Stop Shipping AI You Haven't Actually Tested

We run structured evals, red-team campaigns, and regression pipelines for LLM apps and agentic systems - typically stood up in under two weeks.

Duration: 2-week sprint or Ongoing managed engagement Team: 1 AI QA Engineer + 1 Eval Specialist

You might be experiencing...

My LLM outputs look fine in demos but behave unpredictably in production - I have no systematic way to catch regressions when I change the prompt or swap the model.
My RAG pipeline retrieves plausible-looking chunks but the final answer still hallucinates facts - I can't tell whether the failure is in retrieval, context assembly, or the generation step.
I don't trust my eval set - it was thrown together quickly, leaks into training data, and doesn't cover the adversarial inputs real users will try.
Every time I upgrade the model version or tighten the system prompt, I have no CI gate to tell me whether quality went up or down before I ship.

QA for LLM apps and AI agents is a different discipline from traditional software testing. Your system is non-deterministic by design - the same input can produce different outputs across runs, model versions, and prompt iterations. That makes the usual “assert exact output” approach useless. What you need instead is a structured eval pipeline that scores behavior across a representative dataset, catches regressions before they ship, and surfaces adversarial failure modes before real users find them.

The four failure categories we see most often in production LLM systems: hallucination and grounding failures in RAG (the model ignores retrieved context and confabulates instead); prompt injection via user input or tool outputs (an attacker steers the model by embedding instructions in data the model reads); eval-set leakage and coverage gaps (your test set was built from the same distribution as your training data and misses the long-tail inputs that cause real incidents); and agent trajectory failures (the agent calls the wrong tool, loops indefinitely, or exceeds cost budgets on complex multi-step tasks).

We use DeepEval and RAGAS for metric-driven eval, Promptfoo for adversarial red-teaming, and LLM-as-judge scoring for dimensions that resist numeric metrics. Everything runs in your CI pipeline so prompt and model changes are gated automatically.

For teams that need deeper model-layer testing - fine-tune validation, embedding quality audits, or dataset curation - our sister practice aiml.qa specializes in that layer, and our AI/ML QA service brings that model-layer testing to the same engagement. Our managed QA service wraps eval, red-teaming, and automation into a continuous quality program if your team needs ongoing coverage rather than a sprint.

Engagement Phases

Days 1-4

Baseline Eval and Attack Surface Mapping

We instrument your LLM app with DeepEval or RAGAS metrics (faithfulness, answer relevancy, context precision, context recall for RAG; task success rate and hallucination score for agents). We build a curated golden dataset from your production logs - sampling diverse intents, edge cases, and known failure modes. We also run an initial Promptfoo red-team sweep to map prompt injection vectors, jailbreak exposures, and system-prompt leakage before touching anything else.

Days 5-9

Eval Pipeline Construction and Regression Gating

We wire the eval suite into your CI pipeline as a blocking gate. Pull requests that touch prompts, retrieval config, chunking logic, or model version run the full eval suite automatically. We configure LLM-as-judge scoring for dimensions that resist metric capture - tone, format compliance, and domain correctness. For agentic systems, we add trajectory-level checks: did the agent call the right tools in the right order, did it terminate correctly, did it stay within cost and latency budgets?

Days 10-14

Red-Team Campaign and Hardening

We run a structured adversarial campaign - prompt injection via user input and indirect injection via tool outputs, jailbreak attempts across the OWASP LLM Top 10 surface, and grounding-failure probes designed to surface hallucinations the metric suite misses. Findings feed directly into guard-rail recommendations (input/output validators, refusal classifiers, tool-call allow-listing) and a hardened prompt template. We hand off a documented test plan your team can re-run on each major release.

Deliverables

Golden eval dataset (100-200 examples) covering happy path, edge cases, and adversarial inputs - curated from production logs and annotated with expected outputs
DeepEval or RAGAS eval suite wired into CI with per-metric thresholds and a pass/fail gate on every prompt or model change
Promptfoo red-team report covering prompt injection, indirect injection, jailbreak vectors, and system-prompt leakage with severity ratings
Agent trajectory test harness covering tool selection accuracy, tool-call parameter validation, loop termination, and cost/latency budgets per run
Hardening recommendations: guard-rail spec, refusal classifier guidance, chunking and retrieval tuning notes, and a re-runnable test playbook

Before & After

MetricBeforeAfter
Regression detection on prompt changesCaught manually in code review, if at allEvery PR with prompt or model changes runs the full eval suite automatically before merge
Hallucination and grounding failure visibilitySpotted reactively from user complaints post-launchFaithfulness and context recall scores surface grounding failures in the pipeline before they reach users
Red-team coverageAd-hoc manual testing by developers, no structured adversarial scenariosSystematic Promptfoo campaign covers prompt injection, indirect injection, and OWASP LLM Top 10 vectors

Tools We Use

DeepEval RAGAS Promptfoo LLM-as-judge (GPT-4o / Claude) pytest + CI integration

Frequently Asked Questions

We don't have a golden dataset yet. Can you still run evals?

Yes - building that dataset is part of Phase 1. We sample your production logs (or seed a synthetic set if you're pre-launch), annotate expected outputs with your domain experts, and establish the baseline before any gating starts. <strong>A well-curated golden dataset of 100-200 examples is usually enough to catch the regressions that matter most.</strong>

We use RAG. How do you isolate whether the failure is in retrieval or generation?

We score each component separately using RAGAS metrics: <strong>context precision and context recall</strong> tell you whether retrieval is pulling the right chunks; <strong>faithfulness and answer relevancy</strong> tell you whether the LLM is grounding its answer in what was retrieved. That breakdown makes it much easier to direct fixes - retrieval config, chunking strategy, or prompt engineering.

We're switching model providers. How do we know if quality changes?

That's exactly what the CI eval gate handles. We run your golden dataset against both the old and new model, compare metric distributions, and flag regressions before the switch goes to production. <strong>Prompt injection and jailbreak behavior often changes significantly across model versions</strong>, so we also re-run the red-team suite on each upgrade.

Our agent calls multiple tools and the trajectories vary. How do you test that?

We build trajectory-level tests that check the sequence of tool calls, not just the final output. For each scenario we define: which tools should be called, acceptable parameter ranges, whether the agent should loop or terminate, and latency/cost budgets per run. <strong>Trajectory tests catch a class of agent bugs - wrong tool order, missing tool calls, infinite loops - that output-only evals miss entirely.</strong>

How much does this cost?

Scope varies based on the complexity of your LLM app, number of tools in your agent, and whether you need ongoing managed coverage or a one-time sprint. <strong>Book a discovery call</strong> at /contact/ and we'll scope it precisely for your stack.

Ship Quality at Speed. Remotely.

Book a free 30-minute discovery call with our QA experts. We assess your testing gaps and show you how an AI-augmented QA team can accelerate your releases.

Talk to an Expert