Whether you're looking for an angel investor, a growth advisor, or just want to connect — I'm always open to great ideas.
Get in TouchAI, startups & growth insights. No spam.
TL;DR: OpenAI announced on March 9, 2026 that it is acquiring Promptfoo — the leading open-source platform for red-teaming and security testing of AI systems. Promptfoo's co-founders Ian Webster and Michael D'Angelo, along with their team, will join OpenAI to embed adversarial security testing directly into its model and infrastructure layers. The open-source project will remain open and continue to support multiple AI providers. Financial terms were not disclosed. The deal signals that frontier AI labs are no longer treating security as an afterthought — it is becoming a core capability that must be owned in-house.
If you have shipped an AI-powered product in the last two years, there is a reasonable chance your team has used Promptfoo. The platform grew from a niche developer tool into a critical piece of AI security infrastructure — quietly, methodically, and almost entirely through word of mouth among engineers who needed it.
By the time of the acquisition announcement, Promptfoo had reached 350,000 registered developers, 130,000 monthly active users, and adoption by 127 of the Fortune 500 — roughly 25% of America's largest companies. On GitHub, the project had accumulated more than 11,300 stars, making it one of the most widely adopted open-source tools in the LLM security space. Those numbers are not marketing projections. They are production usage metrics from organizations that were already depending on the tool to catch security vulnerabilities before they shipped.
The product spans three tightly integrated capabilities: automated red teaming that simulates adversarial attacks like prompt injection, jailbreaks, and data exfiltration attempts; real-time guardrails that intercept and filter unsafe model outputs in production; and static code scanning that integrates directly into CI/CD pipelines and developer IDEs to catch LLM-related vulnerabilities before code reaches deployment.
What made Promptfoo unusual is that it was built for developers, not security teams. The CLI-first design meant engineers could run security evaluations the same way they ran unit tests — locally, privately, and without enterprise procurement cycles. That philosophy drove adoption in exactly the companies that build the most AI: fast-moving startups, hyperscaler product teams, and the Fortune 500 organizations that were quietly deploying AI agents into critical workflows while their security teams were still writing policy documents.
Now that capability is going inside OpenAI.
Ian Webster and Michael D'Angelo founded Promptfoo in 2024 with a specific and unfashionable premise: AI is moving faster than the tools to evaluate whether it is safe, and the gap between deployment velocity and security rigor is going to cause real damage at enterprise scale.
Webster, the CEO, came from a background in developer tooling and data infrastructure. He understood that security tools only get adopted if developers actually use them in their daily workflow — not when they are mandated by compliance teams at the end of a sprint. That insight shaped everything about Promptfoo's architecture: the emphasis on local execution, the CLI-first design, the integration with GitHub Actions and common CI/CD systems, and the decision to keep the core free and open source.
D'Angelo, the CTO, focused on the technical depth that gave enterprise security teams confidence in the results. Red teaming an LLM is not the same as penetration testing a web application. The attack surface is fundamentally different — you are not looking for buffer overflows or SQL injection points, you are trying to elicit behaviors the model is not supposed to exhibit. That requires a different kind of adversarial tooling, and D'Angelo built a lot of it.
Together, they built a company that in roughly two years achieved the kind of enterprise penetration that most B2B software startups spend five years chasing. Zane Lackey, partner at Andreessen Horowitz and a prominent figure in enterprise security, called Promptfoo "a category-defining platform for AI evaluation" that helps organizations "find and fix AI risks before they ship." Ganesh Bell of Insight Partners, one of Promptfoo's investors, echoed the framing — calling it the tool that enterprises were reaching for precisely because it mapped to workflows developers already understood.
The timing of this acquisition is not accidental. OpenAI is in the middle of one of the most consequential pivots in its history — from a research organization that happened to make a consumer chatbot into an enterprise software company with government contracts, autonomous agents, and ambitions to embed AI into critical business infrastructure.
That transition creates a security problem that OpenAI could not solve with research papers.
