Braintrust Confirms AWS Breach, Tells Every Customer to Rotate API Keys


Braintrust, the AI evaluation platform last valued at $800 million in February 2026, confirmed a security breach this week and asked every customer to rotate any API keys stored in its systems. The company said the breach was contained to a single AWS account, that only one customer was confirmed impacted, and that there is “no evidence of broader exposure.” The blanket rotation request applies anyway. That contradiction tells you everything about why this incident matters.

Braintrust is not a household name, but it is the kind of platform that enterprise AI teams quietly depend on. It calls itself an “operating system for engineers building AI software” and is used by AI ops teams to monitor, test, and run evals against their production models. To do that, customers store API keys for their AI providers (OpenAI, Anthropic, and other model APIs) inside Braintrust. The breach hit those stored keys.

This is the AI-stack version of the CircleCI 2023 breach: a single mid-stack tool that holds production credentials for the entire industry, getting compromised in a way that forces every downstream customer to rotate.

What We Know About the Breach

From Braintrust's customer notification email and the company's spokesperson:

  • Vector: One AWS account belonging to Braintrust was compromised.
  • Data accessed: API keys stored by customers for accessing cloud-based AI models (OpenAI, Anthropic, etc.).
  • Scope: One customer confirmed impacted; no evidence of broader exposure.
  • Action requested: Every customer rotate stored keys as a precaution.
  • Containment: Compromised AWS account locked down. Access audited and restricted across related systems. Internal secrets rotated.
  • Notification: Customers received the breach email Monday, May 5, 2026.

The contradiction in Braintrust's public messaging — “there is no evidence of a breach” in one statement vs. confirmed incident in the customer email — appears to be a wording mismatch between the customer-facing comms and the press response. We expect a fuller post-mortem in the next 7-14 days.

Why Every Customer Has to Rotate Even If Only One Was Impacted

This is the part of the story that matters for everyone running AI in production. When a vendor stores your API keys, even if only one customer's stored keys were demonstrably exfiltrated, you cannot rule out that yours were touched and not yet used. The conservative posture is: rotate everything, today. Anyone who waits for “confirmed breach of MY keys” is waiting until the keys have been used at scale.

For Braintrust customers, the rotation list typically includes:

  • OpenAI API keys — rotate at platform.openai.com → API keys
  • Anthropic API keys — rotate at console.anthropic.com → API Keys
  • Other model provider keys (Cohere, Mistral, Together, etc.)
  • Any service-to-service tokens stored in Braintrust as variables

The Bigger Pattern: Mid-Stack AI Tools Are the New Attack Surface

Braintrust is the third “mid-stack AI ops” vendor breach in 18 months. The pattern is consistent: a fast-growing startup ($80M Series B in February for Braintrust) acquires enterprise customers faster than its security org can keep up, and the customer trust required for the platform to function (storing prod API keys, prod data samples, model weights, evaluation datasets) becomes a single high-value target.

The CircleCI 2023 incident set the template. When one CI/CD vendor was compromised, every customer had to rotate every secret in every CI pipeline. Hundreds of thousands of teams. The blast radius was the entire startup ecosystem. The Braintrust breach is more contained — fewer customers, smaller surface — but the structural lesson is the same: when your business model is “customers give us their production secrets so we can help them ship faster,” you become the highest-value target in the chain.

My Take

The genuinely interesting question is not whether Braintrust did a good job containing this. It probably did. The interesting question is whether AI eval platforms — and AI ops platforms more broadly — should require customers to store provider API keys at all. The architectural alternative exists: customers run a thin local agent that holds the keys and Braintrust never sees them. That is how some observability stacks (Datadog Synthetics, Sentry's PII-hashing) work for sensitive workloads. It is operationally heavier and the product UX is worse, but it kills the breach blast radius.
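The local-agent design described above, as an added example (not Braintrust's code or any vendor's API): the platform sends a credential-free job, and a customer-side agent attaches the key, pins it to the provider's own host, and scrubs it from whatever goes back. The job fields, function names and key values are hypothetical and constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Keys live only on the customer side (constructed placeholder values).
LOCAL_KEYS = {"openai": "sk-EXAMPLE-local-only",
              "anthropic": "sk-ant-EXAMPLE-local-only"}

# Each provider key may only ever be sent to its own API host.
ALLOWED_HOSTS = {"openai": "api.openai.com", "anthropic": "api.anthropic.com"}


class JobRejected(Exception):
    pass


def build_upstream_request(job):
    """Turn a credential-free job from the platform into an authenticated request."""
    provider = job.get("provider")
    if provider not in LOCAL_KEYS:
        raise JobRejected(f"unknown provider: {provider!r}")
    url = urlsplit(job.get("url", ""))
    # Refuse anything that would ship the key somewhere other than the provider.
    if url.scheme != "https" or url.hostname != ALLOWED_HOSTS[provider]:
        raise JobRejected("destination not allowed for this provider")
    key = LOCAL_KEYS[provider]
    headers = {"content-type": "application/json"}
    if provider == "anthropic":
        headers["x-api-key"] = key
    else:
        headers["authorization"] = f"Bearer {key}"
    return {"url": job["url"], "headers": headers, "body": json.dumps(job["body"])}


def scrub(text):
    """Remove any locally held key from text before it leaves the agent."""
    for key in LOCAL_KEYS.values():
        text = text.replace(key, "[REDACTED]")
    return text


def run_job(job, send):
    """Execute one job; `send` does the HTTP call (injected so this runs offline)."""
    try:
        upstream = build_upstream_request(job)
        status, body = send(upstream)
    except JobRejected as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": status == 200, "status": status, "body": scrub(body)}
```

With this split, a compromise of the platform's cloud account exposes job definitions and scrubbed responses, not provider credentials.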

The reason most AI ops platforms don't ship this: it makes the “just paste your key and start evaluating” demo flow worse. That demo flow is how Braintrust grew from seed to $800M valuation in two years. The same friction-free key-paste that powered growth is what now requires every customer to rotate. The honest read is that this is a foundational design choice, not an incident. Until AI eval platforms re-architect to never see customer keys, every Braintrust-class platform is one AWS account compromise away from triggering the same all-customer-rotate exercise. Customers pricing their procurement decisions accordingly is the natural next move.

The other thing worth flagging: Braintrust customers almost certainly include named AI labs and large fintechs whose names won't be in the public post-mortem. The blast radius this week is smaller than CircleCI's was in 2023, but the customer-list quality is, in some senses, higher. A breach that affects ten Fortune 500 AI engineering teams is more economically meaningful than a breach affecting a thousand startups. Braintrust's incident response over the next two weeks will set the template for how the AI ops layer handles this category of incident going forward.

Frequently Asked Questions

What is Braintrust?
Braintrust is an AI evaluation platform that helps engineering teams monitor, test, and run evals against AI models in production. It was last valued at $800 million following an $80 million Series B funding round in February 2026.

What data was compromised in the Braintrust breach?
According to Braintrust, one of the company's AWS accounts was breached. The data at risk includes customer-stored API keys for cloud-based AI providers like OpenAI and Anthropic. Only one customer is confirmed impacted, but every customer has been asked to rotate keys as a precaution.

Should I rotate my API keys if I use Braintrust?
Yes. Even if you have not received a direct confirmation that your keys were specifically compromised, the company is asking every customer to rotate stored API keys. Treat this as a mandatory action, not optional.

How is this similar to the CircleCI 2023 breach?
Both involve a mid-stack developer-tools vendor that stored production credentials being compromised, requiring every customer to rotate every stored secret. The structural risk is the same: when one vendor holds your production keys, one breach forces a system-wide rotation.

Is Braintrust still operational?
Yes. The company says the incident has been contained, the compromised AWS account is locked down, and access has been audited and restricted across related systems. Customers can continue using the platform, but should rotate keys immediately.

The Bottom Line

Braintrust's AWS account got compromised, every customer needs to rotate their stored API keys, and the company will likely publish a fuller post-mortem in the next two weeks. The bigger question for the AI ops industry is whether the “customers paste their keys for friction-free demos” design pattern remains viable after the third such incident in 18 months. The architectural alternative — local agent or BYO-key-vault — exists, but it makes onboarding harder. We will see whether security pressure or growth pressure wins.
