Skip to content
Home AI Security Tools Augustus
Augustus

Augustus

NEW
Category: AI Security
License: open-source
GitHub (172★)
Visit Website →
Suphi Cankurt
Suphi Cankurt
AppSec Enthusiast
Updated April 3, 2026
5 min read
Key Takeaways
  • Open-source LLM vulnerability scanner from Praetorian with 210+ adversarial probes across 47 attack categories, covering jailbreaks, prompt injection, data extraction, and format exploits.
  • Ships as a single Go binary with zero runtime dependencies — concurrent scanning via goroutine pools, rate limiting, retry logic, and timeout handling built in.
  • Supports 28 LLM provider categories including OpenAI, Anthropic, Azure, AWS Bedrock, Google Vertex AI, Cohere, Ollama, and custom REST endpoints.
  • 90+ detection mechanisms including pattern matching, LLM-as-a-judge evaluation, HarmJudge, and Perspective API integration.
  • Part of Praetorian's 'The 12 Caesars' open-source security release campaign. Apache 2.0 licensed.

Augustus is an open-source LLM vulnerability scanner built in Go by Praetorian that tests large language models against 210+ adversarial probes across 47 attack categories, including jailbreaks, prompt injection, data extraction, and RAG poisoning. It ships as a single binary with zero runtime dependencies and connects to 28 LLM providers out of the box. It is listed in the AI security category.

OWASP ranks prompt injection as the number one security risk in LLM applications, yet most organizations deploy LLMs into production with minimal adversarial testing. Augustus addresses this gap with a production-grade scanning framework that goes beyond research-oriented tools to deliver concurrent scanning, rate limiting, retry logic, and actionable vulnerability reports.

The scanner is part of Praetorian’s “The 12 Caesars” open-source security release campaign and is licensed under Apache 2.0.

What is Augustus?

Augustus operates through a five-stage pipeline: probe selection defines adversarial inputs, buff transformations apply optional evasion layers, generators send requests to target LLMs, detectors analyze responses, and a scoring engine records findings. This modular architecture lets security teams mix and match probes, transformations, and detectors to build custom scan profiles.

Unlike research-focused tools that prioritize breadth of academic coverage, Augustus targets production security testing. It handles concurrency through Go goroutine pools, includes built-in rate limiting to avoid API quota exhaustion, and supports proxy integration with tools like Burp Suite for interception and analysis.

210+ Adversarial Probes
Covers 47 attack categories including jailbreaks (DAN, AIM, ArtPrompt), prompt injection (encoding, tag smuggling), multi-turn attacks (Crescendo, GOAT, Hydra), data extraction, RAG poisoning, and format exploits.
28 LLM Providers
Connects to OpenAI, Anthropic, Azure, Bedrock, Vertex AI, Cohere, Replicate, HuggingFace, Together AI, Groq, Mistral, NVIDIA NIM, Ollama, and any OpenAI-compatible REST endpoint.
Single Go Binary
Zero runtime dependencies — just download and run. Built-in concurrent scanning, rate limiting, retry logic, and timeout handling for production environments.

Key Features

FeatureDetails
Probe Coverage210+ probes across 47 attack categories
Providers28 provider categories, 43 generator variants
Detectors90+ detection mechanisms (pattern matching, LLM-as-judge, HarmJudge, Perspective API)
Buff Transformations7 evasion techniques: Base64, character codes, paraphrase, poetry, translation, lowercase
Multi-Turn AttacksCrescendo (gradual escalation), GOAT (adaptive technique switching), Hydra (backtracking), Mischievous User
Output FormatsTable, JSON, JSONL, and HTML reports
Proxy SupportBurp Suite integration for request interception
ConcurrencyGoroutine pools with configurable parallelism
LanguageGo (compiles to single portable binary)
LicenseApache 2.0

Attack Categories

Augustus organizes its 210+ probes into distinct attack categories that target different weaknesses in LLM safety mechanisms:

