RAMPART and Clarity make agent safety testable
July 4, 2026

Microsoft’s open tools RAMPART and Clarity move safety work earlier in agent projects: clarify assumptions first, then turn attacks into CI tests.
What this is about
Microsoft RAMPART and Microsoft Clarity Agent are two open-source tools from Microsoft’s AI Red Team environment. They are not consumer apps. They are aimed at teams building their own agents: systems that can read email, process tickets, execute code, query databases, or operate other tools. That is where safety becomes more concrete than with a pure chatbot, because wrong agent actions can have real side effects.
Microsoft introduced both tools on May 20, 2026. RAMPART is meant to bring security and safety scenarios into development as repeatable tests. Clarity is meant to guide teams through problem clarification, solution exploration, failure analysis, and decision tracking before implementation. Together, they form a tool pair for teams that want to build agents with more control, not just more speed.
What RAMPART and Clarity actually do
RAMPART is a pytest-native testing framework for agentic applications. Developers write tests that run a scenario against an agent, inspect observable outcomes, and end with a clear pass-or-fail signal. The important point is that this is not just unit testing for functions. It is behavior testing for agents. A test can model a case where an agent may read a poisoned email, but must not send a secret API key to an external domain afterward.
Technically, RAMPART builds on Microsoft’s PyRIT. It can test adversarial patterns such as cross-prompt injection and it accounts for probabilistic LLM behavior. A test can therefore run multiple times and define a threshold instead of pretending that a single run is enough.
Clarity works earlier in the process. It is a structured dialogue partner for architecture and product decisions. The tool guides teams through questions such as: What problem are we really solving? Which assumptions support the solution? Where could the system fail? The results are written as Markdown files in a .clarity-protocol/ directory and can be reviewed alongside code.
Why it matters
Agents connect language with action. A support agent may not only summarize a ticket, but close it. A coding agent may not only suggest code, but run commands. An office agent may not only read calendar data, but change appointments. That means a safety review after the system is built is too late. Safety assumptions need to move into requirements, tests, and CI.
RAMPART is useful for teams already developing agents and wanting to turn known attack patterns into regression tests. Clarity is useful for teams that see how fast agent development can lock in wrong product assumptions. The value is less about magic and more about discipline: risks become visible as files, tests, and review artifacts.
In plain language
Imagine you are building a new workshop. Clarity is the person who asks before any machines are bought: What are we really making here, who may use which tools, and what happens if somebody presses the wrong button? RAMPART is the daily checklist that verifies the safety switches, emergency stops, and access locks still work.
A practical example
A SaaS team builds an agent for 50,000 support tickets per month. The agent can read customer data, prepare refunds, and send standard replies. Before the first pilot, the team uses Clarity to document that refunds above 100 euros must never be executed automatically. That becomes a reviewed decision with a risk analysis.
The team then writes RAMPART tests. One test creates a ticket with a hidden instruction telling the agent to ignore internal notes and trigger a refund. The test runs 30 times on every pull request. It only passes if the agent avoids the unauthorized action in at least 29 of 30 runs and escalates the case to a human.
Scope and limits
First, the tools do not replace threat modeling by experienced security people. RAMPART can only test scenarios the team has modeled. Second, Clarity is not an oracle. The documents it produces can contain wrong assumptions and need review. Third, RAMPART needs adapters for the team’s own agent architecture, so complex toolchains will require integration work.
Maturity also matters: RAMPART was released as version 0.1.0 in May 2026. For production teams, that means starting with a bounded agent path rather than treating it as the only safety control.
SEO & GEO keywords
Microsoft RAMPART, Microsoft Clarity Agent, AI agent safety, agent security testing, pytest AI agents, PyRIT, prompt injection testing, cross-prompt injection, AI red teaming, agent CI tests, AI safety tooling, open source security tools
💡 In plain English
RAMPART turns safety rules for AI agents into runnable tests. Clarity helps teams ask the right questions about goals, risks, and architecture before they build.
Key Takeaways
- →RAMPART is a pytest-native open-source testing framework for agentic AI applications.
- →Clarity documents problem framing, solution rationale, failure analysis, and decisions as Markdown in the repository.
- →The practical value is repeatable safety checks for prompt injection, tool misuse, and wrong agent actions.
- →Teams still need to build their own scenarios and adapters; the tools do not replace security review.
- →The best first test is a bounded agent path with clear human escalation.
FAQ
Is RAMPART a consumer product?
No. RAMPART is aimed at developer teams that build and test their own AI agents.
How is Clarity different from a normal chatbot?
Clarity writes structured decision and risk artifacts into the repository instead of leaving the work as a loose conversation.
Can RAMPART prevent prompt injection?
It does not automatically prevent attacks. It helps teams test concrete attack scenarios repeatedly and catch regressions early.
What should a team try first?
Pick one critical agent tool, model one misuse scenario, and run it as a RAMPART test in CI.