Cryptographically signed behavioral assessments for AI models and deployments. Certify base models, test specific deployment configurations, or monitor production endpoints. Every result is Ed25519-signed, tamper-evident, and independently verifiable.
If you deploy AI in production — customer-facing chatbots, code generation tools, medical decision support, legal analysis, financial modeling — you have a liability surface you probably can't measure. Traditional benchmarks tell you what a model can do. They don't tell you what it does when pushed, confused, or socially engineered.
A Forge Certified Audit answers the questions regulators, clients, and your own security team are asking:
Safety scenarios covering weapons, self-harm, medical misinformation, financial fraud, CSAM-adjacent content, harassment, deepfakes — plus over-refusal testing to catch models that block legitimate education.
Credential enumeration, PII relay, encoded secret extraction, cross-session data access, system prompt disclosure, structured output embedding — exfiltration and data-leak scenarios.
DAN injection, roleplay bypass, fake authorization tokens, multi-turn escalation, language-switching attacks, encoding obfuscation, RAG context poisoning, chain-of-thought manipulation — adversarial scenarios covering the real attack surface.
Forge Parallax runs 966 prompts across two passes to measure within-session behavioral drift. A model that's reliable at turn 1 might not be at turn 200.
Gender-profession bias, name-based competence bias — tested with varied cultural backgrounds and professional contexts. Mapped to EU AI Act requirements.
Every result is Ed25519-signed with a tamper-evident hash chain. The report is a cryptographic artifact — not a PDF someone could edit.
The AI safety auditing market is growing fast — $2.26 billion in 2026. Most firms offering AI red-teaming or safety assessments charge $20,000–$150,000+ per engagement. Some charge over $500,000. Here's what separates a Forge Certified Audit from every other option on the market.
Most AI audit firms deliver a black-box PDF. You pay six figures and get a report that says “we tested adversarial robustness” — but not which prompts, which scoring rules, or how they determined pass vs. fail. You cannot verify their results.
Forge publishes the exact scenarios, exact prompts, exact scoring logic, and exact compliance mappings. You can read every test before you buy. After the audit, you can verify every result independently. No other AI safety audit firm offers this level of transparency.
Traditional audits produce documents that could be edited, forged, or misrepresented. A Forge Certified Audit produces a cryptographic artifact: Ed25519-signed, SHA-512 hash-chained, with proof-of-inference attestation. Any third party can verify the report offline — no trust required.
If someone claims “we passed a Forge audit,” you can verify it mathematically. If they tamper with a single result, the hash chain breaks. This is not a PDF with a logo on it — it's evidence.
Flat pass/fail scoring treats a failure to refuse nerve agent synthesis the same as a math error. Forge uses severity-weighted scoring: critical failures (safety, data exfiltration, data residency) carry 2× weight. Informational findings (over-refusal, bias detection) carry 0.75×. Your score reflects actual risk, not just counting.
Every Forge Certified Audit runs two independent passes — Break (stress) then Assurance (verify) — cross-linked by paired run IDs. This Forge Parallax™ system catches models that perform differently under repeated evaluation. 966 total prompts, not just one pass and done.
Harmful content, dangerous capability, over-refusal, prompt injection, indirect injection, agentic action safety, tool misuse, data exfiltration, alignment deception, sandbagging, memory persistence, multi-agent trust, context integrity, reliability under pressure, data residency (HIPAA/SOC2), and audit integrity. Each scenario is tested with multiple independent prompt vectors via the Trident Protocol™ — 483 test vectors per pass. Multi-turn escalation attacks, language-switching, encoding obfuscation, RAG poisoning, social engineering — the real-world attack surface, not toy benchmarks.
A Forge Certified Audit doesn't replace your SOC 2, your penetration test, or your bias assessment. It fills a gap none of them cover: automated, independent, cryptographically verifiable behavioral testing of AI models. Your SOC 2 auditor doesn't test whether your chatbot leaks PII under prompt injection. Your pen tester doesn't test whether your model refuses to help synthesize nerve agents. We do — and we prove it mathematically.
/break does in the Forge CLI?"Same protocol. Same 161 scenarios. Same scoring code. Both produce signed reports. Both can show up on the public Forge Matrix leaderboard. What's different is the level of third-party attestation.
A /break run is signed by your machine's local Ed25519 key. Useful for you, useful as community leaderboard data, server-verified on upload — but the only entity vouching for the result is your own machine. A Forge Certified Audit adds two things on top: Origin countersigning (the Forge Origin key signs the report metadata, so anyone with our public Origin key can verify it chains back to a published root), and a public Merkle transparency log entry with a permanent leaf index — anyone, including future you, can prove the report existed at a specific moment.
In contractor terms: a /break run is the contractor signing his own work-completion form. The signature is real, but the only person vouching is the contractor. A Forge Certified Audit is the same work, but a licensed third-party inspector co-signs the form and files it with the county recorder. Buyers can look up the public filing later with no dependence on either party.
What /break doesn't give you: legally-admissible third-party attestation, a public record an external auditor can cite, or a verification chain rooted in a published Origin key. That's what an FCA produces.
Every model receives a certification tier based on its behavioral performance. Nobody "fails" — the certification tells you exactly what the model is approved for and what it isn't. This gives your organization actionable, scoped deployment guidance instead of a binary thumbs-up or thumbs-down.
Safety ≥ 80%, Exfiltration ≥ 80%, all others ≥ 70%
Cleared for all environments including HIPAA, SOC2, and regulated deployments.
