OpenAI acquires Promptfoo to secure AI agents

Promptfoo tools are already used across the Fortune 500; autonomy creates demand for monitoring and red-teaming

OpenAI buys Promptfoo to secure AI agents. The company says automated red-teaming will be built into its enterprise platform, as a new market forms around guarding systems that act on their own.

OpenAI said Monday it is acquiring Promptfoo, a two-year-old security startup whose tools test large language models for vulnerabilities and adversarial manipulation, according to TechCrunch. The technology will be integrated into OpenAI Frontier, the company’s enterprise offering for “agentic” systems that can carry out tasks across digital workflows.

Promptfoo, founded in 2024 by Ian Webster and Michael D’Angelo, sells an open-source testing interface and library used by more than a quarter of Fortune 500 companies, TechCrunch reports. The startup has raised $23 million and was valued at $86 million after a July 2025 round, according to Pitchbook figures cited by the outlet; OpenAI did not disclose the purchase price. OpenAI says Promptfoo will enable automated red-teaming of agent workflows, continuous monitoring for risk and compliance, and security evaluation of agentic behaviour—an admission that the new product category expands the attack surface.

The timing matches a broader shift: software is being sold not just as a tool but as an operator. As agents gain permissions—email, calendars, files, payment rails, internal dashboards—mistakes and prompt-injection attacks stop being embarrassing chat outputs and become actions that move money, leak data, or change records. The security pitch therefore changes from “filter harmful content” to “prove the system didn’t do something it shouldn’t,” which is closer to audit, logging, and incident response than to traditional AI safety rhetoric.

In parallel, social media infrastructure is moving in the opposite direction: away from a single operator and toward modular hosting. Berlin-based startup Periwinkle is building a managed service that lets users run a Bluesky-compatible identity and data store on their own domain using the AT Protocol, TechCrunch reports. Instead of trusting a platform to hold posts, follows and profiles, users can place that data on a Personal Data Server (PDS) that Periwinkle updates, backs up and monitors. Plans start at $4 per month, with larger tiers and enterprise offerings, and a free trial tier.

Together, the two developments point to the same bottleneck: control shifts to whoever runs the infrastructure that makes autonomy practical. For AI agents, the constraint is security validation and monitoring that enterprises can show to regulators, customers and insurers. For decentralised social systems, the constraint is managed hosting that turns “you can self-host” into “you actually will.” Both create recurring revenue streams around compliance, uptime guarantees and risk transfer—services that become more valuable as the underlying systems become harder for ordinary users, and even ordinary companies, to understand.

OpenAI is buying the tool that checks its agents’ behaviour, while Periwinkle is selling the service that keeps users’ social identities online. In both cases, the promise of autonomy still ends with someone else running the dashboards.