CategoryExamples
JailbreaksDAN variants, AIM, AntiGPT, grandma exploits, ArtPrompt (ASCII art obfuscation)
Prompt InjectionBase64, ROT13, Morse code, hex encoding, tag smuggling, FlipAttack (16 variants)
Adversarial ExamplesGCG, AutoDAN, PAIR, TAP, TreeSearch — iterative attacks using multi-turn conversations and judge-based scoring
Data ExtractionAPI key probes, package hallucination tests, PII leakage detection, training data replay
Context ManipulationRAG poisoning, context overflow, conversation steering
Format ExploitsMarkdown injection, YAML/JSON parsing attacks, ANSI escape sequences, XSS payloads
EvasionObscurePrompt, character substitution, homoglyphs, zero-width characters, glitch tokens
Safety BenchmarksDoNotAnswer, RealToxicityPrompts, Snowball, LMRC

Buff Transformations

Buffs are evasion layers applied to probes before they reach the target model. Augustus includes 7 transformation types that can be chained for layered evasion:

  • Base64 and character code encoding — Obfuscates payloads to bypass text-based filters
  • Pegasus paraphrase — Uses a paraphrase model to rephrase attack prompts while preserving intent
  • Poetry formatting — Wraps payloads in haiku, sonnet, limerick, or free verse structures
  • Low-resource language translation — Translates probes via DeepL into languages with weaker safety training
  • Case transformation — Lowercase conversion to evade case-sensitive filters

Detection Methods

Augustus ships with 90+ detectors for evaluating whether a target model was successfully compromised:

  • Pattern matching — Regex-based detection for known jailbreak indicators
  • LLM-as-a-judge — Uses a separate LLM to evaluate whether the target’s response constitutes a successful attack
  • HarmJudge — Semantic harm assessment aligned with the MLCommons AILuminate framework
  • Perspective API — Google’s toxicity and threat scoring integration
  • Unsafe content detection — Classification of harmful, biased, or policy-violating outputs

Multi-turn attack engines

Augustus includes four specialized multi-turn attack engines that conduct extended conversations with the target LLM:

  • Crescendo — Gradual escalation over 10 turns, slowly building toward harmful content
  • GOAT — Aggressive 7-technique strategy switching with Chain-of-Attack-Thought reasoning
  • Hydra — Single-path with turn-level backtracking on refusal detection
  • Mischievous User — Casual persona over 5 turns, designed to evade detection patterns

Advanced CLI options

Augustus supports fine-grained control over scan execution:

  • --concurrency 20 — Configurable goroutine pools for parallel scanning
  • --timeout 60m — Extended timeouts for iterative multi-turn probes
  • --buffs-glob "encoding.*" — Chain multiple buff transformations
  • --probes-glob "dan.*,goodside.*" — Pattern-based probe selection
  • --format jsonl — Streaming output for pipeline integration
  • --config '{...}' — Custom REST endpoint configuration for any OpenAI-compatible API

Getting Started

1
Install Augustus — Install via Go: go install github.com/praetorian-inc/augustus/cmd/augustus@latest. Requires Go 1.25.3 or later. Compiles to a single binary with no additional dependencies. Alternatively, build from source with git clone && make build.
2
Configure API keys — Set environment variables for your target LLM provider. For example: export OPENAI_API_KEY="sk-..." for OpenAI, export ANTHROPIC_API_KEY="..." for Anthropic, or configure custom REST endpoints.
3
Run a targeted scan — Test a specific attack against a model: augustus scan openai.OpenAI --probe dan.Dan_11_0 --detector dan.DAN --verbose. This runs a single DAN jailbreak probe and checks the response.
4
Run a full scan with buffs — Execute all probes with evasion layers and an HTML report: augustus scan anthropic.Anthropic --all --buff encoding.Base64 --html report.html. This applies Base64 encoding to all probes.
5
Review the report — Examine the HTML or JSON output for successful attacks. Each finding includes the probe used, the buff transformation applied, the detector that flagged it, and the full prompt-response pair.

When to Use Augustus

Augustus is built for security professionals who need to test LLM deployments against real adversarial attacks in a production context. The single Go binary with built-in concurrency, rate limiting, and proxy support makes it practical for enterprise security teams, red teamers, and penetration testers.

It is particularly useful for pre-deployment security assessments (test before you ship), guardrail regression testing (verify fixes after model or prompt updates), red team exercises (systematic adversarial testing against deployed LLMs), and compliance validation (prove that LLM deployments were tested against known attack categories).

