What is static analysis for AI agents?

Static analysis for AI agents examines agent code and configuration without executing it, detecting logic flaws like infinite loops, prompt injection paths, and missing guardrails. Unlike runtime monitoring or observability, static analysis catches issues before deployment—acting as a pre-flight check for your agents.

What is agent readiness?

Agent readiness refers to verifying that AI agents are production-ready before deployment. This includes checking for logic flaws (infinite loops, recursion risks), security issues (prompt injection, unconstrained tools), and compliance requirements. Inkog provides the pre-flight check that answers: is this agent ready to ship?

How does Inkog detect infinite loops in AI agents?

Inkog uses static analysis to trace control flow through your agent code, identifying cycles and recursion patterns that could cause infinite loops. It detects missing exit conditions, unbounded retries, and circular tool chains—before you ship to production.

How does Inkog detect prompt injection?

Inkog uses static analysis to trace data flow from user inputs to LLM prompts, identifying injection points where untrusted data enters prompt templates without proper sanitization. It detects both direct and indirect prompt injection patterns in LangChain, CrewAI, and other frameworks.

What AI agent frameworks does Inkog support?

Inkog supports 15+ AI agent frameworks including LangChain, LangGraph, CrewAI, AutoGen, PydanticAI, Google ADK, OpenAI Agents, and visual builders like n8n, Flowise, and Langflow. One scanner works across all frameworks.

What is MCP server auditing?

MCP (Model Context Protocol) server auditing examines the tools and servers that provide capabilities to AI agents. Inkog scans MCP servers for logic flaws, missing authorization checks, and security risks before you install them—ensuring your agent's tools are production-ready.

Is Inkog compliant with EU AI Act?

Yes, Inkog generates compliance reports aligned with EU AI Act requirements including Article 14 (human oversight), Article 15 (accuracy and robustness), and Article 12 (record-keeping). It also maps findings to NIST AI RMF and OWASP LLM Top 10.

How is Inkog different from observability tools?

Observability tools like LangSmith monitor agents after deployment, showing you what went wrong. Inkog is a pre-flight check—it finds logic flaws before you ship. We're pre-commit, not post-mortem. We're complementary to observability, not a replacement.

How is Inkog different from guardrails?

Guardrails add runtime checks that can block or modify agent behavior in production. Inkog analyzes your code statically—we fix the code itself, not add runtime overhead. We help you ship agents that don't need guardrails to catch infinite loops.

Back to Labs

Security

Mar 10, 20268 min read

Promptfoo Alternative: What the OpenAI Acquisition Means for AI Agent Security

OpenAI acquired Promptfoo. What changes for teams that need vendor-independent AI agent security, and how static analysis fills the gaps eval frameworks leave open.

Inkog TeamSecurity Research

On March 9, 2026, OpenAI acquired Promptfoo — the open-source eval and red-teaming framework with 11.5K GitHub stars and 248 contributors. The deal reportedly valued Promptfoo at ~$86M.

This is a market validation event. OpenAI spending that kind of money on AI security tooling means the category is real, the demand is growing, and teams are actively looking for solutions.

That's good for everyone building in this space — including us.

What Promptfoo Does Well

Credit where it's due. Promptfoo built an excellent tool for testing LLM outputs:

Eval suites that run prompts against models and measure response quality
Red-team generation that creates adversarial inputs to test model robustness
Model comparison across providers (OpenAI, Anthropic, open-source)
A strong community — 248 contributors and thousands of production deployments

If you need to test what your model says, Promptfoo is a proven choice. The 11.5K stars were earned.

What the Acquisition Means

Three things are now true:

The category is validated. OpenAI investing in AI security tooling at this price signals that this is a real, growing market — not a niche.
Promptfoo is now part of OpenAI Frontier. The open-source project continues under MIT license, but the development roadmap will align with OpenAI's priorities. Teams using non-OpenAI providers should consider what that means long-term.
Teams want options. Vendor-independent, comprehensive security tooling is now a real buying criteria — especially for organizations running multi-provider architectures.

The Distinction: Model Testing vs Agent Security

This is the key difference, and it matters more than any feature comparison:

Promptfoo tests what the model outputs. It evaluates responses — are they accurate? Consistent? Resistant to adversarial prompts?

