Red-teaming AI agents like they’re enemy combatants
Attacks AI agents, MCP servers, and LLM apps like a real threat actor would—via CLI, browser, IDE, or SDK—so teams can stop guessing about security.
What it does
OPFOR—short for Opposition Force, the military term for a training enemy—red-teams the full AI agent surface: prompts, tool calls, MCP endpoints, memory, and multi-turn reasoning. It generates adversarial test cases mapped to OWASP suites (LLM Top 10, Agentic AI Top 10, MCP Top 10, API Security, and EU AI Act bias), fires them at the target, and uses an LLM judge to classify each response as pass or fail with reasoning. Every prompt, request, response, and verdict is logged to disk as HTML and JSON for reproducibility.
The interesting bit
Instead of forcing everyone through a Python script or YAML file, the project ships five entry points—CLI, browser extension, MCP server, IDE skills, and TypeScript SDK—that all share the same attack templates and judge logic. That inclusivity is rare in security tooling. The trace-aware mode is also clever: plug it into Langfuse or Netra and the judge sees internal tool calls and intermediate reasoning steps, catching leaks that never reach the user-facing text.
Key highlights
- Maps to five industry standards in one tool: OWASP LLM Top 10, OWASP Agentic AI Top 10, OWASP MCP Top 10, OWASP API Security, and EU AI Act bias
- Browser extension auto-detects chat interfaces for no-code red-teaming against live chatbots
opfor huntspins up a multi-agent system (commander, operators, scout) that runs adaptive, autonomous attack campaigns without a config file- Trace-aware judging via Langfuse or Netra evaluates what happens inside the agent, not just the final rendered output
- Apache 2.0, built by KeyValue Software Systems in India
Caveats
- Autonomous
opfor huntmode is Claude-only for the attacking agents; your target can be any provider, but the red-team brain is locked to Anthropic - The browser extension is distributed via the Chrome Web Store; Firefox or Safari support is not mentioned in the sources
Verdict
Worth evaluating if you ship AI agents with tool calls or MCP servers and need to cover multiple OWASP suites without maintaining a patchwork of separate tools. If you only need to test a single LLM endpoint with no agentic surface, the full feature set may be more than you need.
Frequently asked
- What is KeyValueSoftwareSystems/agent-opfor?
- Attacks AI agents, MCP servers, and LLM apps like a real threat actor would—via CLI, browser, IDE, or SDK—so teams can stop guessing about security.
- Is agent-opfor open source?
- Yes — KeyValueSoftwareSystems/agent-opfor is an open-source project tracked on heatdrop.
- What language is agent-opfor written in?
- KeyValueSoftwareSystems/agent-opfor is primarily written in TypeScript.
- How popular is agent-opfor?
- KeyValueSoftwareSystems/agent-opfor has 517 stars on GitHub.
- Where can I find agent-opfor?
- KeyValueSoftwareSystems/agent-opfor is on GitHub at https://github.com/KeyValueSoftwareSystems/agent-opfor.