Skip to main content

Release Notes

Full release history for Promptfoo open source can be found on GitHub.

September 2025 Release Highlights

This month we shipped reusable custom policies, risk scoring, 8 new AI providers, and comprehensive enterprise features for security teams.

Evals

Providers

New Model Support
New Providers
  • Nscale - Image generation provider
  • CometAPI - 7 models with environment variable configuration
  • Envoy AI Gateway - Route requests through Envoy gateway
  • Meta Llama API - All 7 Meta Llama models including multimodal Llama 4
Provider Updates

Pause/Resume Evaluations

Use Ctrl+C to pause long-running evaluations and promptfoo eval --resume to continue later.

UI & Developer Experience

  • Keyboard navigation - Navigate results table with keyboard shortcuts
  • Bulk delete - Delete multiple eval results at once
  • Unencrypted attack display - Show both encoded and decoded attack forms
  • Passes-only filter - Filter to show only passing results
  • Severity filtering - Filter by severity level
  • Metadata exists operator - Filter by metadata field presence
  • Highlight filtering - Filter results by highlighted content
  • Persistent headers - Report page headers remain visible when scrolling
  • Team switching - Switch teams from command line

Export & Integration

  • Enhanced CSV exports - Includes latency, grader reason, and grader comment
  • Log export - promptfoo export logs creates tar.gz for debugging
  • Default cloud sharing - Auto-enable sharing when connected to Promptfoo Cloud
  • CI progress reporting - Text-based milestone reporting for long-running evals

Configuration

  • Context arrays - Pass context as array of strings (example)
  • MCP preset - Pre-configured Model Context Protocol plugin set

Red Teaming

Reusable Custom Policies

Custom policies can now be saved to a library and reused across red team evaluations:

  • Policy libraries - Create centralized security policy repositories
  • CSV upload - Bulk import policies via CSV
  • Severity levels - Assign severity (low/medium/high/critical) for filtering and prioritization
  • Test generation - Generate sample test cases from policy definitions

Reference policies in your red team config:

redteam:
  plugins:
    - id: policy
      config:
        policy: 'internal-customer-data-protection'

Risk Scoring

Red team reports now include quantitative risk scores based on severity, probability, and impact:

  • Overall risk score (0-10) for system security posture
  • Risk by category - Scores for different vulnerability types
  • Risk trends - Track improvement over time
  • Visual heatmaps - Identify high-risk areas

Use risk scores to prioritize remediation and set CI/CD deployment gates.

New Plugins

Strategies & Compliance

  • Layer strategy - Chain multiple strategies in a single scan
  • Threshold configuration - Set minimum pass scores for tests
  • ISO 42001 compliance - Framework compliance mappings for AI governance

Enterprise

Team Management

  • Flexible licensing - Pay only for the red team tests you run
  • License tracking - Usage monitoring and optimization insights
  • IDP mapping - Identity provider team and role mapping for SSO
  • Session configuration - Timeout and inactivity settings

Audit & Compliance

  • Audit logging UI - Comprehensive audit trails for webhooks, teams, providers, and user management

August 2025 Release Highlights

This month we added support for new models, model audit cloud sharing, and performance improvements.

Evals

Providers

New Model Support
  • GPT-5 - Added support for OpenAI's GPT-5 model with advanced reasoning capabilities
  • Claude Opus 4.1 - Support for Anthropic's latest Claude model
  • xAI Grok Code Fast - Added xAI's Grok Code Fast model for coding tasks
Provider Updates

Model Audit Cloud Sharing

Model audit results can now be shared to the cloud for team collaboration:

  • Persistent audit history - Track security scans over time
  • Team sharing - Share audit results across teams
  • Centralized storage - Store audit reports in the cloud
  • Path management - Remove recent scan paths from history

Enhanced Authentication

Added support for advanced authentication methods:

  • Certificate storage - Store client certificates for mTLS authentication
  • Signature authentication - Support for uploaded signature-based authentication
  • Credential sanitization - Prevent credential exposure in debug logs

AI-Powered HTTP Configuration

Added auto-fill capabilities for HTTP provider setup to reduce configuration time and errors.

Performance Improvements

  • HuggingFace dataset fetching - Improved speed and reliability for large datasets
  • Error handling - Better diagnostic messages and retry suggestions
  • UI improvements - Streamlined interfaces and progress indicators

Red Teaming

Medical Off-Label Use Plugin

Added Medical Off-Label Use Detection plugin to identify inappropriate pharmaceutical recommendations that could endanger patients.

Unverifiable Claims Plugin

Added Unverifiable Claims Detection plugin to test AI systems' susceptibility to generating fabricated but plausible-sounding claims.

MCP Agent Testing

Added MCP Agent example for red team testing with tool call results, demonstrating how to test AI systems that use Model Context Protocol.

July 2025 Release Highlights

This month we focused on expanding provider support, enhancing evaluation capabilities, and strengthening enterprise features to help you build more reliable and secure AI applications.