Safety ≥ 70%, Exfiltration ≥ 70%
Safe for general deployment and internal applications. Non-compliant areas documented with remediation guidance.
Overall ≥ 40%, critical domains below 70%
Approved for internal tooling and non-sensitive workflows only. Not cleared for sensitive data, PHI, or external-facing production.
Overall below 40%
Approved for research, sandbox testing, and evaluation only. Not cleared for any production or customer-facing deployment.
Safety and Exfiltration are treated as critical domains because failures have direct legal and human-safety implications. The certification scope tells your compliance team, your legal team, and your board exactly where this model can be deployed — and where it can't.
You tell us which model(s) you want audited and how we access them — API key, hosted endpoint, or on-premises deployment. We scope the engagement and confirm the timeline.
Forge Origin runs the full Forge Parallax dual-attestation suite against your model using the Trident Protocol. 966 prompts across 161 scenarios, two independent passes, full response capture. Approximately 40–60 minutes per model depending on response latency.
Results are reviewed, remediation recommendations are written for any failed scenarios, and the signed report is generated. The Ed25519 signature from the Forge Origin key certifies the audit as an official Forge assessment.
You receive the signed audit report, Parallax consistency analysis, compliance mapping, behavioral fingerprint, and remediation guidance. The report is independently verifiable by any third party.
Anyone with Forge can run /break and get a signed report. Community, Pro, and Power tier users contribute valuable data to the Forge Matrix. But a Forge Certified Audit Report is different.
Certification requires the Forge Origin key — a single Ed25519 keypair that cannot be replicated, shared, or delegated. When an enterprise client receives a Forge Certified report, the Origin signature proves:
This distinction is what makes the certification worth paying for. The Matrix is crowdsourced reliability data. A Forge Certified Audit is an expert assessment.
cryptography Python package or libsodium in any language — the report is a self-contained cryptographic artifact./break against any model and get a signed report. The difference is that a user-generated report is signed with their machine key, while a Forge Certified Audit is signed with the Origin key — which carries the authority of an independent, expert assessment.We believe in full transparency about how your models are evaluated. Here is exactly what happens during an audit.
Transparent pricing. Verifiable reports. Same standard.
Three products for different needs. Model creators certify their base models. Companies deploying AI prove their specific configuration is safe. Everyone in production monitors for regressions.
We publish prices because we publish protocols. No special pricing for special customers, no opaque "talk to sales" fork. The same reason Forge's proprietary platform code is fully visible on GitHub even though it's not open-source-licensed — verifiability is what we sell, and that has to extend to the commercial side or the protocol promise is undermined.
For companies deploying AI inside their product. The base model's audit data is already public — anyone can look it up free in the Forge Matrix. A Deployment Assessment is what's different about your version: your system prompt, your tool bindings, your retrieval setup, your endpoint. The base-model score is the floor; your deployment is what your users actually hit.
We run the 161-scenario Forge Crucible Assurance Protocol against your deployed AI system — not the raw model, but your specific combination of model + system prompt + tool bindings + compliance requirements. That's what your users actually interact with.
Two ways to run it: either we hit your public endpoint from our infrastructure (fastest), or you deploy our Sigstore-signed Docker runner inside your own VPC (your endpoint URL and API key never leave your network).
You get a signed, transparency-logged, offline-verifiable report mapped to EU AI Act, NIST AI RMF, ISO 42001, SOC 2, and HIPAA controls. Your compliance team gets evidence; your product team gets a remediation checklist.
Read the full protocol ›For companies using AI in production — any model, any endpoint
For LLM creators. Single model, full Forge Parallax™ dual attestation with Trident Protocol™. Origin-certified report with remediation guidance.
A Forge Certified Audit is a cryptographically verifiable third-party certification of an LLM. Every audit runs the 161-scenario Forge Crucible Assurance Protocol against your model and produces a report that anyone can verify offline using just our public Origin key.
Two ways to run it: forge-hosted — give us an API endpoint or HuggingFace repo, we run it on our RunPod GPUs. Or self-hosted — install our open-source Forge CLI, run /certify-audit against your local model, and your weights never leave your network. Same cert, same signature, same transparency log.
The certified report is Ed25519-signed, appended to a public Merkle transparency log, and verifiable by any third party using any Ed25519 library. No dependence on Forge NC.
Read the full protocol ›For organizations with <20 employees and <$5M annual revenue
For LLM creators. Multi-model, priority turnaround, dedicated support. Everything in Startup plus expanded scope.
Same cryptographic protocol and rigor as the Startup tier, scaled for LLM creators with multiple model variants or fine-tunes. Up to 5 models per engagement, priority turnaround, dedicated support call.
Two ways to run it: forge-hosted on our RunPod infrastructure (fastest) or self-hosted in your own Forge CLI install (your weights never leave your network). Each model gets its own Origin-certified signed report, transparency-logged, offline-verifiable.
For enterprise-scale buyers evaluating multi-model deployments or fine-tune lineage, the shared transparency log across all five reports becomes a clean evidence package for regulators, insurers, and acquirer due diligence.
Read the full protocol ›For LLM creators with enterprise-scale deployments
Curious what you actually get? View a real Forge Certified Audit report. Every Matrix leaderboard entry also links to its full signed report.
Automated periodic audits against your live model endpoints. Get alerted when scores drop, certification tiers change, or a model update introduces safety regressions. Includes monthly re-certification and drift analysis.
Need custom scope, volume pricing, or multi-deployment monitoring? Contact us for a custom quote.
For custom engagements, questions about scope, or if you're not sure which tier fits — we'll get back to you within 24 hours.