HONEST COMPARISON

ATR vs garak — detection rules vs adversarial testing

garak generates adversarial prompts to probe LLM weaknesses pre-deployment. ATR detects malicious patterns in agent runtime traffic. garak finds vulnerabilities in models; ATR catches exploits against agents. Both are needed. ATR rules pass garak's test corpus at 97.1% recall.

NVIDIA garak is the leading open-source LLM red-teaming framework. It runs probes — encoding tricks, persona attacks, jailbreaks, output poisoning — against a target LLM and reports which attacks succeeded. garak is for pre-deployment validation: "before we ship this model, what attacks work against it." It does not run in production traffic.

ATR is the runtime detection layer. Once an LLM is deployed in an agent, ATR rules inspect every prompt, every tool call, every retrieved document, every model output for known attack patterns. ATR runs at sub-millisecond per rule and blocks or alerts in real time. The two tools complement each other: garak finds what the model is vulnerable to, ATR catches when attackers actually try it.

Feature comparison

Feature

ATR (Agent Threat Rules)

NVIDIA garak

When it runs

Runtime (every request)

Pre-deployment (lab testing)

What it produces

Block / alert / quarantine verdicts

Test report (success rate per probe)

Sample size

344 detection rules

Hundreds of probe types

Garak benchmark recall

97.1% on 666-sample corpus

—

Integration

PanGuard Guard, Microsoft AGT, Cisco AI Defense

CLI tool, GitHub Actions

Maintainer

PanGuard AI + community

NVIDIA

License

MIT

Apache 2.0

Green highlights which side is stronger for that feature. "context" (amber) means "depends on use case, neither wins overall".

When to choose ATR (Agent Threat Rules)

You need real-time detection in production. You are running AI agents that interact with users, tools, and external content. You need to block exploits before they execute, not discover them in post-mortem.

When to choose NVIDIA garak

You are evaluating an LLM before deployment. You need to know what attacks succeed against your model so you can patch, retrain, or harden the system prompt. You want a research-grade test suite with reproducible probes.

Bottom line

Use both. Run garak in CI before any model change ships. Run ATR in production against every request. garak finds what to fix; ATR catches what was missed. ATR's public benchmark against garak's corpus (97.1% recall on 666 samples) measures that overlap honestly.

References

Reviewed byAdam Lin·Last reviewed2026-05-12