If you run a red team, you know the rule: the auditor does not work for the audited. You picked Promptfoo exactly because it sat outside the model vendors. 350K developers, 25% of the Fortune 500, MIT-licensed, multi-provider. It ran your jailbreak fixtures, your prompt-injection probes, your PII-leak scenarios — and it reported what broke, regardless of which lab built the model. That independence was the product.
Security testing has a conflict-of-interest problem the rest of ML eval work doesn't. When you're scoring accuracy, vendor ownership is a nuisance. When you're scoring exploitability, vendor ownership is the whole question.
On March 9, 2026, OpenAI acquired Promptfoo. Founders Ian Webster and Michael D'Angelo joined OpenAI Frontier. Terms undisclosed. Last private valuation: $86M, per TechCrunch. The promptfoo.dev announcement committed — in writing — to keeping the framework MIT-licensed, multi-provider, and independently governed. Good language. Structural incentive says read it twice.
Here's what actually shifts for security teams. Promptfoo's red-team module ships pre-built attack packs — OWASP LLM Top 10, NIST AI RMF probes, a library of known jailbreak templates. When you ran those against GPT-4o last year, the failing cases became telemetry you owned. Post-acquisition, the cloud-hosted scanning tier routes through OpenAI infrastructure. Which means the set of prompts that successfully jailbreak an OpenAI model is now visible to the vendor whose model got jailbroken — before you've written the disclosure email. That's not a hypothetical; that's how the hosted runner works.
The Hacker News thread from March 9 surfaced two technical concerns the press release didn't. First, attack-pack curation: who decides which jailbreak templates ship in the default pack when the owner also ships the model being jailbroken? A dev.to teardown flagged that three OpenAI-specific prompt-injection tests quietly moved from the default suite to an "advanced" tier in the v2.14 release notes on March 22. Could be housekeeping. Could be not. Second, the grader model: Promptfoo's LLM-as-judge defaults to GPT-4o for rubric scoring. An OpenAI-owned framework using an OpenAI model to grade OpenAI model outputs is not a fresh conflict — it's the same conflict, now load-bearing. Anthropic's red-team guidance has always recommended cross-vendor grading for exactly this reason.
None of this means the tool got worse. The self-hosted OSS build still runs fine on your own infra, against any provider, with any grader you point at it. The MIT license is real. The commits keep landing. What changed is the default path: the cloud tier, the hosted attack packs, the managed grader. Teams that adopted Promptfoo for convenience inherit the new trust boundary whether they read the acquisition FAQ or not.
If your threat model includes OpenAI as a potential adversary — regulated industries, frontier-model evaluation contracts, any work under an NDA that names a specific lab — move grading to a cross-vendor setup this quarter. Run Promptfoo self-hosted, grade with Claude or Gemini, keep your attack fixtures in a private repo. DeepEval and Arize Phoenix are genuinely vendor-neutral if you'd rather switch tools entirely.
The honest read: the independent red-team tooling layer just got shorter by one name. The regulators haven't noticed yet 😾
→ OpenAI acquires Promptfoo → Promptfoo joining OpenAI → TechCrunch coverage
