
How to use Microsoft's open-source PyRIT library to red-team an Azure OpenAI model live.


ritwickmicrosoft/pyrit-demo


🎯 PyRIT Red-Team Demo

Red-team your Azure OpenAI models in 10 minutes
Interactive notebook · One-command HTML report · Live attack dashboard

PyRIT Azure OpenAI AI Foundry MIT License


🚀 What Is This?

A hands-on demo of PyRIT (Python Risk Identification Tool), Microsoft's open-source framework for finding safety vulnerabilities in LLMs before bad actors do.

This repo gives you three ways to red-team your AI:

| Tool | What it does | How to run |
|---|---|---|
| 📓 Interactive Notebook | Walk through 5 attack demos step-by-step | PyRIT_Demo.ipynb |
| 📊 Static HTML Report | Run 8 automated tests → beautiful HTML report | python run_red_team.py |
| ⚡ Live Dashboard | Real-time web app to fire attacks interactively | python live_dashboard.py |

🎬 Demo Lineup

📓 Notebook Demos

| # | Demo | Technique | What you'll see |
|---|---|---|---|
| 1 | 🎭 Nice Try! | Direct prompt | Model refuses a harmful request |
| 2 | 🕵️ Speak in Code | Base64 encoding | Prompt disguised as encoded text |
| 3 | ⚖️ The AI Judge | Auto-scoring | Second LLM grades the response |
| 4 | 🔓 Jailbreak Showdown | DAN template | Famous jailbreak vs. guardrails |
| 5 | 🤖⚔️🤖 AI vs AI | Multi-turn red teaming | Attacker LLM battles target LLM over 3 turns |

📊 Static Report (8 Tests)

| Test | Technique |
|---|---|
| T1 | Direct harmful prompt |
| T2 | Base64-encoded prompt |
| T3 | Character swap obfuscation |
| T4 | AI-scored evaluation |
| T5-T6 | DAN jailbreak (2 prompts) |
| T7 | Refusal detection |
| T8 | AI vs AI (multi-turn red teaming) |

⚡ Live Dashboard Features

  • 7 attack techniques: Direct, Base64, CharSwap, AI-Scored, DAN Jailbreak, AI vs AI (Multi-Turn), Image+Text
  • 4 models: GPT-4o, GPT-5-mini, o4-mini, Phi-4 Multimodal
  • Image upload: Test multimodal attacks with text + image
  • Real-time results: Auto-updating cards with BLOCKED/BYPASSED status
  • Stats bar: Live counters for total, blocked, bypassed, and running tests
  • Keyboard shortcut: Ctrl+Enter to fire

📋 Prerequisites

  • Python 3.10 – 3.13 (PyRIT does not support 3.14+)
  • Azure subscription with:
    • Azure OpenAI resource with model deployments
    • (Optional) Azure AI Foundry project for Phi-4 models
  • Azure CLI logged in: az login
  • RBAC role: Cognitive Services OpenAI User on your Azure OpenAI resource

Assign the RBAC Role

# Get your user object ID
USER_ID=$(az ad signed-in-user show --query id -o tsv)

# Assign the role (replace with your resource ID)
az role assignment create \
  --assignee "$USER_ID" \
  --role "Cognitive Services OpenAI User" \
  --scope "/subscriptions/<SUB_ID>/resourceGroups/<RG>/providers/Microsoft.CognitiveServices/accounts/<AOAI_NAME>"

⚙️ Setup

1. Clone the repo

git clone https://github.com/ritwickmicrosoft/pyrit-demo.git
cd pyrit-demo

2. Create a virtual environment

python -m venv .venv

# Windows
.venv\Scripts\activate

# macOS/Linux
source .venv/bin/activate

3. Install dependencies

pip install pyrit fastapi uvicorn python-multipart

4. Configure endpoints

Edit the top of live_dashboard.py and run_red_team.py with your Azure OpenAI endpoint:

AOAI_ENDPOINT = "https://<your-resource>.openai.azure.com/openai/v1"

For the notebook, update ENDPOINT in the setup cell.


🏃 Quick Start

Option 1: Interactive Notebook

jupyter notebook PyRIT_Demo.ipynb

Run cells sequentially; each demo takes ~30 seconds.

Option 2: One-Command HTML Report

python run_red_team.py

Generates red_team_report.html and auto-opens it in your browser. 7 tests, ~2 minutes.

Option 3: Live Dashboard

python live_dashboard.py

Open http://localhost:8765, then type prompts, pick models, fire attacks, and watch results live.


🏗️ Architecture

┌──────────────────────────────────────────────────────────┐
│                     Your Prompts                         │
│          (text, Base64, CharSwap, jailbreak)             │
└──────────────────────┬───────────────────────────────────┘
                       │
                       ▼
┌──────────────────────────────────────────────────────────┐
│                   PyRIT Framework                        │
│  ┌───────────┐  ┌────────────┐  ┌──────────────────────┐ │
│  │ Converter │→ │   Attack   │→ │      Scorer          │ │
│  │ (Base64,  │  │ (Sending,  │  │ (TrueFalse,          │ │
│  │  CharSwap │  │  Jailbreak)│  │  SelfAsk)            │ │
│  │  ROT13)   │  │            │  │                      │ │
│  └───────────┘  └────────────┘  └──────────────────────┘ │
└──────────────────────┬───────────────────────────────────┘
                       │
                       ▼
┌──────────────────────────────────────────────────────────┐
│              Azure AI Endpoints                          │
│  ┌─────────┐ ┌──────────┐ ┌────────┐ ┌──────────────┐    │
│  │ GPT-4o  │ │GPT-5-mini│ │o4-mini │ │Phi-4 Multimod│    │
│  └─────────┘ └──────────┘ └────────┘ └──────────────┘    │
│       Azure OpenAI              Azure AI Foundry         │
└──────────────────────────────────────────────────────────┘

📁 Project Structure

pyrit-demo/
├── PyRIT_Demo.ipynb      # 📓 Interactive notebook (4 demos)
├── run_red_team.py       # 📊 Static HTML report generator (8 tests)
├── live_dashboard.py     # ⚡ Live web dashboard (FastAPI + uvicorn)
├── PRESENTER_NOTES.md    # 🎤 10-minute talk track
├── uploads/              # 📎 Temp storage for image uploads
└── README.md             # 📖 You are here

🤝 Key Concepts

| Concept | Description |
|---|---|
| Target | The LLM you're testing (GPT-4o, Phi-4, etc.) |
| Attack | Sends prompts to the target (PromptSendingAttack) |
| Converter | Transforms prompts before sending (Base64, CharSwap, ROT13) |
| Scorer | Evaluates if the attack succeeded (SelfAskTrueFalseScorer) |
| Jailbreak | System prompt that tries to bypass safety (TextJailBreak) |

Converters and scorers are composable, so you can mix and match them like LEGO blocks:

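from pyrit.executor.attack import (
    AttackConverterConfig,
    AttackScoringConfig,
    PromptSendingAttack,
)
from pyrit.prompt_converter import Base64Converter, CharSwapConverter
from pyrit.prompt_normalizer import PromptConverterConfiguration
from pyrit.score import SelfAskTrueFalseScorer

# `target` is the prompt target created during setup.
attack = PromptSendingAttack(
    objective_target=target,
    attack_converter_config=AttackConverterConfig(
        request_converters=PromptConverterConfiguration.from_converters(
            converters=[Base64Converter(), CharSwapConverter()]
        )
    ),
    attack_scoring_config=AttackScoringConfig(
        objective_scorer=SelfAskTrueFalseScorer(...)
    ),
)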
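
What chained converters mean for whoever maintains the input filter, as an added example (plain Python; not code from this repo and not PyRIT's API). `to_base64`, `to_rot13`, the `DENYLIST` phrase and both filter functions are hypothetical names constructed for illustration: a literal string check passes a Base64/ROT13-wrapped prompt unless the filter peels the layers first.

```python
import base64
import codecs
import re

# Constructed stand-in for a phrase the input filter is meant to catch.
DENYLIST = ("blocked-test-phrase",)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def to_base64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def to_rot13(text: str) -> str:
    return codecs.encode(text, "rot13")


def apply_converters(text: str, converters) -> str:
    for convert in converters:  # applied in list order
        text = convert(text)
    return text


def decoded_views(text: str, max_depth: int = 3) -> set[str]:
    """Return text plus every ROT13/Base64 decoding reachable in max_depth layers."""
    seen, frontier = {text}, [text]
    for _ in range(max_depth):
        found = []
        for item in frontier:
            views = [codecs.decode(item, "rot13")]
            for run in B64_RUN.findall(item):
                try:
                    views.append(base64.b64decode(run, validate=True).decode("utf-8"))
                except ValueError:
                    continue  # not Base64, or not text once decoded
            found += [v for v in views if v not in seen]
            seen.update(views)
        frontier = found
    return seen


def literal_filter(text: str) -> bool:
    """Weak check: looks only at the prompt exactly as received."""
    return any(term in text.lower() for term in DENYLIST)


def normalising_filter(text: str) -> bool:
    """Hardened check: applies the same rule to every decoded view."""
    return any(literal_filter(view) for view in decoded_views(text))
```

Character-swap perturbation has no canonical inverse, so decoding does not cover it; that case needs a fuzzy or model-based check.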

🔐 Authentication

This demo uses Microsoft Entra ID (RBAC), so no API keys are needed:

from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()
token = credential.get_token("https://cognitiveservices.azure.com/.default").token

Just run az login before starting, and make sure your account has the Cognitive Services OpenAI User role.


📚 Resources


📄 License

This project is licensed under the MIT License. See LICENSE for details.


Built with ❤️ by Ritwick Dutta using PyRIT
