LangWatch launches open-source tool for AI red-teaming
LangWatch has launched LangWatch Scenario, an open-source framework for automated red-teaming and AI penetration testing aimed at organisations running AI applications in production.
The Amsterdam-based software company says the framework tests AI agents, including customer service bots and data analytics tools, against attacks that standard testing methods can miss. It is aimed at sectors such as banking, insurance and software, where AI systems may handle sensitive data or interact with critical business processes.
Rather than relying on a single prompt or one-off penetration test, LangWatch Scenario simulates multi-turn attacks. The approach is intended to reflect how attackers gradually build trust with an AI system over a longer exchange before trying to extract information or trigger unsafe behaviour.
The framework runs a sequence of scenarios, starting with low-risk interactions and moving to more complex requests and authority-based prompts. A second model evaluates how the exchange is developing and adjusts the attack path during the test.
According to LangWatch, this method can expose hidden or invisible risks in AI applications. These weaknesses may not appear in conventional tests because the model only fails after several rounds of conversation.
Rogerio Chaves, Co-founder and Chief Technology Officer at LangWatch, said the company is trying to address that gap. "An AI agent that rejects every single prompt gives you a false sense of security. In practice, cybercriminals do not work with a single direct question. They have dozens of relaxed conversations, build trust, and when the agent is in a cooperative mode after twenty turns, a request that would have been rejected in turn one suddenly becomes no problem at all," he said.
Testing method
Scenario uses what LangWatch calls the Crescendo strategy, a four-phase escalation process. It begins with exploratory conversation, moves through hypothetical questions and authority-based claims such as compliance checks, and ends with direct pressure on the target system.
At each stage, the framework assesses whether the AI agent is becoming more susceptible to disclosure or unsafe action. LangWatch says this structure is intended to give development teams a clearer picture of where an application becomes vulnerable in practice.
The software can be integrated into existing development and continuous integration workflows, allowing teams to run repeated tests as they update models, prompts and product features rather than treating security review as a one-off exercise.
The launch comes as companies face greater scrutiny over the risks linked to AI systems. Much of the public discussion has focused on visible issues such as deepfakes, disinformation and privacy, but LangWatch argues that a separate problem lies within the AI applications businesses build for their own operations.
These systems can include internal assistants, customer-facing chatbots and analytics agents with access to company data. Because they are tailored to specific tasks and connected to business systems, they can create openings that generic model testing may not identify.
Customer base
LangWatch says companies including Backbase, Buy It Direct, Ask Vinny, Visma, Skai and PagBank already use its broader platform and are extending that use to automated red-team testing. It did not disclose commercial terms or customer deployment figures for the new framework.
Scenario is being released as open-source software, a move that could broaden its use among internal engineering teams and external security researchers. Open-source distribution may also allow organisations to inspect, adapt and extend the testing approach for their own AI environments.
Manouk Draisma, Co-founder and Chief Executive Officer at LangWatch, said the risk is not limited to dramatic one-off breaches. "It is rarely about a single spectacular hack. It is about patience and context. A cybercriminal who interacts calmly and systematically with an AI agent for twenty minutes can extract sensitive information that a direct attack would never reveal. LangWatch Red-Teaming makes these hidden risks visible before damage occurs," she said.