← all repositories
KeyValueSoftwareSystems/agent-opfor

Red-teaming AI agents like they’re enemy combatants

Attacks AI agents, MCP servers, and LLM apps like a real threat actor would—via CLI, browser, IDE, or SDK—so teams can stop guessing about security.

517 stars TypeScript LLMOps · EvalAgents
agent-opfor
Collecting fresh signals — velocity needs a few days of history.
collecting data…
star history

What it does

OPFOR—short for Opposition Force, the military term for a training enemy—red-teams the full AI agent surface: prompts, tool calls, MCP endpoints, memory, and multi-turn reasoning. It generates adversarial test cases mapped to OWASP suites (LLM Top 10, Agentic AI Top 10, MCP Top 10, API Security, and EU AI Act bias), fires them at the target, and uses an LLM judge to classify each response as pass or fail with reasoning. Every prompt, request, response, and verdict is logged to disk as HTML and JSON for reproducibility.

The interesting bit

Instead of forcing everyone through a Python script or YAML file, the project ships five entry points—CLI, browser extension, MCP server, IDE skills, and TypeScript SDK—that all share the same attack templates and judge logic. That inclusivity is rare in security tooling. The trace-aware mode is also clever: plug it into Langfuse or Netra and the judge sees internal tool calls and intermediate reasoning steps, catching leaks that never reach the user-facing text.

Key highlights

  • Maps to five industry standards in one tool: OWASP LLM Top 10, OWASP Agentic AI Top 10, OWASP MCP Top 10, OWASP API Security, and EU AI Act bias
  • Browser extension auto-detects chat interfaces for no-code red-teaming against live chatbots
  • opfor hunt spins up a multi-agent system (commander, operators, scout) that runs adaptive, autonomous attack campaigns without a config file
  • Trace-aware judging via Langfuse or Netra evaluates what happens inside the agent, not just the final rendered output
  • Apache 2.0, built by KeyValue Software Systems in India

Caveats

  • Autonomous opfor hunt mode is Claude-only for the attacking agents; your target can be any provider, but the red-team brain is locked to Anthropic
  • The browser extension is distributed via the Chrome Web Store; Firefox or Safari support is not mentioned in the sources

Verdict

Worth evaluating if you ship AI agents with tool calls or MCP servers and need to cover multiple OWASP suites without maintaining a patchwork of separate tools. If you only need to test a single LLM endpoint with no agentic surface, the full feature set may be more than you need.

Frequently asked

What is KeyValueSoftwareSystems/agent-opfor?
Attacks AI agents, MCP servers, and LLM apps like a real threat actor would—via CLI, browser, IDE, or SDK—so teams can stop guessing about security.
Is agent-opfor open source?
Yes — KeyValueSoftwareSystems/agent-opfor is an open-source project tracked on heatdrop.
What language is agent-opfor written in?
KeyValueSoftwareSystems/agent-opfor is primarily written in TypeScript.
How popular is agent-opfor?
KeyValueSoftwareSystems/agent-opfor has 517 stars on GitHub.
Where can I find agent-opfor?
KeyValueSoftwareSystems/agent-opfor is on GitHub at https://github.com/KeyValueSoftwareSystems/agent-opfor.

heatdrop uses Google Analytics to see which pages get read — nothing else. Your call. How we handle data.