Match PyRIT and garak to the red-teaming jobs they are actually good at
PyRIT (Microsoft) is an orchestration framework for adaptive multi-turn attacker-LLM red-teaming; garak (NVIDIA) is a scanner with a fixed probe library, use garak in CI regression, use PyRIT for quarterly
Think of two tools in a security team's kit. The first is like an antivirus scanner, it has a big library of known threats and you run it on a schedule to check that none of them slip through. That is garak. The second is like a hired penetration tester who actually thinks during the test, tries one trick, watches your reaction, tries a different angle, and chains attacks together. That is PyRIT. You need both. The scanner catches the regressions you would never notice; the tester finds the surprises that no static list could have predicted.
Detailed answer & concept explanation~7 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
3 min: contrast a probe-library scanner with an orchestration framework, describe the CI versus scenario fit for each, and walk through the feedback loop from PyRIT findings to garak probes.
Real products, models, and research that use this idea.
- Microsoft red-team teams publish PyRIT scenarios that simulate adaptive attacker behaviour against Azure OpenAI deployments; these have driven several public CVE-like advisories on prompt-injection patterns.
- NVIDIA's garak is bundled into NeMo Guardrails CI examples and is increasingly the default open-source regression scanner for OSS LLM application stacks.
- Commercial red-team services like Lakera Red and Patronus typically combine elements of both, pre-built probe suites plus adaptive attacker harnesses, recognising that neither layer alone is sufficient.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow would you turn a PyRIT-discovered incident into a garak probe?
QWhat is the right cadence for PyRIT exercises versus garak regression?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Treating PyRIT and garak as alternatives to each other; they cover different parts of the red-team programme and the production answer is to use both with clear roles.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.