From Internal Red Team Tools to Open AI Agent Safety Platforms
Microsoft’s AI Red Team has open-sourced two internal tools, RAMPART and Clarity, aiming to make AI agent safety a routine engineering task rather than a theoretical debate. The immediate focus is on developers and security teams building agents that can use tools, access business systems, and act on live data. Instead of relying solely on policy documents or ad hoc reviews, teams can now inspect and extend the actual safety tooling that Microsoft uses on its own systems. RAMPART provides a structured way to test how agents behave under attack, while Clarity serves as a design-time guide for identifying risky assumptions before code is written. Together, they anchor AI safety development in repeatable processes, bringing practices like AI agent safety tools, red-team testing CI/CD integration, and pre-code design reviews into everyday workflows.
RAMPART: Embedding Red-Team Testing into CI/CD Pipelines
RAMPART (Risk Assessment and Measurement Platform for Agentic Red Teaming) is built on Microsoft’s PyRIT toolkit and uses pytest to turn attack simulations into repeatable tests. Developers define adversarial scenarios—such as prompt injection attempts or unsafe tool use—and connect them to AI agents via thin adapters. These tests execute automatically on every code change, returning clear pass or fail results that can gate releases just like traditional integration tests. Because AI models are probabilistic, the RAMPART framework testing approach supports statistical trials, for example requiring an action to remain safe in 80 percent of runs instead of accepting a single clean outcome. Incident responders can also replay discovered vulnerabilities, generate dozens of variants, and validate whether mitigations hold up over hundreds of runs and multi-turn conversations. This makes red-team testing CI/CD-friendly and keeps safety checks aligned with evolving code and tools.
Turning Incidents into Continuous Safety Regression Tests
A key design goal of RAMPART is to ensure that every discovered weakness becomes a permanent regression test in the AI safety development lifecycle. When a security researcher or internal team finds a flaw, engineers can encode that attack vector in RAMPART, generate large numbers of variants, and test an entire agentic application for similar weaknesses. Microsoft’s AI incident response team has used the framework in this way, leveraging automated variant generation and repeated trials to compress weeks of manual testing into hours. Once mitigations are in place, the same tests verify that fixes hold across multiple variations and conversational contexts, not just a single reported case. Because RAMPART is a test harness rather than a closed product, teams can add their own adapters, connectors, and datasets, aligning attack simulations with their specific tools, data sources, and business processes.
Clarity: Structured Design Reviews Before Code Is Written
While RAMPART focuses on runtime behavior, Clarity targets the earliest phase of AI agent safety: design and planning. Framed as a structured design review agent, Clarity guides teams through systematic conversations about problem definition, solution options, and failure modes before any production code is written. It prompts engineers to articulate assumptions, think through tool and data access, and consider how an agent might fail in real environments. The tool also encourages decision tracking, giving teams an auditable record of why certain choices were made and which risks were accepted or mitigated. In practice, this makes Clarity agent planning a sounding board that mirrors the questions senior architects or safety engineers might ask, especially around tool access and side effects. By surfacing issues early, Clarity reduces the likelihood that hidden design flaws will only be discovered once agents are already interacting with live systems.
Democratizing AI Agent Safety for the Wider Developer Community
By open-sourcing both tools, Microsoft aims to democratize AI agent safety tools and move the field toward shared, inspectable engineering controls. Outside teams can examine how RAMPART encodes attack scenarios, extend the framework for their own agents, and contribute new tests or fixes. Similarly, Clarity’s structured questioning can be adapted to different domains, pushing safety considerations into product planning rather than leaving them for late-stage audits. Ram Shankar Siva Kumar, founder of Microsoft’s AI red team, argues that the industry needs fewer philosophical arguments and more concrete mechanisms like these to manage risk. While independent evaluations will still need to validate Microsoft’s claims about speed and coverage, the release signals a shift toward integrating AI safety development directly into standard software pipelines. For teams building tool-using agents, the combination of Clarity planning and RAMPART testing offers a practical blueprint for safer deployments.