Describe garak's role in the red-team toolchain
Garak is an open-source LLM vulnerability scanner, the nmap for LLMs first-pass tool.
When a network security team wants to know what services are running on a server, they reach for a scanner like nmap. They point the scanner at the server, it runs through a long list of known checks, and it produces a report listing what is exposed and what looks risky. Garak does the same job for a language model. You give it a model endpoint, it tries every known trick, pretending to be a different system, asking the model to leak its training data, requesting harmful instructions in encoded form, and it reports which tricks worked. It is not a sophisticated targeted attack, just a broad first-pass check that catches the obvious weaknesses before a deeper review.
Detailed answer & concept explanation~10 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
2 min: garak is the open-source LLM vulnerability scanner, nmap for LLMs. Battery of probes (injection, jailbreak, encoding, leakage, malware, hallucination, toxicity) produces a structured findings report. Roles: first-pass discovery before bespoke red-teaming, CI regression gate, periodic scanning. Limits: public probe library, detector noise, breadth not depth. Composes with PyRIT (custom campaigns), Promptfoo (CI), and continuous evaluation platforms.
Real products, models, and research that use this idea.
- Garak is maintained by NVIDIA and is open-source on GitHub; 2026 versions ship probes derived from the OWASP LLM Top 10 and published jailbreak research.
- Promptfoo's safety-mode probes pull from the garak library along with PyRIT and OWASP for CI integration.
- Anthropic and OpenAI both cite garak in their model cards as part of the external evaluation suite their models are tested against.
- Enterprise red-team programs at financial institutions and healthcare companies use garak as the first-pass scanner before engaging bespoke red-team consultants.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow do you handle garak's detector noise, probes marked as succeeded when the model actually refused?
QWhy is garak insufficient for continuous evaluation, even when run on a schedule?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Treating garak's pass as a guarantee of safety. It is a first-pass scanner; bespoke red-teaming and continuous evaluation are still needed.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.