By ByteBot
Your AI agent can read your email, browse the web, execute code, and take actions in your connected systems — all based on instructions that include whatever is in the data it processes. The odds are near-certain you have zero automated tests for what happens when those instructions are malicious. Microsoft open-sourced two tools on May 20 to fix that: RAMPART and Clarity.
The Test Suite You Never Wrote
Here is the problem nobody wants to say out loud: traditional unit and integration tests are useless against prompt injection. They check code paths. Prompt injection does not touch a code path — it hijacks the model behavior at the semantic layer, in plain text, through data your agent trusted.
This is not hypothetical. In early May, Microsoft published an analysis of two critical CVEs in Semantic Kernel — an agent framework with 27,000 GitHub stars. CVE-2026-26030 used unsafe string interpolation in a filter function to break out into Python eval(). CVE-2026-25592 exploited an internal function accidentally exposed to the model as a callable tool, allowing write access to the Windows Startup folder. Both were triggered by crafted natural-language inputs, not malformed network packets. Both would have sailed through any standard test suite.
Google researchers logged a 32% increase in malicious prompt injection payloads embedded in web content between November 2025 and February 2026. Your agents are fetching that web content. Prompt injection is now an OWASP Tier-1 risk — and most teams are still treating it as a theoretical edge case.
RAMPART: Safety Tests That Feel Like Normal Tests
RAMPART — Risk Assessment and Measurement Platform for Agentic Red Teaming — is Microsoft open-source answer. It is a pytest-native safety testing framework built on top of PyRIT, Microsoft existing red-teaming library. The design decision here is deliberate and important: it integrates into the same CI pipeline where you run your integration tests, using the same test runner, with the same pass/fail gates.
A RAMPART test describes an adversarial scenario — say, a document retrieval workflow where retrieved content contains a prompt injection payload. RAMPART takes that scenario and automatically generates up to 100 attack variants, running each dozens to hundreds of times to account for the probabilistic nature of LLM responses. You set a threshold: this action must be safe in at least 80% of runs. If it falls below that, the build fails. The safety regression is caught before it ships.
Ram Shankar Siva Kumar, the founder of Microsoft AI Red Team, put it plainly: Work that would have taken Microsoft experts weeks can now be done in hours with RAMPART. His team used it internally to test mitigations for a single vulnerability vector across close to 100 variants, running 300 trials each. That kind of coverage was previously inaccessible to any team without a dedicated red team on retainer.
The deeper innovation is not the automation — it is the ownership model. Previously, agent safety was a periodic checkpoint: security specialists ran red teaming exercises after the system was built, findings went into a report, and most of those findings aged out before the next review cycle. RAMPART turns those findings into permanent regression tests that engineers own, run, and maintain like any other code. As Kumar framed it: Where PyRIT is optimized for black-box discovery by security researchers after the system is built, RAMPART is built for engineers as the system is being built.
RAMPART is available on GitHub under the MIT license.
Clarity: Before You Write the First Line
RAMPART tests what you built. Clarity questions what you are about to build. It is a structured design review tool — available as a desktop app, web UI, or embedded directly in coding agents — that runs a team through adversarial design questions before implementation begins.
Clarity deploys multiple AI thinkers that examine a proposed system independently from security, human factors, and operational angles. Outputs land in a .clarity-protocol/ directory as plain markdown, committed to git, reviewed in pull requests, and tracked for staleness when the problem statement changes. This is design documentation that does not rot in a wiki — it lives next to the code and alerts teams when it goes stale.
A developer proposes real-time collaborative document editing. Clarity pushes back: Does this actually require real-time, or would near-real-time suffice? What happens when the agent has write access to a shared document that a second agent is also reading? These are the questions experienced architects ask and junior developers skip. Clarity surfaces them before the architecture is load-bearing. The Clarity repository is also MIT-licensed on GitHub.
The Broader Shift
RAMPART and Clarity do not exist in isolation. Anthropic Project Glasswing flagged over 23,000 vulnerabilities in open-source software using Claude Mythos Preview. OpenAI Daybreak platform brings AI-powered vulnerability scanning to enterprise organizations. The entire security industry is recalibrating around the reality that AI both writes more code and introduces a new class of attack surface that existing tooling cannot address.
Kumar summarized the direction all of this is converging on: It is high time we stop talking about AI safety as a philosophy and start thinking about AI safety as an engineering discipline.
RAMPART is the first open-source, developer-first, CI-native safety framework for AI agents from a major vendor. The official announcement covers the full feature set. Shipping an AI agent without coverage for its behavioral attack surface is not a calculated risk — it is just untested code, and the documented attack vectors are only growing.
