AI/LLM Red Team Suite
Point RedPincer at any LLM API endpoint, select your attack modules, and run automated red team assessments with real-time streaming results, heuristic analysis, and exportable reports.
Warning
RedPincer is designed for authorized security testing and research only. Use it to audit AI systems you own or have explicit permission to test. Do not use this tool against systems without authorization.
| Category | Payloads | Description |
|---|---|---|
| 💉 Prompt Injection | 40 | Instruction override, delimiter confusion, indirect injection, payload smuggling |
| 🔓 Jailbreak | 41 | Persona splitting, gradual escalation, hypothetical framing, roleplay exploitation |
| 🔍 Data Extraction | 40 | System prompt theft, training data probing, membership inference, embedding extraction |
| 🛡️ Guardrail Bypass | 40 | Output filter evasion, multi-language bypass, homoglyph tricks, context overflow |
| 🔧 Tool Abuse | 22 | Tool enumeration, schema exfiltration, parameter injection, privilege escalation, workflow hijack |
| 🔁 Multi-Turn Escalation | 21 | 5 escalation chains: rapport→authority, context shifting, boundary testing, role anchoring, commitment |
| 🔐 Encoding Bypass | 18 | Base64, hex, ROT13, unicode homoglyphs, reverse text, morse code, layered encoding |
OpenAI · Anthropic · OpenRouter · Any OpenAI-compatible endpoint
Bug Fixes
- Auto-fetch models — Select from available models via dropdown after entering API key
- Edit/delete targets — Full CRUD on saved LLM targets
- Reduced false positives — Context-aware analysis detects "explain then refuse" patterns
- Stop button — Cancel running attacks with AbortController
- Verbose reports — 10-section professional pen-test quality reports
New Features
- ✨ AI Payload Generation — Use the target LLM to generate novel attack payloads
- 🧠 Adaptive Attack Engine — Analyzes weaknesses and suggests targeted follow-ups
- 📈 Multi-Target Comparison — Run same payloads against multiple models
- 🗺️ Vulnerability Heatmap — Visual matrix of success rates
- 🔁 Regression Testing — Save baselines, detect patched/new vulnerabilities
- ✏️ Custom Scoring Rubrics — Weighted criteria with letter grades
- 60 new payloads — Now 222 total across 7 categories
- 🔒 Session-Based Auth — Opt-in username/password protection with HMAC cookies
- 🛡️ Rate Limiting — Sliding window rate limits on all API routes
- 🔧 Tool Abuse Payloads — 22 payloads for tool enumeration, schema exfiltration, privilege escalation
- 🔁 Multi-Turn Escalation — 21 payloads across 5 escalation chain strategies
- 🔐 Encoding Bypass — 18 payloads testing base64, hex, ROT13, unicode, and layered encoding
- 📤 Structured Export — Download results as JSON, CSV, or SARIF v2.1.0 for CI/CD and SIEM integration
- 🔑 API Key Vault — Server-side AES-256-GCM encrypted key storage (keys never persist client-side)
```bash
# Clone the repository
git clone https://github.com/rustyorb/pincer.git
cd pincer

# Install dependencies
npm ci

# Start development server
npm run dev
```

Open http://localhost:3000 to access the dashboard.

Production build:

```bash
npm run build
npm start
```

Workflow:

```mermaid
graph LR
    A[Configure Target] --> B[Select Categories]
    B --> C[Run Attack]
    C --> D[Review Results]
    D --> E[Generate Report]
    D --> F[Run Adaptive Follow-up]
    E --> G[Export MD / JSON / CSV / SARIF]
```
- Configure a Target — Add an LLM endpoint with provider, API key, and model (auto-fetched)
- Select Attack Categories — Check the categories to test
- Run Attack — Hit RUN to stream attacks; hit STOP to cancel anytime
- Review Results — Analyze with heuristic classification, severity scores, and leaked data highlights
- Generate Report — Export findings as Markdown, JSON, CSV, or SARIF
| Tool | Description |
|---|---|
| Compare | Run same payloads against 2-4 targets simultaneously |
| Adaptive | Analyze weaknesses from a run, generate targeted follow-ups |
| Heatmap | Visual matrix of vulnerability rates by category and severity |
| Regression | Save baseline results, re-run later to detect fixes or regressions |
| Scoring | Define custom rubrics with weighted category/severity/classification scores |
| Chains | Build multi-step attacks with {{previous_response}} template variables |
| Payload Editor | Create custom payloads with syntax highlighting + AI generation |
| Export | Download results as JSON (full data), CSV (spreadsheet), or SARIF (GitHub/Azure security) |
```text
Target Config ──> POST /api/attack ──> NDJSON Stream ──> Heuristic Analysis ──> Zustand Store
                                                                                     │
                                                                                localStorage
```

- All components are client-side ("use client") — no server components
- Single-page layout — page.tsx switches views based on store.view
- NDJSON streaming — real-time results from API routes
- Heuristic analysis — pattern-matching classifier (no LLM-based grading)
- Zustand + persist — state synced to localStorage
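The NDJSON stream is consumed incrementally, so the client cannot assume that one network chunk is one JSON line: a chunk can end in the middle of a line, or even in the middle of a multi-byte UTF-8 character. The following is an added example written for this page, not RedPincer's own client code; the event field names (`payloadId`, `verdict`, `note`, `done`) and the sample stream are constructed for illustration.

```typescript
// Added example (not RedPincer's own code): incremental NDJSON decoding for a
// streamed POST /api/attack response. Event field names below are assumed.

type AttackEvent = Record<string, unknown>;

export class NdjsonParser {
  // stream: true keeps a multi-byte UTF-8 sequence split across chunks intact
  private decoder = new TextDecoder("utf-8");
  private buffer = "";

  /** Feed one network chunk; returns every complete JSON line it closes. */
  push(chunk: Uint8Array): AttackEvent[] {
    this.buffer += this.decoder.decode(chunk, { stream: true });
    const events: AttackEvent[] = [];
    let nl: number;
    while ((nl = this.buffer.indexOf("\n")) !== -1) {
      const line = this.buffer.slice(0, nl).trim();
      this.buffer = this.buffer.slice(nl + 1);
      if (line.length === 0) continue; // tolerate keep-alive blank lines
      events.push(JSON.parse(line) as AttackEvent); // malformed line: let it throw
    }
    return events;
  }

  /** Call at end-of-stream: a final line with no trailing newline is still valid NDJSON. */
  flush(): AttackEvent[] {
    const rest = (this.buffer + this.decoder.decode()).trim();
    this.buffer = "";
    return rest.length ? [JSON.parse(rest) as AttackEvent] : [];
  }
}

/** Drive the parser over an already-collected list of chunks (used by the sample below). */
export function parseAll(chunks: Uint8Array[]): AttackEvent[] {
  const parser = new NdjsonParser();
  const events = chunks.flatMap((c) => parser.push(c));
  return events.concat(parser.flush());
}

// Constructed sample stream: three events, deliberately cut at awkward places.
// Byte 103..106 is the 4-byte emoji in "note"; the second cut (105) splits it.
const encoder = new TextEncoder();
const streamBytes = encoder.encode(
  '{"payloadId":"inj-001","verdict":"refused"}\n' +
    '{"payloadId":"inj-002","verdict":"complied","note":"leaked 🔑"}\n' +
    '{"done":true}', // no trailing newline on the last event
);
export const sampleChunks: Uint8Array[] = [
  streamBytes.slice(0, 20), // ends mid-object
  streamBytes.slice(20, 105), // ends inside the emoji
  streamBytes.slice(105), // remainder, including the unterminated last line
];
```

In a browser client the chunks come from `res.body.getReader()` on the `fetch` response; passing an `AbortController`'s `signal` to that `fetch` (the page's STOP button) makes the next `read()` reject, which ends the loop without corrupting already-parsed events.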
| Route | Method | Description |
|---|---|---|
| /api/attack | POST | Streams attack results as NDJSON |
| /api/chain | POST | Executes multi-step attack chains |
| /api/test-connection | POST | Validates endpoint connectivity |
| /api/models | POST | Fetches available models from provider |
| /api/generate-payload | POST | AI-powered payload generation |
| /api/generate-adaptive | POST | AI-generated follow-up attacks based on weakness analysis |
| /api/explain | POST | AI-powered explanation of attack results |
| /api/mutate-payload | POST | AI mutation of blocked payloads to find bypasses |
| /api/summarize-run | POST | AI-generated executive summary of attack run |
| /api/keys | POST/DELETE/GET | Server-side encrypted API key vault (store, remove, check) |
| /api/auth/login | POST | Session-based login (when auth enabled) |
| /api/auth/logout | POST | Clear session cookie |
| /api/auth/status | GET | Check authentication state |
```text
src/
├── app/
│   ├── page.tsx                       # Main app with 12-view routing
│   ├── layout.tsx                     # Root layout + fonts
│   ├── globals.css                    # Tailwind + OKLCH color tokens
│   └── api/
│       ├── attack/route.ts            # Attack streaming (NDJSON)
│       ├── chain/route.ts             # Chain execution
│       ├── test-connection/route.ts   # Connection validation
│       ├── models/route.ts            # Model list fetching
│       ├── generate-payload/route.ts  # AI payload generation
│       ├── generate-adaptive/route.ts # AI adaptive follow-up generation
│       ├── explain/route.ts           # AI result explanation
│       ├── mutate-payload/route.ts    # AI payload mutation
│       ├── summarize-run/route.ts     # AI run summarization
│       └── auth/                      # Auth endpoints (login/logout/status)
├── components/
│   ├── sidebar.tsx                    # Navigation + targets + run/stop
│   ├── target-config.tsx              # Target CRUD + model dropdown
│   ├── attack-modules.tsx             # Payload browser
│   ├── results-dashboard.tsx          # Results + analysis display
│   ├── report-generator.tsx           # Verbose report export
│   ├── chain-builder.tsx              # Multi-step chain editor
│   ├── session-manager.tsx            # Export/import sessions
│   ├── payload-editor.tsx             # Custom payloads + AI generation
│   ├── comparison-dashboard.tsx       # Multi-target comparison
│   ├── adaptive-runner.tsx            # Adaptive follow-up attacks
│   ├── vulnerability-heatmap.tsx      # Category × severity heatmap
│   ├── regression-runner.tsx          # Baseline regression testing
│   ├── scoring-config.tsx             # Custom scoring rubrics
│   └── ui/                            # shadcn/ui components
└── lib/
    ├── store.ts                       # Zustand store (persisted)
    ├── types.ts                       # TypeScript interfaces
    ├── llm-client.ts                  # Multi-provider LLM client
    ├── analysis.ts                    # Context-aware heuristic engine
    ├── adaptive.ts                    # Weakness analysis + follow-ups
    ├── scoring.ts                     # Custom scoring rubric engine
    ├── chains.ts                      # Attack chain definitions
    ├── variants.ts                    # 20 payload transforms
    ├── export.ts                      # Structured data export (JSON/CSV/SARIF)
    ├── persistence.ts                 # Session export/import
    ├── auth.ts                        # Auth logic (HMAC sessions, credential validation)
    ├── use-auth.ts                    # React hook for auth status
    ├── rate-limit.ts                  # Sliding window rate limiter
    ├── uuid.ts                        # ID generation utility
    └── attacks/
        ├── index.ts                   # Payload aggregation + queries
        ├── injection.ts               # 40 prompt injection payloads
        ├── jailbreak.ts               # 41 jailbreak payloads (matches the category table and the 222 total)
        ├── extraction.ts              # 40 data extraction payloads
        ├── bypass.ts                  # 40 guardrail bypass payloads
        ├── tool-abuse.ts              # 22 tool abuse payloads
        ├── multi-turn.ts              # 21 multi-turn escalation chains
        └── encoding.ts                # 18 encoding bypass payloads
```
Auth is opt-in via environment variables. When PINCER_USERNAME and PINCER_PASSWORD are both set, all routes are protected by session-based auth with HMAC-signed cookies.

```bash
# .env or .env.local
PINCER_USERNAME=admin
PINCER_PASSWORD=your-secure-password
```

Set PINCER_AUTH_DISABLED=true to explicitly disable auth even when credentials are set. See .env.example. With auth disabled, every API route is open to anyone who can reach the server, including /api/keys and the attack routes that spend the API keys stored in the vault, so run it that way only on a host that is not reachable from an untrusted network.
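What "HMAC-signed cookie" buys you is that the server can hand the client a session it does not have to store, and still detect any edit to it. The following is an added example written for this page, not RedPincer's auth.ts: the token layout (base64url JSON payload, a dot, then base64url HMAC-SHA256 over the payload), the cookie name `pincer_session`, and the demo secret are all assumptions made for the illustration.

```typescript
// Added example (not RedPincer's auth.ts). Assumed token layout:
//   "<base64url(JSON session)>.<base64url(HMAC-SHA256(payload, secret))>"
import { createHmac, timingSafeEqual } from "node:crypto";

export interface Session {
  sub: string; // username
  exp: number; // expiry, unix seconds
}

function hmac(data: string, secret: string): Buffer {
  return createHmac("sha256", secret).update(data).digest();
}

/** Build the signed token value that goes into the cookie. */
export function issueSession(session: Session, secret: string): string {
  const payload = Buffer.from(JSON.stringify(session), "utf8").toString("base64url");
  return `${payload}.${hmac(payload, secret).toString("base64url")}`;
}

/** Returns the session if the token is authentic and unexpired, otherwise null. */
export function verifySession(
  token: string,
  secret: string,
  nowSec: number = Math.floor(Date.now() / 1000),
): Session | null {
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const [payload, sig] = parts;
  const expected = hmac(payload, secret);
  const given = Buffer.from(sig, "base64url");
  // Check lengths first: timingSafeEqual throws on mismatched lengths.
  // Constant-time compare so a forger cannot learn the MAC byte by byte.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  // Only parse the payload after the MAC checks out; never trust it before.
  let parsed: unknown;
  try {
    parsed = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch (e) {
    return null;
  }
  if (typeof parsed !== "object" || parsed === null) return null;
  const s = parsed as Partial<Session>;
  if (typeof s.sub !== "string" || typeof s.exp !== "number") return null;
  if (s.exp <= nowSec) return null; // valid signature, but expired
  return { sub: s.sub, exp: s.exp };
}

/** Set-Cookie value with the attributes a session cookie should carry (cookie name assumed). */
export function sessionCookieHeader(token: string, maxAgeSec: number): string {
  return `pincer_session=${token}; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=${maxAgeSec}`;
}

// Constructed demonstration values; the secret is a placeholder, not a real credential.
export const DEMO_SECRET = "replace-with-a-long-random-secret";
export const DEMO_NOW = 1_700_000_000;
export const demoToken = issueSession({ sub: "admin", exp: DEMO_NOW + 3600 }, DEMO_SECRET);
```

The order of checks matters: the signature is verified before the payload is parsed, the comparison is constant-time, and expiry is enforced server-side from the signed `exp` rather than from the cookie's Max-Age, which the client controls.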
All API routes are rate-limited via an in-memory sliding window (always active, resets on restart). Because the counters live in process memory, the limits are per process: they are not shared across replicas and do not survive a restart.

| Tier | Routes | Limit |
|---|---|---|
| auth | /api/auth/* | 5 req / 60s |
| attack | /api/attack, /api/chain, /api/generate-adaptive | 10 req / 60s |
| api | All other /api/* | 30 req / 60s |

Rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, Retry-After) are included on all API responses.
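A sliding window differs from a fixed window in that a request is judged against the hits in the trailing 60 seconds, so a burst at 0:59 and another at 1:01 cannot both pass. The following is an added example written for this page, not RedPincer's rate-limit.ts; it uses the three tiers from the table above, keys limits by an assumed per-client string (such as a client IP), and assumes X-RateLimit-Reset is expressed as a unix timestamp in seconds.

```typescript
// Added example (not RedPincer's rate-limit.ts): in-memory sliding-window
// limiter for the tiers in the table above. The client key and the meaning
// of X-RateLimit-Reset (unix seconds when the oldest hit leaves the window)
// are assumptions made for this example.

interface Tier {
  name: string;
  limit: number;
  windowMs: number;
}

const TIERS: Tier[] = [
  { name: "auth", limit: 5, windowMs: 60_000 },
  { name: "attack", limit: 10, windowMs: 60_000 },
  { name: "api", limit: 30, windowMs: 60_000 },
];

/** Map a request path to its tier, following the table above. */
export function tierFor(pathname: string): Tier {
  if (pathname.startsWith("/api/auth/")) return TIERS[0];
  if (["/api/attack", "/api/chain", "/api/generate-adaptive"].includes(pathname)) return TIERS[1];
  return TIERS[2];
}

export interface Decision {
  allowed: boolean;
  headers: Record<string, string>;
}

export class SlidingWindowLimiter {
  // "<tier>:<clientKey>" -> timestamps (ms) of requests still inside the window
  private hits = new Map<string, number[]>();

  check(clientKey: string, pathname: string, now: number = Date.now()): Decision {
    const tier = tierFor(pathname);
    const key = `${tier.name}:${clientKey}`;
    const windowStart = now - tier.windowMs;
    // Drop timestamps that have slid out of the trailing window.
    const recent = (this.hits.get(key) ?? []).filter((t) => t > windowStart);
    const allowed = recent.length < tier.limit;
    if (allowed) recent.push(now); // rejected requests do not consume a slot
    this.hits.set(key, recent);

    // A slot frees when the oldest in-window hit expires.
    const resetAt = recent.length ? recent[0] + tier.windowMs : now;
    const headers: Record<string, string> = {
      "X-RateLimit-Limit": String(tier.limit),
      "X-RateLimit-Remaining": String(Math.max(0, tier.limit - recent.length)),
      "X-RateLimit-Reset": String(Math.ceil(resetAt / 1000)),
    };
    if (!allowed) {
      headers["Retry-After"] = String(Math.max(1, Math.ceil((resetAt - now) / 1000)));
    }
    return { allowed, headers };
  }
}
```

Two deployment notes follow from the design: the per-key timestamp arrays grow with traffic, so a production limiter should also expire idle keys, and the client key must come from a source the attacker cannot set (the socket peer address, or X-Forwarded-For only when a trusted reverse proxy overwrites it).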
```bash
npm test              # Single run (Vitest + jsdom)
npm run test:watch    # Watch mode
npm run test:coverage # With coverage report
```

| Layer | Technology |
|---|---|
| Framework | Next.js 16 (App Router + Turbopack) |
| UI | React 19 + Tailwind CSS 4 + shadcn/ui |
| Language | TypeScript (strict mode) |
| State | Zustand 5 with persist middleware |
| Icons | Lucide React |
| Toasts | Sonner |
| Theme | Dark mode with custom OKLCH color tokens |
MIT — see LICENSE file for details.
Built for authorized AI security research and red teaming.
🦞 RedPincer — crack open those guardrails