Full Report
Microsoft has unveiled two new open-source tools called RAMPART and Clarity to assist developers in better testing the security of artificial intelligence (AI) agents. RAMPART, short for Risk Assessment and Measurement Platform for Agentic Red Teaming, functions as a Pytest-native safety and security testing framework for writing and running safety and security tests for AI agents, covering
Analysis Summary
# Tool/Technique: RAMPART and Clarity (Agentic AI Security Frameworks)
## Overview
Microsoft has introduced **RAMPART** (Risk Assessment and Measurement Platform for Agentic Red Teaming) and **Clarity** as open-source security tools designed to secure AI agents throughout their development lifecycle. While RAMPART focuses on programmatic safety and security testing (Red Teaming) via a Pytest-native framework, Clarity serves as a conceptual design tool to analyze failure modes and decision logic before code implementation.
## Technical Details
- **Type:** Security Testing Tool / Red Teaming Framework
- **Platform:** Cross-platform (Python/Pytest-based)
- **Capabilities:** Adversarial probing, safety violation detection, regression testing, and design-phase risk analysis.
- **First Seen:** May 20, 2026 (Public Release)
## MITRE ATT&CK Mapping
*Note: These tools are designed to simulate and defend against the following tactics applied to AI systems.*
- **[TA0002 - Execution]**
- [T1059 - Command and Scripting Interpreter] (Testing for injection points within AI agent logic)
- **[TA0010 - Exfiltration]**
- [T1567 - Exfiltration Over Web Service] (Simulating and detecting data exfiltration via AI agents)
- **[TA0043 - Reconnaissance]**
- [T1592 - Gather Victim Host Information] (Probing AI agents to reveal system instructions or internal configurations)
## Functionality
### Core Capabilities
- **RAMPART (Testing Framework):**
- Provides a Pytest-native environment for writing security unit tests for AI agents.
- Utilizes adapters to connect the test suite to specific AI agent architectures.
- Automates "Adversarial Probing" to identify safety violations.
- **Clarity (Structured Analysis):**
- Functions as an "AI thinking partner" to guide developers through problem clarification.
- Tracks decision-making and failure analysis during the early design phases.
### Advanced Features
- **Cross-Prompt Injection Testing:** Specifically targets vulnerabilities where untrusted data (emails, web pages, files) reaches an AI system indirectly and manipulates its behavior.
- **Integration with PyRIT:** Builds upon the core logic of the Python Risk Identification Tool for advanced black-box and grey-box security discovery.
- **Mitigation Verification:** Allows developers to turn red-teaming findings into runnable engineering assets to verify that a fix works and prevents regressions over time.
## Indicators of Compromise
*As these are defensive/testing tools, traditional IOCs (Malware hashes/C2s) do not apply. However, behavioral indicators of a system under test by RAMPART include:*
- **Behavioral Indicators:**
- High frequency of unconventional or "jailbreak" style prompts directed at the LLM backend.
- Automated attempts to trigger data exfiltration through agent-connected tools (e.g., file system access, email integration).
- Repetitive probing of "system prompt" boundaries.
## Associated Threat Actors
- **Developer/Security Use:** Used by Microsoft AI Red Team and defensive developers.
- **Potential Misuse:** Adversaries may utilize these open-source frameworks to automate the discovery of vulnerabilities in third-party AI agents (Adversarial Red Teaming).
## Detection Methods
- **Behavioral Detection:** Monitor for "indirect prompt injection" patterns where external data sources (e.g., scanned PDFs or web scrapers) contain hidden instructions designed to hijack the agent's logic.
- **Audit Logs:** Review agent execution logs for "unintended tool use," such as an agent attempting to access unauthorized network sockets or sensitive files as a result of a test payload.
## Mitigation Strategies
- **Input Sanitization:** Implement strict filtering for data sources processed by AI agents to prevent cross-prompt injections.
- **Principle of Least Privilege:** Limit the agent's access to sensitive tools and databases to reduce the impact of a successful injection or exfiltration attempt.
- **Human-in-the-Loop:** For high-risk actions (e.g., sending emails or deleting files), require manual approval to mitigate unintended agent behavior.
## Related Tools/Techniques
- **PyRIT (Microsoft):** The predecessor focused on black-box risk identification for LLMs.
- **Prompt Injection:** The primary technique RAMPART is designed to detect and mitigate.
- **Garak:** An LLM vulnerability scanner.
- **Cyber-RT:** General framework concepts for AI red teaming.