Best for
Security teams and penetration testers who need a production-grade LLM vulnerability scanner with broad attack coverage, concurrent scanning, and actionable reports. The single Go binary and 28-provider support make it practical for enterprise environments where deploying Python-based tools is impractical.

How Augustus Compares

Augustus fills a production-focused role among AI security tools. Compared to Garak, which is Python-based with deeper research coverage and a larger community, Augustus offers faster execution, lower memory footprint, and single-binary distribution. For mutation-based jailbreak fuzzing specifically, see FuzzyAI. For a broader evaluation framework that combines red teaming with prompt testing, look at Promptfoo. For Microsoft’s enterprise red teaming orchestrator, check PyRIT.

For runtime protection rather than pre-deployment scanning, consider Lakera Guard, LLM Guard, or NeMo Guardrails.

For a broader overview of AI security tools, see the AI security tools category page.

Frequently Asked Questions

What is Augustus?
Augustus is an open-source LLM vulnerability scanner built in Go by Praetorian. It tests large language models against 210+ adversarial probes across 47 attack categories, covering jailbreaks, prompt injection, data extraction, context manipulation, format exploits, and more. It ships as a single binary with built-in concurrency and rate limiting for production security testing.
Is Augustus free to use?
Yes. Augustus is free and open-source under the Apache 2.0 license, available on GitHub at github.com/praetorian-inc/augustus. You need API keys for the target LLM providers you test, but the scanner itself is free. It is part of Praetorian’s ‘The 12 Caesars’ open-source security tool release campaign.
How does Augustus compare to Garak?
Both are open-source LLM security scanners, but they differ in architecture and emphasis. Augustus is written in Go, ships as a single binary, and emphasizes production-grade scanning with native concurrency via goroutine pools. Garak is Python-based with deeper probe coverage in specific research areas. Augustus has 210+ probes across 47 categories with 7 buff transformations; Garak has 160+ probes with a broader set of published research backing. Augustus is faster with lower memory footprint; Garak has a larger community.
What LLM providers does Augustus support?
Augustus supports 28 provider categories with 43 generator variants: OpenAI (including o1/o3 models), Anthropic Claude, Azure OpenAI, AWS Bedrock, Google Vertex AI, Cohere, Replicate, HuggingFace, Together AI, Groq, Mistral, Fireworks, DeepInfra, NVIDIA NIM/NeMo, Ollama, LiteLLM, and custom REST endpoints supporting OpenAI-compatible APIs.
What attack types does Augustus cover?
Augustus covers jailbreaks (DAN, AIM, AntiGPT, ArtPrompt, grandma exploits), prompt injection (Base64, ROT13, Morse code, hex, tag smuggling, FlipAttack), adversarial examples (GCG, AutoDAN, PAIR, TAP, TreeSearch), multi-turn attacks (Crescendo, GOAT, Hydra), data extraction (API key probes, PII leakage, training data replay), RAG poisoning, format exploits (Markdown injection, YAML/JSON parsing), and safety benchmarks (DoNotAnswer, RealToxicityPrompts).
How we review tools Suggest an edit

Other AI Security Tools

7AI
7AI

AI SOC Agents with Dynamic Reasoning

Agentic Radar
Agentic Radar

Security Scanner for LLM Agentic Workflows

Akto
Akto

AI Agent & MCP Security Platform

Alter
Alter

Zero-Trust Access Control for AI Agents (YC S25)

Arize AI
Arize AI

OpenTelemetry-based AI observability with open-source Phoenix

Adversarial Robustness Toolbox (ART)
Adversarial Robustness Toolbox (ART)

IBM's ML security library for adversarial attacks and defenses

See all AI Security tools

Complement with SAST

Pair AI security with static analysis for broader coverage.

Bandit
Bandit

Open-Source Python Scanner

BE
Betterleaks

Gitleaks successor with secrets validation

See all SAST tools

Learn More

Vibe Coding Security AI-Generated Code Security LLM Red Teaming Prompt Injection Attacks What is AI Security?

Explore all AI Security guides and tools