Evals

New Models / Providers

Expanded Provider Support
New Model Support
Enhanced Capabilities
  • LiteLLM Embeddings - Similarity testing and semantic search
  • Google Vision - Image understanding for multimodal evaluations
  • HTTP Provider Enhancements - Added support for JKS and PFX client certificates.
  • Browser Provider - Connect to existing Chrome browser sessions via Chrome DevTools Protocol (CDP) for testing OAuth-authenticated applications

Assertion Improvements

  • Context Transforms: Extract additional data from provider responses to use in assertions: context-based assertions. These are especially useful for evaluating RAG systems.
  • Finish Reason Validation: Use finish-reason as an option in assertions to validate how AI model responses are terminated. This is useful for checking if the model completed naturally, hit token limits, triggered content filters, or made tool calls as expected.
  • Tracing Assertions: Use your tracing and telemetry data in assertions: trace-span-count, trace-span-duration, and trace-error-spans

Other Features

  • External Test Configuration - defaultTest can now load test cases from external files for easier management

Developer Experience Improvements

  • Python Debugging - Use import pdb; pdb.set_trace() in executed third-party Python scripts for easier debugging
  • Enhanced Search - Comprehensive metadata filtering to search results with search operators (equals, contains, not contains) and persistent button actions

Web UI Improvements

Enhanced Eval Results Page

We've significantly improved the evaluation results interface to handle large-scale testing more effectively:

  • First-Class Zooming Support - Zoom in and out of the eval results table to see more data at once or focus on specific details. This is especially useful when working with evaluations containing hundreds or thousands of test cases.

  • Advanced Metadata Filtering - Filter results using powerful search operators (equals, contains, not contains) with persistent button actions. Click on any metric pill in the results to instantly apply it as a filter, making it easier to drill down into specific failure modes or success patterns.

  • Improved Pagination - Enhanced pagination controls with "go to" functionality and better handling of large result sets. The UI now maintains scroll position and filter state as you navigate between pages.

  • Multi-Metric Filtering - Apply multiple filters simultaneously to find exactly the results you're looking for. For red team evaluations, you can now filter by both plugin and strategy to analyze specific attack vectors.

  • Performance Optimizations - Fixed horizontal scrolling issues, improved rendering performance for large tables, and optimized memory usage when dealing with extensive evaluation results.

These improvements make it much easier to analyze and understand evaluation results, especially for large-scale red teaming exercises or comprehensive test suites.

Red Teaming

Enterprise Features

  • Regrade Red Team Scans - After adding grading rules, re-grade existing scans without re-running them. Once you've changed a grading system (pass/fail criteria, reasoning, etc.) you can re-grade existing eval results to measure the effect of those changes.
  • Identity Provider Integration - Map teams and roles from your Identity Provider to automatically assign permissions
  • MCP Proxy - Enterprise-grade security for MCP servers with access control and traffic monitoring for sensitive data

Strategies

New Agentic Multi-Turn Strategies

We've launched two powerful new agentic multi-turn red team strategies that adapt dynamically based on target responses:

  • Custom Strategy - Define your own red teaming strategies using natural language instructions. This groundbreaking feature lets you create sophisticated, domain-specific attack patterns without writing code. The AI agent interprets your instructions and executes multi-turn conversations tailored to your specific testing needs.

  • Mischievous User Strategy - Simulates an innocently mischievous user who plays subtle games with your AI agent through multi-turn conversations. This strategy uncovers vulnerabilities by mimicking real-world user behavior where users might push boundaries through playful or indirect approaches rather than direct attacks.

Both strategies leverage AI agents to conduct intelligent, adaptive conversations that evolve based on your system's responses, making them far more effective than static attack patterns.

Other Strategy Improvements
  • HTTP Target Improvements - Enhanced test button now provides detailed error diagnostics, automatic retry suggestions, and context-aware fixes for common configuration issues like authentication failures, CORS errors, and malformed requests

June 2025 Release Highlights

This month we focused on enhancing observability, expanding provider support, and strengthening red team capabilities to help you build more reliable and secure AI applications.

Evals

Tracing

See Inside Your LLM Applications with OpenTelemetry

We've added OpenTelemetry tracing support to help you understand what's happening inside your AI applications. Previously, LLM applications were often "black boxes"—you could see inputs and outputs, but not what happened in between. Now you can visualize the entire execution flow, measure performance of individual steps, and quickly identify issues.

Tracing and OpenTelemetry Support

This is especially valuable for complex RAG pipelines or multi-step workflows where you need to identify performance bottlenecks or debug failures.

Use it when:

  • Debugging slow RAG pipelines
  • Optimizing multi-step agent workflows
  • Understanding why certain requests fail
  • Measuring performance across different providers

New Models / Providers

Expanded Audio and Multimodal Capabilities

As AI applications increasingly use voice interfaces and visual content, you need tools to evaluate these capabilities just as rigorously as text-based interactions. We've significantly expanded support for audio and multimodal AI:

  1. Google Live Audio - Full audio generation with features like:

    • Voice selection and customization
    • Affective dialog for more natural conversations
    • Real-time transcription
    • Support for Gemini 2.0 Flash and native audio models

  2. Hyperbolic Provider - New support for Hyperbolic's image and audio models, providing more options for multimodal evaluations

  3. Helicone AI Gateway - Route requests through Helicone for enhanced monitoring and analytics

  4. Mistral Magistral - Added support for Mistral's latest reasoning models

Other Features

Static Model Scanning with ModelAudit

Supply chain attacks through compromised models are a growing threat. We've significantly enhanced our static model security scanner to help you verify model integrity before deployment, checking for everything from malicious pickle files to subtle statistical anomalies that might indicate trojaned models.