When you deploy a language model as a conversational interface, the security stakes are manageable. The model is answering questions. It can leak information, produce harmful content, or be manipulated — but the blast radius is bounded. When you deploy AI agents that take actions — booking travel, executing trades, filing documents, managing code repositories, making purchases — the blast radius is not bounded at all. A successfully manipulated agent can do things with real-world consequences that no jailbroken chatbot could.
OpenAI has been investing heavily in agentic AI. Operator-mode features in ChatGPT. The API-level capability to give models tool access. The Assistants API designed specifically for building autonomous workflows. The company's enterprise roadmap is built on the premise that its models can be trusted to act in the world on behalf of users and organizations, not just respond to questions.
That premise requires demonstrating, rigorously and repeatedly, that the agents cannot be manipulated into doing things they should not do. Prompt injection — where adversarial instructions are embedded in content an agent reads — is not a theoretical threat. It has already been demonstrated in deployed systems. Jailbreaks that work in a conversational context may have different but equally serious implications when the model has tool access. Data exfiltration through carefully crafted prompts is a documented attack vector.
Promptfoo had built the best automated tooling for testing exactly these vulnerabilities. Acquiring it means OpenAI can integrate that capability directly into its development cycle, rather than relying on external tooling that may not have access to model internals. The announcement specifically cited plans to embed Promptfoo's technology within "model and inference layer research" — language that points to something more fundamental than surface-level integration. The intention is to make security testing a native part of how OpenAI builds and evaluates its models, not a QA step that runs on finished products.
There is also a strategic dimension that goes beyond internal capability. OpenAI's relationship with enterprise customers depends on those customers trusting that the AI systems they deploy will not be exploited. Security incidents — even third-party incidents involving OpenAI's technology — damage that trust. Having Promptfoo's red teaming capabilities in-house lets OpenAI run adversarial evaluations on customer-facing deployments, not just on base models. That is a meaningful selling point for the large financial institutions, healthcare organizations, and government agencies that OpenAI needs to win.
To understand why this acquisition matters, it helps to understand how Promptfoo actually works — because the technical substance is more sophisticated than "AI security testing tool" implies.
Red teaming an AI system traditionally meant hiring a team of security researchers to spend days or weeks trying to find ways to make the model behave badly. It was expensive, non-repeatable, and dependent on the creativity and knowledge of the humans doing it.
Promptfoo automated a substantial portion of that process. The platform maintains libraries of known attack vectors — prompt injection patterns, jailbreak templates, social engineering prompts, adversarial instruction sequences — and can run them against any LLM automatically, at scale, and with structured output that tells developers exactly what worked, what did not, and how confident the system is in its evaluation.
More importantly, it runs these tests programmatically, which means they can be embedded in CI/CD pipelines. Teams can catch regressions in model safety the same way they catch regressions in code functionality — automatically, before anything ships.
The second major capability is runtime protection — the ability to intercept model inputs and outputs in production and apply real-time filtering. This is different from red teaming, which is a pre-deployment evaluation tool. Guardrails are the last line of defense that catches adversarial inputs that made it past development testing.
Promptfoo's guardrails can be configured for specific threat models: detecting personally identifiable information (PII) in model outputs, intercepting prompt injection attempts, blocking outputs that violate content policies, or flagging responses that exhibit signs of the model being manipulated into out-of-character behavior.
The third capability — and perhaps the one that drove the most developer adoption — is static code scanning. LLM vulnerabilities are not just runtime problems. They manifest in how applications are architected: how prompts are constructed, how user input is interpolated into system prompts, how model outputs are consumed downstream.
Promptfoo's scanner integrates with GitHub Actions, VS Code, and common CI/CD systems to flag LLM security anti-patterns in code before they reach production. It is the equivalent of a linter, but for prompt injection vulnerabilities and insecure LLM integration patterns rather than style issues or type errors.
