Skip to main content
CybersecurityHacking

Microsoft Bolsters AI Security with Open-Source RAMPART and Clarity Tools

Developer working on laptop surrounded by notes and diagrams in a collaborative workspace.

"We wanted to give product managers and engineers a way to pressure-test their assumptions at the start of a project, when changing course is cheap and the right conversation can save months of rework," Ram Shankar Siva Kumar, a Data Cowboy and founder of Microsoft's AI Red Team, said in a blog shared with The Hacker News.

RAMPART: a Pytest-native framework for agentic red teaming

Microsoft has open-sourced RAMPART, short for Risk Assessment and Measurement Platform for Agentic Red Teaming, a Pytest-native safety and security testing framework designed for AI agents. The tool lets developers write and run safety and security tests that cover adversarial and benign issues across a range of harm categories. Test cases can be written to attack or probe an AI agent for specific classes of failure — for example, unintended behavioral regressions or data exfiltration — and RAMPART evaluates outcomes and reports the results.

Cross-prompt injection and other concrete test targets

The company highlighted concrete threats RAMPART can surface. One example is cross-prompt injection, where untrusted data reaches an AI system indirectly via a data source such as an email, a file, or a web page that the agent processes. Developers can also use RAMPART test cases to model attacks or benign edge cases that might cause an agent to behave unsafely. According to Microsoft, RAMPART requires only an adapter that connects an agent to the test suite, lowering the surface area for teams to integrate tests early in development.

Clarity: an "AI thinking partner" before code is written

Alongside RAMPART, Microsoft released Clarity, which it describes as a "structured sounding board" to help teams arrive at design decisions before writing a single line of code. Clarity is framed as an "AI thinking partner that pushes back," guiding developers through problem clarification, solution exploration, failure analysis, and decision tracking. Microsoft positioned Clarity as a way to capture and interrogate design intent and assumptions at the outset of a project.

PyRIT lineage and the shift from post‑build to in‑build testing

RAMPART builds on PyRIT (Python Risk Identification Tool), which Microsoft released more than two years ago as a way to test AI systems. The company drew an explicit distinction between the two: "Where PyRIT is optimized for black-box discovery by security researchers after the system is built, RAMPART is built for engineers as the system is being built," Siva Kumar said. That distinction signals a deliberate shift in focus from finding vulnerabilities after deployment to surfacing risks during design and development.

Microsoft's stated aims: reproducibility, verifiable mitigations, and living artifacts

Microsoft said a secondary motivation for these open-source releases is operational: to make incidents reproducible, mitigations verifiable, and to scale learning from red teaming by turning exercises into runnable engineering assets. Siva Kumar framed the combined approach — RAMPART plus Clarity plus PyRIT — as a way to "move AI safety from a one-time review to a set of living artifacts that developers can use throughout the lifecycle." The company also invoked a practical example: addressing whether an agent should have access to a tool early in development so that such design decisions are handled before the system is built.

What this means for product managers, engineers, and security researchers

  • Product managers and engineers: Microsoft positions Clarity as a tool to pressure-test assumptions and capture design intent early, allowing teams to discuss trade-offs before code commits and to record decision rationale that can be revisited during development.
  • Engineers integrating agents: RAMPART provides a Pytest-native path to integrate targeted safety and security tests as part of development workflows; all that is required to run tests is an adapter that connects an agent to the suite.
  • Security researchers: Microsoft contrasts RAMPART with PyRIT, noting PyRIT remains optimized for black-box discovery after systems are built, while RAMPART is intended for in‑build testing — a delineation that preserves roles for both pre-deployment engineering work and post-deployment security research.

Microsoft has published these tools as open-source assets aimed at shifting safety work earlier in the software lifecycle, making red-team findings runnable, and preserving the reasoning behind design choices. Whether teams adopt RAMPART and Clarity and how those artifacts change day-to-day engineering and red‑teaming practices will be the next measure of impact.

Source: https://thehackernews.com/2026/05/microsoft-open-sources-rampart-and.html