Inkog secures what the agent does. It analyzes and attacks agent logic — architecture, tool interactions, data flows, delegation chains, runtime behavior, and compliance posture.

These are different layers of the stack:

| Layer | What's tested | Tool | |---|---|---| | Model output | Response quality, adversarial robustness | Promptfoo (evals) | | Agent logic | Architecture, tool chains, data flows, oversight | Inkog (security platform) | | Runtime behavior | Live prompt filtering, guardrails | Lakera, Invariant Labs |

An eval framework can tell you the model produced SQL in response to a prompt. It can't tell you that user input flows through three files and reaches cursor.execute() unsanitized.

What Agent-Level Security Catches

Agent vulnerabilities exist in the logic layer — between the model and the real world. These aren't model output problems. They're architectural problems:

Infinite loops and resource exhaustion. An agent calls a tool, which triggers the agent again, which calls the tool again. No eval catches this — it requires tracing the control flow graph.

Tainted data flows. User input flows through an LLM call, into a tool parameter, through a database query, across file boundaries. Inkog traces these paths across hundreds of files with cross-file taint tracking.

python

# File: api/routes.py
user_query = request.json["query"]
result = agent.process(user_query)

# File: agents/processor.py (different module)
def process(self, query):
    sql = f"SELECT * FROM docs WHERE content LIKE '%{query}%'"
    return self.db.execute(sql)
    # ^^^ SQL injection — user input reaches execute() unsanitized
    # Visible only with cross-file data flow analysis

MCP tool poisoning. A tool description contains hidden instructions that redirect the agent's behavior. Inkog audits MCP server configurations for privilege escalation and description manipulation.

Missing oversight on destructive operations. An agent can delete files, send emails, or execute financial transactions with no human approval step. Inkog detects missing oversight by analyzing the agent architecture.

Multi-agent delegation cycles. Agent A delegates to Agent B, which delegates back to Agent A. No eval catches circular delegation — it requires analyzing the delegation graph.

These are agent problems, not model problems. Testing model outputs won't find them.

Inkog's Approach: Analyze, Then Attack

Inkog is a full AI agent security platform with three layers:

Static analysis — Scans source code without executing it. Traces data flows, maps agent architecture, detects structural vulnerabilities across 15+ frameworks.
Semantic analysis — Understands agent purpose, maps tool interactions, explains why findings matter in the context of what the agent is designed to do.
Dynamic testing — Attacks the agent to find vulnerabilities that static analysis alone can't surface. Tests runtime behavior, not just code structure.

All three layers work together. The static analysis maps the architecture. The semantic analysis provides context. The dynamic testing validates the findings.

Results map to EU AI Act, NIST AI RMF, and OWASP LLM Top 10 — structured SARIF output that integrates with GitHub Security, CI/CD pipelines, and compliance workflows.

Vendor Independence Matters

Promptfoo is now part of OpenAI. The open-source project continues, but the product roadmap will align with OpenAI's platform strategy.

Inkog is vendor-independent:

Works with any LLM provider (OpenAI, Anthropic, open-source, Azure, Google)
Analyzes agent code regardless of which model it calls
Apache 2.0 licensed, independently maintained
No model API access required — Inkog scans code, not model responses

For teams running multi-provider architectures, or teams that want their security tooling independent of their model provider, this distinction matters.

Getting Started

Inkog is free, open source, and takes 30 seconds:

bash

npx @inkog-io/cli scan .

For EU AI Act compliance:

bash

npx @inkog-io/cli scan . --policy eu-ai-act

For CI/CD integration:

yaml

- uses: inkog-io/inkog@v1
  with:
    path: .
    severity: high

Different Tools for Different Layers

The Promptfoo acquisition validates that AI security is a real market. Teams need real tools — not just model testing, but comprehensive agent security.

Promptfoo tests what the model says. Inkog secures what the agent does. They're different scopes, different depths, and different layers of the stack.

If you need vendor-independent, comprehensive AI agent security — architecture analysis, dynamic testing, data flow tracing, MCP auditing, compliance reporting — see how Inkog compares to Promptfoo.