OpenAI said it has agreed to acquire Promptfoo, an AI security platform that helps enterprises identify and remediate vulnerabilities in AI systems during development.
OpenAI said Promptfoo’s technology will be integrated into OpenAI Frontier, the company’s platform for building and operating AI coworkers, once the acquisition is finalized.
What OpenAI is buying
The acquisition gives OpenAI a company whose products are designed to help test AI systems during development and before wider deployment. OpenAI said Promptfoo is trusted by more than 25% of Fortune 500 companies and said its open-source CLI and library are widely used for evaluating and red-teaming LLM applications.
Promptfoo, in its own announcement, said it was founded in 2024 by Ian Webster and Michael D’Angelo, and that more than 350,000 developers have used the product, with 130,000 active monthly users.
What Frontier gains from the deal
OpenAI’s stated reason for the deal is narrow and specific. The company said Frontier will gain automated security testing and red-teaming for risks including prompt injections, jailbreaks, data leaks, tool misuse and out-of-policy agent behaviors.
It also said Promptfoo’s technology will be used to integrate security and evaluation earlier into development workflows, with reporting and traceability features meant to help organizations document testing, monitor changes over time and meet governance, risk and compliance expectations for AI.
Those categories line up closely with the way the security field is already describing agent and LLM risk. The Open Worldwide Application Security Project (OWASP)’s Top 10 for Large Language Model Applications lists prompt injection, sensitive information disclosure, supply chain vulnerabilities, insecure output handling and excessive agency among the leading classes of risk for LLM systems.
The National Institute of Standards and Technology (NIST)’s Generative AI Profile, released in 2024 as a companion resource to the AI Risk Management Framework, is designed to help organizations govern, map, measure and manage generative AI risks, including those tied to large language models, cloud-based services and acquisition.
The document also includes a section on pre-deployment testing, placing evaluation, documentation and testing inside a broader operational risk process rather than a standalone model benchmark exercise.
OpenAI’s competitors have introduced similar evaluation and governance tooling. Google Cloud said it had introduced agent evaluation in Vertex AI, AWS documents show Bedrock Guardrails includes prompt attack detection, and Microsoft’s guidance for enterprise AI agents tells organizations to review security and governance guidance, enable automatic security scans and verify runtime protection status before broader rollout.
What Promptfoo’s own product scope covers
Promptfoo’s own product materials help explain what OpenAI is actually buying. In its red-teaming documentation, Promptfoo says its framework supports automated testing for privacy and security issues such as PII leaks, access-control vulnerabilities and SSRF, as well as technical vulnerabilities including prompt injection and extraction, jailbreaking, hijacking, and SQL and shell injection.
The same documentation says the system also tests for broader behavioral and misuse issues such as misinformation, excessive agency, hallucination and overreliance.
How the acquisition fits the Frontier and Codex Security buildout
That product scope fits the way OpenAI has been positioning Frontier since its launch on Feb. 5. In introducing Frontier, OpenAI said enterprises were being slowed less by model intelligence than by how agents are built and run inside organizations.
It described Frontier as an end-to-end platform for building, deploying and managing agents, with shared context, permissions and boundaries, and said early adopters included HP, Intuit, Oracle, State Farm, Thermo Fisher and Uber.
OpenAI also said Frontier is built on open standards so software teams can plug in and build agents that benefit from the same shared context.
OpenAI extended that strategy later in February through its Frontier Alliances with Accenture, BCG, Capgemini and McKinsey, which the company said was designed to help enterprises move from pilots to production with secure, scalable agent deployments.
Against that backdrop, the Promptfoo acquisition adds testing, red-teaming and compliance tooling to the same Frontier platform. The acquisition also landed only days after OpenAI introduced Codex Security, its application security agent for software projects.
In that March 6 announcement, OpenAI said Codex Security is designed to build project context, create a threat model, validate issues and propose patches. It had scanned more than 1.2 million commits across external repositories in its beta cohort over the prior 30 days, according to the company, identifying 792 critical findings and 10,561 high-severity findings.
Read together, the two announcements show OpenAI adding more security tooling around both software and agents, though the company has described them as separate products with different scopes.
What remains open and what has not been disclosed
What OpenAI has committed to publicly is more limited, but still important for current users. OpenAI said it will continue building the open-source Promptfoo project while advancing integrated enterprise capabilities inside Frontier.
Promptfoo said it will remain open source, continue serving users and customers and continue supporting a diverse range of providers and models, describing the open-source suite as a red-teaming, static scanning and evals tool for any AI model or application.
That matters because Promptfoo’s value before the deal was not limited to OpenAI models or OpenAI infrastructure.
What neither company has disclosed is also clear from the record. OpenAI did not disclose financial terms. It did not provide a closing date beyond saying the transaction is subject to customary conditions.
It also did not publish a timetable for when Promptfoo’s testing, reporting or compliance features will become native Frontier capabilities, or how those features will be packaged commercially once the acquisition closes.