Microsoft has open-sourced two tools aimed at bringing security discipline to AI agent development: Clarity, a structured design review tool, and RAMPART, a continuous testing framework.
The release comes from Microsoft’s AI Red Team, the company’s internal unit that stress-tests its own AI systems, and both tools have been used internally before being open-sourced.
RAMPART: A test harness
RAMPART is built on top of PyRIT, Microsoft’s existing open-source red-teaming library, and is designed to slot into the CI pipeline.
Developers write pytest tests that describe adversarial scenarios (e.g., prompt injection attack) and the framework runs them automatically on every code change.
“Each test connects to the agent through a thin adapter, orchestrates an interaction, and evaluates observable outcomes. Tests return a clear pass or fail signal and can be gated in CI just like any other integration test. When a new tool or data source is added to the agent, the corresponding safety test can be added in the same pull request,” Ram Shankar Siva Kumar, founder of Microsoft’s AI Red Team, explained.
RAMPART is primarily a test harness, which means that each developer gets to add adapters, connectors and datasets to suit their needs. And, because AI systems are probabilistic, RAMPART supports running the same test multiple times and setting a pass threshold.
Kumar says that the tool has already been used by Microsoft’s AI incident response team to remediate real world incidents.
“They took a reported vulnerability, generated 100 variants of the vulnerability via RAMPART and used it to test the potency of each of these variants,” he told Help Net Security.
“Engineers then applied mitigations to all variants, and tested if the mitigations work via RAMPART. What we found is that work that would have taken Microsoft experts weeks can now be done in hours with RAMPART.”
Clarity: A sounding board
Clarity addresses a different part of the problem: design decisions that may become costly down the line.
“[Clarity] guides engineers through structured conversations covering problem clarification, solution exploration, failure analysis, and decision tracking,” Kumar explained.
“It asks the kinds of questions that experienced architects, product managers, and safety engineers would ask, the ones that are easy to skip when a team is excited about building something new.”
The output of the conversation is written as human-readable markdown files committed to a .clarity-protocol/ directory, and so developers can review them at will.
“The failure analysis deserves a closer look, because it goes well beyond what a single reviewer would typically catch. Multiple AI ‘thinkers’ independently examine the system from different angles, including security, human factors, adversarial scenarios, and operational concerns. The team then works through the results together with Clarity, grouping related failures, tracing causal chains, and building management plans,” Kumar added.
Open-source tools
Microsoft has a track record of open-sourcing its internal AI security tooling.
It published Counterfit in 2021 and PyRIT in 2024. The latter now has over a hundred external contributors, and is routinely updated, both by Microsoft and the community.
“We are releasing RAMPART and Clarity because these have been battle tested with Microsoft engineers,” Kumar told Help Net Security.
“Given the speed of AI world, we are sharing these tools with the community today because we want these early projects to benefit everyone.”
RAMPART and Clarity are available now on GitHub.
See also: AI red teaming agents change how LLMs get tested
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
