Opfor is an open-source red-teaming toolkit for AI agents and MCP servers. It generates OWASP-mapped attack prompts, fires them at your target, and judges each response with an LLM. You get an HTML report for browsing and a JSON report for CI. Test your AI the way a real attacker would — from your terminal, your IDE, a browser extension anyone on your team can use, or your own code.

Quickstart

Run your first scan and get a report in a few minutes.

Core concepts

Targets, evaluators, suites, judging, and reports.

Five ways to run it

Different people on your team need different entry points. Opfor ships five, all sharing the same evaluators, attack templates, and judge logic.

CLI

opfor setup, then opfor run. For engineers, CI, and terminal-first workflows.

Browser extension

Click the icon on any chat UI. No code — for QA, PMs, and security analysts.

MCP server

Run opfor as an MCP server so Cursor or Claude Desktop can drive it.

Skills

/opfor-setup and /opfor-run slash commands inside your AI coding agent.

SDK

@agent-opfor/sdk — run scans programmatically from your own Node code.

Two kinds of target

Opfor picks its pipeline from your target type.
Target | What it is | How it's attacked
agent | An HTTP endpoint or local script that speaks LLM chat | The attacker LLM writes adversarial prompts; opfor sends them and judges the reply
mcp | An MCP server (stdio process or remote URL) | Opfor enumerates tools, crafts adversarial tools/call payloads, and judges them
Use agent mode for chatbots, RAG apps, and tool-calling agents behind an HTTP API. Use mcp mode to attack an MCP server directly.

What it covers

Opfor ships curated suites mapped to industry standards — OWASP LLM Top 10, OWASP Agentic AI Top 10, OWASP MCP Top 10, OWASP API Security Top 10, and EU AI Act bias. Pick a suite for broad coverage or run individual evaluators for a focused scan.

Evaluator reference

Full list of evaluators and suites with their OWASP mappings.