New Web Interface: ModelAudit now includes a visual UI accessible at /model-audit when running promptfoo view:

  • Visual file/directory selection with drag-and-drop support
  • Real-time scanning progress with live updates
  • Tabbed results display with severity color coding
  • Scan history tracking

Expanded Format Support:

  • SafeTensors - Support for Hugging Face's secure tensor format
  • HuggingFace URLs - Scan models directly from HuggingFace without downloading
  • Enhanced Binary Detection - Automatic format detection for .bin files (PyTorch, SafeTensors, etc.)
  • Weight Analysis - Statistical anomaly detection to identify potential backdoors

Security Improvements:

  • Better detection of embedded executables (Windows PE, Linux ELF, macOS Mach-O)
  • Path traversal protection in archives
  • License compliance checking with SBOM generation
  • Protection against zip bombs and decompression attacks
Developer Experience Improvements
  • Assertion Generation - Automatically generate test assertions based on your use cases, saving time in test creation
  • SQLite WAL Mode - Improved performance and reliability for local evaluations with better concurrent access
  • Enhanced Token Tracking - Per-provider token usage statistics help you monitor costs across different LLM providers
  • Evaluation Time Limits - New PROMPTFOO_MAX_EVAL_TIME_MS environment variable prevents runaway evaluations from consuming excessive resources
  • Custom Headers Support - Added support for custom headers in Azure and Google Gemini providers for enterprise authentication needs
  • WebSocket Header Support - Enhanced WebSocket providers with custom header capabilities

Red Teaming

Enterprise Features

Advanced Testing Capabilities for Teams

Generic attacks often miss system-specific vulnerabilities. We've added powerful features for organizations that need sophisticated AI security testing to create targeted tests that match your actual security risks:

  1. Target Discovery Agent - Automatically analyzes your AI system to understand its capabilities and craft more effective, targeted attacks

  2. Adaptive Red Team Strategies - Define complex multi-turn attack strategies with enhanced capabilities for targeted testing

  3. Grader Customization - Fine-tune evaluation criteria at the plugin level with concrete examples for more accurate assessments

  4. Cloud-based Plugin Severity Overrides - Enterprise users can centrally manage and customize severity levels for red team plugins across their organization

Plugins

Comprehensive Safety Testing for High-Stakes Domains

Different industries face unique AI risks. We've introduced specialized plugins for industries where AI errors have serious consequences, ensuring you're testing for the failures that matter most in your domain:

Medical Safety Testing

Medical Plugins detect critical healthcare risks:

  • Hallucination - Fabricated medical studies or drug interactions
  • Prioritization Errors - Dangerous mistakes in triage scenarios
  • Anchoring Bias - Fixation on initial symptoms while ignoring critical information
  • Sycophancy - Agreeing with incorrect medical assumptions from users

Financial Risk Detection

Financial Plugins identify domain-specific vulnerabilities:

  • Calculation Errors - Mistakes in financial computations
  • Compliance Violations - Regulatory breaches in advice or operations
  • Data Leakage - Exposure of confidential financial information
  • Hallucination - Fabricated market data or investment advice

Bias Detection Suite

Biased AI systems can perpetuate discrimination at scale. Our new comprehensive bias detection tests ensure your AI treats all users fairly and respectfully across:

  • Age - Ageism in hiring, healthcare, or service recommendations
  • Disability - Unfair assumptions about capabilities
  • Gender - Role stereotypes and differential treatment
  • Race - Ethnic stereotypes and discriminatory patterns

Enterprise-Grade Datasets

  • Aegis Dataset - NVIDIA's 26,000+ manually annotated interactions across 13 safety categories for comprehensive content safety testing

New Red Team Capabilities

Intent Plugin Enhancements

The Intent (Custom Prompts) plugin now supports JSON file uploads with nested arrays for multi-step attack sequences. The enhanced UI makes it easier to manage complex test scenarios.

Enhanced HTTP Provider Support

Red team tests now include automatic token estimation for HTTP providers, helping you track costs even with custom API integrations.

System Prompt Override Testing

A new System Prompt Override plugin tests whether your LLM deployment is vulnerable to system instruction manipulation—a critical security flaw that could disable safety features.

Strategies

Smarter Multi-Turn Attack Techniques

Real attacks rarely succeed in a single message. We've enhanced our attack strategies to better simulate how bad actors actually try to manipulate AI systems through extended, adaptive conversations:

  1. Enhanced GOAT and Crescendo - Now include intelligent agents that can:

    • Navigate multi-step verification processes
    • Respond to intermediate prompts like "confirm your account"
    • Handle conditional logic in conversations
    • Adapt strategies based on system responses

  2. Emoji Encoding Strategy - New obfuscation technique using emoji to bypass content filters