As the AI ecosystem has shifted toward agentic architectures, Promptfoo added a secure proxy for Model Context Protocol (MCP) communications — the emerging standard for how AI agents communicate with external tools and services. This is a forward-looking capability that addresses the security implications of agents that can invoke APIs, read databases, and trigger downstream workflows.
The Promptfoo acquisition lands in the middle of an industry-wide reckoning with AI agent security that has been building for two years and has not resolved.
The fundamental problem is that agents are trusted proxies. When an enterprise deploys an AI agent to handle customer service requests, or to process invoices, or to draft legal documents, the agent operates with some level of delegated authority. It can read systems it is authorized to read. It can take actions it is authorized to take.
Prompt injection exploits that delegation. If an adversary can embed instructions into content the agent reads — a customer email, a web page, a PDF, a database record — those instructions may be interpreted by the model as legitimate commands. The agent follows them because the model does not have a robust mechanism for distinguishing between instructions from the operator and instructions embedded in external content.
The OWASP LLM Top 10 — the most widely referenced framework for LLM application security — lists prompt injection as the number one risk for deployed AI systems. It is not an edge case. It is the default threat model for any agentic deployment.
Other significant attack vectors include:
Indirect prompt injection via retrieval: RAG-based systems that retrieve content from external sources are particularly vulnerable, because the retrieved content is fed directly into the model's context window and can contain adversarial instructions the model cannot distinguish from legitimate retrieved knowledge.
Jailbreaking in multi-agent systems: Multi-agent architectures, where one AI orchestrates others, create new attack surfaces. A jailbreak that succeeds against a subagent may allow an adversary to issue instructions that propagate through the orchestration layer.
Data exfiltration through tool calling: Agents with file access or API access can be manipulated into exfiltrating data — not through the model's outputs, which may be monitored, but through API calls or file writes that execute actions before any content filter sees them.
Training data poisoning through agentic feedback loops: Systems that use agent feedback to improve model behavior create long-horizon attack vectors where adversarial inputs over time shift the model's default behavior in ways that are difficult to detect until they have already caused harm.
None of these attack vectors have fully satisfactory defenses today. The security community is still building the vocabulary and the tooling to reason about them systematically. Promptfoo is part of that effort — and now it is inside OpenAI.
The natural anxiety when an open-source project gets acquired by a large technology company is that the project will be shut down, paywalled, or subtly steered to serve the acquirer's interests at the expense of the community that built it.
Promptfoo's founders have been explicit about addressing that concern. The announcement stated clearly: "Promptfoo will remain open source" and will "continue to support a diverse range of providers and models."
That commitment matters for practical reasons beyond goodwill. A substantial portion of Promptfoo's value — the adoption by 25% of Fortune 500 companies, the 350,000 registered developers, the 11,300+ GitHub stars — is directly attributable to the open-source strategy. Enterprises did not adopt Promptfoo because they were sold to by a sales team. They adopted it because engineers found it useful, deployed it locally, and demonstrated results internally. That adoption pattern only works if the tool remains open, free, and vendor-neutral.
Locking it down would destroy the very thing that made it worth acquiring.
The multi-provider support commitment is particularly significant. Promptfoo currently works with OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, Google Gemini, Ollama, and dozens of other LLM providers. That breadth is a selling point for enterprise teams that are not exclusively committed to one vendor. Maintaining it signals that Promptfoo is not going to become an OpenAI-only tool — at least not publicly.
What OpenAI gets is access to the team, the technology, and the ability to integrate Promptfoo's capabilities at the model layer in ways that external tooling cannot. The open-source project serves OpenAI's interests even after the acquisition, because every Promptfoo user is running tests against models — and the more those tests are run against OpenAI models, the more feedback OpenAI implicitly receives about its models' adversarial robustness.
The market Promptfoo was building in — and that OpenAI is now entering directly — is one of the fastest-growing segments in enterprise technology.
