The best AI red-team and pentest tooling lives in open source. None of it ships with policy, approvals, or audit. Arx wraps each tool as a community-tier connector so every probe, scan, and exploit attempt runs through the same intercept → policy → audit pipeline as the rest of your platform — with a free seat and no SLA strings.
The community tier exists because adoption beats lock-in. Same governance as the paid platform; lower retention and no enterprise SLA. Upgrade only when you need it.
Every OSS-tool call routes through BaseConnector.execute. Nothing is special-cased; community connectors carry the same hard gates as platform connectors.
garak, promptfoo, PyRIT, PurpleLlama, agentic-radar all emit into one of three shapes — AIFinding, PentestFinding, AgentVuln — so policies key off severity uniformly.
Each tool runs in a SHA-pinned Docker image with 1 CPU / 1Gi RAM / 600s timeout, no host networking by default. No host volume mounts, scoped LLM keys.
Community connectors don't count toward platform connector caps. Audit retention capped at 30 days; web-only approval routing. Upgrade to extend.
The four canonical OSS AI red-team scanners, each wrapped so their native output maps into ARX's AIFinding shape. Run them on a schedule, on demand, or as a CI gate.
Lightweight CI-oriented prompt-injection / leak / jailbreak scanner from MetaCTF. Pair with promptfoo or PyRIT for layered coverage.
rules:list · scan:run
The "nmap of LLMs." Probe-based vulnerability scanner with families for jailbreak, prompt-injection, leak-replay, encoding bypass, toxicity, and more.
probes:list · scan:run · report:read
LLM eval and adversarial red-team plugins. Run promptfoo's harmful / jailbreak / PII / prompt-injection plugins under ARX policy and audit.
eval:run · redteam:run · report:read
LlamaGuard input/output safety, CodeShield insecure-code detection, CyberSecEval benchmarks. Customer-installed image; ARX never bundles model weights.
llama_guard:scan · code_shield:scan · cyber_sec_eval:run
Static posture from agentic-radar; runtime detections from agentfence. Both ingest into ARX as AgentVuln findings — uniform severity, uniform policy.
Static-analyze a LangChain / LlamaIndex / AutoGen / CrewAI agent codebase. Surface tool-misuse risk, missing HITL gates, scope violations, credential exposure.
frameworks:list · scan:run · report:read
Runtime agent firewall. ARX ingests detections (prompt injection, tool chain abuse, RCE-via-tool, data exfiltration) and applies governance — your control loop, not theirs.
findings:read · rules:read · alerts:ack
Lightweight HTTP-traffic pentest tooling that emits into the same PentestFinding shape as the autonomous agents below. Replays on HAR files, scans on live targets.
HTTP traffic analysis pentest tool. Run rules against HAR captures or live targets; ARX normalizes findings as PentestFindings with CWE / CVSS metadata.
rules:list · scan:run · report:read
Single pentest_agent meta-connector dispatches to autonomous LLM-driven pentest agents (pentagi, strix, ...). Refuses to run without a signed scope, an attributable initiator, and an LLM spend cap. Exploitation always escalates for human approval.
Meta-connector. Pick a provider (pentagi, strix) at runtime. Hard gates baked in: authorization_artifact, max_llm_spend_usd, initiated_by_user_id. Default policy bundle ESCALATEs every exploit:run.
providers:list · recon:run · scan:run · exploit:run
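How the meta-connector's hard gates could be enforced at the intercept → policy → audit step, as an added illustration (not ARX's BaseConnector or any ARX code). The gate names, providers and actions are the ones listed above; the artifact format (an HMAC-SHA256 tag over the canonical JSON of a scope that lists targets), the demo signing key and the `target` request field are assumptions.

```python
import hashlib
import hmac
import json
from enum import Enum

# Constructed demo key. Assumption: a real deployment would verify with a key from the platform key store.
SCOPE_SIGNING_KEY = b"demo-scope-signing-key"
REQUIRED_GATES = ("authorization_artifact", "max_llm_spend_usd", "initiated_by_user_id")
PROVIDERS = {"pentagi", "strix"}
NON_EXPLOIT_ACTIONS = {"providers:list", "recon:run", "scan:run"}

class Decision(Enum):
    ALLOW = "allow"
    ESCALATE = "escalate"
    DENY = "deny"

def sign_scope(scope, key=SCOPE_SIGNING_KEY):
    """Build an authorization artifact: the scope plus an HMAC-SHA256 tag over its canonical JSON (assumed format)."""
    body = json.dumps(scope, sort_keys=True, separators=(",", ":")).encode()
    return {"scope": scope, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def scope_is_valid(artifact, target, key=SCOPE_SIGNING_KEY):
    """The tag must verify and the requested target must be listed in the signed scope."""
    if not isinstance(artifact, dict) or not isinstance(artifact.get("scope"), dict) or "sig" not in artifact:
        return False
    expected = sign_scope(artifact["scope"], key)["sig"]
    if not hmac.compare_digest(expected.encode(), str(artifact["sig"]).encode()):
        return False
    return target in artifact["scope"].get("targets", [])

def evaluate(request):
    """Intercept -> policy -> audit for one pentest_agent call; returns (decision, reason, audit record)."""
    audit = {k: request.get(k) for k in ("action", "provider", "target", "initiated_by_user_id")}
    missing = [g for g in REQUIRED_GATES if not request.get(g)]
    if missing:
        return Decision.DENY, "missing hard gate(s): " + ", ".join(missing), audit
    if request.get("provider") not in PROVIDERS:
        return Decision.DENY, f"unknown provider: {request.get('provider')!r}", audit
    spend = request["max_llm_spend_usd"]
    if isinstance(spend, bool) or not isinstance(spend, (int, float)) or spend <= 0:
        return Decision.DENY, "max_llm_spend_usd must be a positive number", audit
    if not scope_is_valid(request["authorization_artifact"], request.get("target", "")):
        return Decision.DENY, "target not covered by a validly signed scope", audit
    action = request.get("action")
    if action == "exploit:run":
        return Decision.ESCALATE, "exploit:run always requires human approval", audit
    if action in NON_EXPLOIT_ACTIONS:
        return Decision.ALLOW, "within signed scope", audit
    return Decision.DENY, f"unknown action: {action!r}", audit
```

The audit record is returned with every decision, including denials, so a refused call still leaves an attributable trace.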
We add providers on customer request — never speculatively. Adding a provider does not add a customer-visible connector; abandoning one drops a dispatch case, not a feature. Deferred providers below.
0x4m4's hex-strike pentest agent. Provider available on demand.
0xSojalSec's PentestAgent. Provider available on demand.
vxcontrol's autonomous pentest agent. Default provider for the meta-connector.
GH05TCREW's pentest agent. Provider available on demand.
usestrix autonomous pentest agent. Second supported provider out of the box.
davidmatousek's pentest agent. Single-author repo; abandonment risk contained by the meta-connector.
Free community-tier seat. We'll set up garak + promptfoo on a target model, run the ai-redteam-benchmark workflow, and walk you through the audit trail and approval gate. No card.