Overview
Microsoft has open-sourced two tools — RAMPART (Risk Assessment and Measurement Platform for Agentic Red Teaming) and Clarity — designed to shift AI security testing left, embedding adversarial probing and design-time risk analysis directly into the development lifecycle. Announced on 20 May 2026, the release reflects growing recognition that AI agents present unique attack surfaces that cannot be adequately addressed through post-deployment red teaming alone.
The tools complement Microsoft’s existing Python Risk Identification Tool (PyRIT), which has been available for over two years and targets black-box discovery by security researchers after a system is deployed. RAMPART is positioned as the engineering-time counterpart, enabling developers to write and run structured tests as the agent is being built.
Technical Analysis
RAMPART is a Pytest-native framework, meaning it integrates directly with the Python testing ecosystem. Security and safety tests are authored as standard test cases, and the tool evaluates agent responses against expected safety boundaries. Key threat scenarios it is designed to surface include:
- Cross-prompt injection: Untrusted content reaching an AI agent indirectly via processed data sources such as emails, files, or web pages, allowing an attacker to hijack agent behaviour without direct model access.
- Data exfiltration: An agent being manipulated into leaking sensitive information through its tool calls or outputs.
- Behavioural regressions: Unintended changes in agent behaviour introduced during iterative development that weaken prior safety properties.
The only integration requirement is an adapter connecting the target agent to the RAMPART test suite, keeping the adoption barrier low.
Clarity operates earlier in the lifecycle as a structured AI-assisted design review. It prompts developers and product managers to articulate problem definitions, challenge design assumptions, and formally capture decisions — particularly around agent capabilities and tool access scope — before implementation begins.
Framework Mapping
- AML.T0051 (LLM Prompt Injection) and LLM01 (Prompt Injection): RAMPART’s explicit coverage of cross-prompt injection addresses the most prevalent and high-impact attack vector against deployed AI agents.
- AML.T0057 (LLM Data Leakage) and LLM06 (Sensitive Information Disclosure): Data exfiltration test scenarios directly target this risk category.
- LLM08 (Excessive Agency): Clarity’s focus on agent tool access during design time maps directly to preventing agents from being granted more capability than necessary.
- LLM07 (Insecure Plugin Design): Adapter-based integration and tool access scoping address risks arising from poorly bounded agent-tool interfaces.
Impact Assessment
The primary beneficiaries are engineering teams building agentic AI systems who currently lack structured mechanisms to validate safety properties during development. Without tooling like RAMPART, security testing often occurs only at red team review stages — late in the cycle when remediation is costly. The indirect beneficiaries are end users and organisations whose data is processed by such agents. The tools do not address runtime production monitoring, so they complement rather than replace deployment-time controls.
Mitigation & Recommendations
- Adopt RAMPART in CI/CD pipelines to ensure adversarial test suites run on every agent code change, catching regressions early.
- Use Clarity at project kickoff to formally document and pressure-test agent design assumptions, particularly around tool permissions and trust boundaries.
- Convert existing PyRIT findings into RAMPART test cases to institutionalise red team learnings as living engineering artefacts.
- Apply least-privilege principles to agent tool access, using Clarity’s structured review to challenge any capability that is not strictly necessary.
- Treat cross-prompt injection as a first-class threat in any agent that processes external data sources, and validate mitigations with explicit RAMPART test cases.