AI security encompasses a cluster of adjacent problems: evaluating model safety before deployment, monitoring model behavior in production, detecting adversarial attacks in real time, auditing AI systems for regulatory compliance, and testing the integrity of multi-agent workflows. No single company has solved all of these. Most are still early.
The urgency is driven by regulation as much as by technical risk. The EU AI Act, which took effect in 2024 and entered enforcement phases in 2025, requires high-risk AI systems to undergo conformity assessments that include security evaluations. Similar frameworks are being developed in the United States, the United Kingdom, and Singapore. Large enterprises deploying AI in regulated industries — banking, healthcare, insurance, legal services — need documentation that their systems have been adversarially tested. Promptfoo's structured output format and CI/CD integration make it directly useful for generating that documentation.
The market is also being shaped by high-profile AI security incidents that have made headlines. Demonstrations of successful prompt injection against deployed customer service agents, jailbreaks that expose internal system prompts, and agentic systems that were manipulated into performing unintended actions have all generated board-level concern about AI security at large enterprises.
Analyst estimates for the AI security market vary, but converge on a trajectory toward tens of billions of dollars in annual spending by the late 2020s, as enterprise AI deployments scale and the regulatory framework tightens. Promptfoo was positioned exactly in the path of that growth — developer-first tooling that was already embedded in enterprise workflows at scale.
The AI security testing space has attracted serious players, and OpenAI's acquisition of Promptfoo reshapes the dynamics.
Adversarial Robustness Toolbox (ART): IBM's open-source framework for adversarial machine learning has broader ML security scope than Promptfoo — it includes computer vision, tabular data, and classic ML models alongside LLMs. It is research-oriented rather than developer-workflow-oriented, which limits production adoption.
Garak: Another open-source LLM vulnerability scanner, developed by NVIDIA researchers. Garak is powerful but more oriented toward research teams than production engineering workflows. Its lack of commercial backing means slower iteration on enterprise integration.
LangKit and WhyLabs: Focused on LLM observability and drift detection in production. Complementary to Promptfoo's pre-deployment focus rather than directly competitive.
Lakera: Zurich-based startup providing AI security infrastructure including prompt injection detection (Lakera Guard) and LLM security training platforms. Raised a Series A in 2024. Directly competitive with Promptfoo's guardrails capability.
Protect AI: Seattle-based company building AI security posture management, including MLflow model scanning, supply chain security, and LLM security. Raised $35 million in a Series A. Broader scope than Promptfoo but overlapping in LLM security.
Robust Intelligence (acquired by Cisco): The company that built one of the first enterprise AI testing platforms was acquired by Cisco in late 2024 for a reported $500 million. That acquisition — Cisco buying AI security for its enterprise security portfolio — is the closest analogy to OpenAI's Promptfoo deal, though the strategic logic is inverted: Cisco bought outward-facing security tooling, while OpenAI is buying security capability to internalize and harden its own systems.
The competitive pressure is intensifying. Microsoft has been investing in responsible AI tooling through Azure AI Studio. Google has built red teaming capabilities into its Vertex AI platform. Amazon has launched security features in AWS Bedrock. The large cloud providers all recognize that enterprise AI adoption depends on demonstrable security, and they are all building or acquiring the tooling to provide it.
OpenAI, with Promptfoo, is now in that race with the most developer-native tool in the space.
Zoom out from the technical details of this deal and the strategic picture comes into focus.
OpenAI spent 2022 and 2023 winning the consumer AI market. ChatGPT became a cultural phenomenon, the fastest-growing consumer product in history, and a demonstration that general-purpose AI had arrived. That phase is largely over — not because ChatGPT failed, but because it succeeded, and the company has pivoted to what comes next.
What comes next is enterprise. OpenAI's most profitable contracts are not consumer subscriptions. They are enterprise API agreements, government contracts, and the vertical AI deployments that large organizations are building on top of OpenAI's models. Those customers have different requirements than individual users. They need auditability. They need compliance documentation. They need to be able to demonstrate to their boards, their regulators, and their legal teams that the AI systems they are deploying have been rigorously tested.
