Interactive tool
Scanner Picker
Describe what you're protecting, your deployment constraints, the threats you care about, and where the scanner has to plug in — get a ranked shortlist of LLM security scanners with a capability matrix, license/cost, and a side-by-side compare of the top three.
Reviewed May 2026. Hard constraints (deployment, budget) knock out tools that can't satisfy them; the rest are scored on how well they fit your target, threat, integration point and language. Every result shows a capability matrix and a transparent "pick if / skip if" summary.
Full capability matrix
✓ = primary, documented capability · ◐ = partial / possible but not its main job · ✗ = out of scope.
| Scanner | Host | Prompt injection | Jailbreak | Data exfil / leakage | PII | Toxic content | Supply chain | License / cost |
|---|---|---|---|---|---|---|---|---|
| garak | Self-host | ✓ | ✓ | ◐ | ◐ | ✓ | ✗ | Free / OSS |
| PyRIT | Self-host | ✓ | ✓ | ◐ | ◐ | ✓ | ✗ | Free / OSS |
| promptmap | Self-host | ✓ | ◐ | ◐ | ✗ | ✗ | ✗ | Free / OSS |
| Rebuff | Self-host | ✓ | ◐ | ◐ | ✗ | ✗ | ✗ | Free / OSS (self-host) |
| LLM Guard | Self-host | ✓ | ◐ | ✓ | ✓ | ✓ | ✗ | Free / OSS |
| Vigil | Self-host | ✓ | ◐ | ◐ | ✗ | ✗ | ✗ | Free / OSS |
| Promptfoo | Self-host | ✓ | ✓ | ◐ | ◐ | ✓ | ✗ | Free OSS / paid enterprise |
| Giskard | Self-host | ✓ | ◐ | ◐ | ◐ | ✓ | ✗ | Free OSS / paid hub |
| DeepTeam (DeepEval) | Self-host | ✓ | ✓ | ◐ | ◐ | ✓ | ✗ | Free OSS / paid platform |
| NeMo Guardrails | Self-host | ◐ | ✓ | ◐ | ◐ | ✓ | ✗ | Free / OSS |
| Guardrails AI | Self-host | ◐ | ◐ | ◐ | ✓ | ✓ | ✗ | Free OSS / paid hub |
| Llama Guard 3 | Self-host | ◐ | ✓ | ✗ | ✗ | ✓ | ✗ | Free weights (self-host compute) |
| Prompt Guard (86M) | Self-host | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | Free weights (self-host compute) |
| ShieldGemma | Self-host | ◐ | ✓ | ✗ | ✗ | ✓ | ✗ | Free weights (self-host compute) |
| Microsoft Presidio | Self-host | ✗ | ✗ | ◐ | ✓ | ✗ | ✗ | Free / OSS |
| Lakera Guard | API | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | Commercial (API; free tier) |
| OpenAI Moderation API | API | ✗ | ◐ | ✗ | ✗ | ✓ | ✗ | Free (with API account) |
| Azure AI Content Safety | API | ✓ | ✓ | ◐ | ✗ | ✓ | ✗ | Commercial (consumption) |
| ModelScan | Self-host | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | Free / OSS |
| picklescan | Self-host | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | Free / OSS |
| Granica Screen (PII) | API | ✗ | ✗ | ◐ | ✓ | ✗ | ✗ | Commercial |
| Robust Intelligence (Cisco AI Defense) | API | ✓ | ✓ | ✓ | ✓ | ✓ | ◐ | Commercial (enterprise) |
| HiddenLayer AISec Platform | API | ✓ | ✓ | ◐ | ◐ | ◐ | ✓ | Commercial (enterprise) |
| Protect AI Recon | API | ✓ | ✓ | ◐ | ◐ | ✓ | ◐ | Commercial |
How ranking works & caveats
Capability ratings are our practitioner reading of each tool's documented, in-scope functionality as of the review date — "partial" means it can be made to work but isn't the tool's primary job. Licenses and hosting models change; verify against the upstream project before committing.
Deployment and budget are hard filters — an API-only tool is removed when you require self-host or air-gap, and commercial tools are removed under an OSS-only budget. Remaining tools earn points for matching your threat focus (heaviest weight), protected target, integration point and language/SDK. See the scanner overview and false-positive cost analysis.