Both tools complement existing frameworks like garak and promptfoo, filling gaps in guardrail implementation and application-specific testing
- Integrating these tools into CI/CD pipelines ensures continuous security testing throughout the LLM application lifecycle