The Promptfoo acquisition addresses that requirement directly. It lets OpenAI say — credibly, with evidence — that its agents have been adversarially tested by the team that built the industry's most widely adopted AI security platform.
There is also a product dimension. OpenAI is building out an enterprise safety and evaluation suite. The language in the acquisition announcement — about integrating Promptfoo's technology at the "model and inference layer" — suggests that some version of Promptfoo's capabilities will become native to the OpenAI platform. Enterprise customers who deploy agents through the Assistants API or Operator features may gain access to automated red teaming and guardrails as platform-native capabilities, rather than having to integrate third-party tools.
That would be a significant competitive advantage. If OpenAI can offer enterprise customers a complete loop — build, deploy, and continuously red-team AI agents within a single platform — it reduces the integration burden that currently makes enterprise AI security slow and expensive.
The deal also signals something broader about the direction of frontier AI labs. The era when AI companies could ship models and treat security testing as someone else's problem is over. As agentic AI moves from demonstration to production deployment, the question of whether these systems can be trusted — technically, verifiably, at scale — has become one of the most important questions in the industry. OpenAI's acquisition of Promptfoo is an acknowledgment that answering it is a core responsibility, not a compliance checkbox.
What is Promptfoo? Promptfoo is an open-source AI security testing platform that helps developers evaluate, red-team, and protect AI applications. It is used by 350,000 developers and approximately 25% of Fortune 500 companies to test for vulnerabilities like prompt injection, jailbreaks, and data exfiltration in AI systems before and after deployment.
Who founded Promptfoo? Promptfoo was co-founded by Ian Webster (CEO) and Michael D'Angelo (CTO) in 2024.
How much did OpenAI pay for Promptfoo? Financial terms were not disclosed in the acquisition announcement.
Will Promptfoo remain open source? Yes. The founders confirmed that the open-source project will remain open and will continue to support multiple AI providers and models, not just OpenAI's.
What will the Promptfoo team do at OpenAI? The team will integrate Promptfoo's security testing capabilities directly into OpenAI's model and infrastructure development process, with the goal of catching vulnerabilities earlier in the AI development lifecycle.
Why is AI agent security important right now? AI agents — systems that take autonomous actions on behalf of users — have a fundamentally larger attack surface than conversational AI. Prompt injection, jailbreaks, and data exfiltration are documented attack vectors against agentic systems. As enterprises deploy AI agents into critical business workflows, testing those systems against known attacks becomes essential.
Who are Promptfoo's competitors? Key competitors include Lakera (AI security guardrails), Protect AI (AI security posture management), Garak (open-source LLM vulnerability scanner), and cloud provider AI security tools from Microsoft Azure, Google Vertex AI, and AWS Bedrock. Robust Intelligence, a similar company, was acquired by Cisco in 2024.
What does this acquisition mean for enterprises evaluating OpenAI? Enterprises considering OpenAI for agentic AI deployments can expect more robust, platform-native security testing capabilities as Promptfoo's technology integrates into OpenAI's enterprise offerings. It also signals that OpenAI is taking agent security seriously as a first-class concern rather than a third-party integration problem.
Sources: Promptfoo acquisition announcement, TechCrunch coverage, GitHub repository
CollectivIQ launches a multi-model AI consensus platform that queries 10+ LLMs simultaneously and reduces hallucinations from 14.2% to 3.8% — a 73% improvement over single-model AI.
Melbourne AI agency Enterprise Monkey publicly quit ChatGPT over the Pentagon deal and advertising, joining the 700K+ user #QuitGPT movement — and signaling a broader enterprise shift toward Claude.
Microsoft unveiled the Frontier Suite (Microsoft 365 E7) on March 9, 2026 — a $99/user enterprise AI bundle bundling Copilot Wave 3, Agent 365, and Copilot Cowork. Here's what it means for the future of enterprise software.