Garak is an open-source LLM vulnerability scanner from NVIDIA’s AI Red Team, listed in the AI security category. It has 6,938 GitHub stars, 777 forks, and 71 contributors.
The name comes from the Star Trek character — fitting for a tool described as “the LLM vulnerability scanner” in the same way nmap scans networks or Metasploit tests exploits. NVIDIA released it under Apache 2.0 and actively maintains it with 3,500+ commits. The latest release is v0.14.0 (February 2026), which introduced redesigned HTML reports and JSON config support.
What is Garak?
Garak systematically probes language models for security weaknesses and safety failures. You point it at a model endpoint, pick which probe modules to run, and it generates adversarial inputs, feeds them to the model, and analyzes responses using detector modules.
Everything in Garak is a plugin. Probes generate test inputs. Detectors analyze responses. Generators interface with target LLMs. Evaluators compile results. Harnesses structure test workflows. Buffs modify probe behavior. Because of this modular design, you can test any model accessible via API.
Key Features
| Feature | Details |
|---|---|
| Probe Modules | 50+ (promptinject, dan, encoding, goodside, lmrc, malwaregen, packagehallucination, leakreplay, snowball, tap, visual_jailbreak, xss, and more) |
| Detector Types | 28 built-in |
| Generator Backends | 23 (openai, huggingface, azure, bedrock, cohere, groq, litellm, mistral, nim, nvcf, ollama, replicate, rest, watsonx, and more) |
| Output Formats | JSONL reports, HTML reports (redesigned in v0.14.0), hit logs, debug logs |
| Python Support | 3.10 to 3.12 |
| License | Apache 2.0 |
| Academic Paper | arXiv:2406.11036 |
| Community | Discord server, 71 contributors |
Probe categories
Garak ships with probes organized by attack type:
| Probe | What It Tests |
|---|---|
promptinject | Prompt injection techniques to override system instructions |
dan | “Do Anything Now” jailbreak variants |
encoding | Encoding-based bypasses (base64, ROT-13, etc.) |
goodside | Safe content verification |
knownbadsignatures | Known harmful patterns |
lmrc | Language Model Risk Cards |
malwaregen | Malware generation attempts |
packagehallucination | Fake package name suggestions |
leakreplay | Training data extraction |
snowball | Escalating harmful requests |
tap | Tree of Attack with Pruning |
visual_jailbreak | Visual encoding jailbreaks |
xss | Cross-site scripting via LLM output |
atkgen | Automated attack generation |
continuation | Continuation-based attacks |
divergence | Model divergence probing |
grandma | Social engineering via roleplay |
latentinjection | Latent prompt injection |
Generator backends
Garak supports 23 different ways to connect to target models. The major backends include:
- OpenAI — GPT models via API (chat and completion)
- Hugging Face — Pipeline and Inference APIs for hosted models
- AWS Bedrock — Claude, Llama, Titan, and other Bedrock models
- Cohere — Cohere Command models
- Groq — Fast inference endpoints
- LiteLLM — Unified interface to 100+ providers
- Ollama — Local models
- Replicate — Hosted open-source models
- REST — Custom API endpoints
- NIM/NVCF — NVIDIA inference endpoints
Output and reporting
Garak generates three types of output per scan:
- garak.log — Debug information, persists across runs
- JSONL report — Detailed per-attempt records with status tracking
- Hit log — Vulnerability findings only
Version 0.14.0 added redesigned HTML reports for easier reading.
Getting Started
python -m pip install -U garak. Requires Python 3.10 to 3.12. For development, clone the repo and install in editable mode.export OPENAI_API_KEY="sk-...". For Hugging Face: export HF_TOKEN="hf_...".python3 -m garak --target_type openai --target_name gpt-5-nano --probes encoding.garak --list_probes to see all available probe modules.CLI usage
The CLI is the primary interface. These examples are from the official README:
# List all available probes
garak --list_probes
# Probe an OpenAI model for encoding-based attacks
export OPENAI_API_KEY="sk-123XXXXXXXXXXXX"
python3 -m garak --target_type openai --target_name gpt-5-nano --probes encoding
# Test a Hugging Face model against DAN 11.0 jailbreak
python3 -m garak --target_type huggingface --target_name gpt2 --probes dan.Dan_11_0
# Run specific probes against GPT-4
garak --model_type openai --model_name gpt-4 --probes promptinject
Installation from source
For development or the latest features:
conda create --name garak "python>=3.10,<=3.12"
conda activate garak
gh repo clone NVIDIA/garak
cd garak
python -m pip install -e .
Or install directly from the main branch:
python -m pip install -U git+https://github.com/NVIDIA/garak.git@main
When to use Garak
Garak is the right tool when you need a dedicated vulnerability scanner with a wide library of attack probes. Its 50+ probe modules cover more attack techniques than most alternatives, and the plugin architecture lets you extend it with custom probes for your specific threat model.
The CLI-first design makes it easy to drop into existing workflows. Point it at any model endpoint, run a scan, and get a structured report.
Security teams use it for red team assessments of LLM deployments and pre-deployment security checks. The CLI output is also easy to pipe into monitoring dashboards for ongoing scans.
For a broader overview of AI threats and defenses, see our AI security guide. For a Python-native framework with structured vulnerability categories and OWASP mapping, see DeepTeam. For an evaluation framework that combines prompt testing with red teaming, look at Promptfoo. For Microsoft’s multi-turn red teaming orchestrator, check PyRIT. For runtime guardrails rather than testing, consider NeMo Guardrails or LLM Guard.
