Full Report
Redmond open sources two tools for building and maintaining safer agents
Analysis Summary
# Tool/Technique: RAMPART & Clarity (AI Safety Frameworks)
## Overview
RAMPART (Risk Assessment and Measurement Platform for Agentic Red Teaming) and Clarity are open-source security tools developed by Microsoft to facilitate the secure development and "red teaming" of agentic AI systems. RAMPART is an automated testing framework designed to be embedded into CI/CD pipelines to identify vulnerabilities in AI agents, while Clarity is a pre-development architecture agent used to identify safety risks before code is written.
## Technical Details
- **Type:** Attack Tool / Red Teaming Framework
- **Platform:** Python-based (utilizes `pytest`), integrated into CI/CD pipelines
- **Capabilities:** Automated red teaming, prompt injection simulation, vulnerability variance generation, and architectural risk assessment.
- **First Seen:** May 20, 2026 (Public Release)
## MITRE ATT&CK Mapping
*Note: As these are defensive/red-teaming tools, they map to tactics used to simulate or mitigate these threats.*
- **[TA0002 - Execution]**
- [T1059 - Command and Scripting Interpreter] (Validation of agent tool-use)
- **[TA0040 - Impact]**
- [T1499 - Endpoint Denial of Service] (Simulating model resource exhaustion)
- **[MITRE ATLAS - Researching AI Red Teaming Techniques]**
- [AML.T0015 - Adversarial Prompt Injection]
- [AML.T0016 - Indirect Prompt Injection]
## Functionality
### Core Capabilities
- **Automated Red Teaming (RAMPART):** Built on the PyRIT (Python Risk Identification Tool) toolkit, it automates the testing of Generative AI systems via `pytest`.
- **CI/CD Integration:** Allows developers to run security tests as part of the build process, ensuring new code doesn't introduce vulnerabilities.
- **Vulnerability Variant Discovery:** Can take a single attack vector and automatically generate dozens or hundreds of variations to test the robustness of a mitigation.
- **Statistical Safety Trials:** Supports probabilistic testing (e.g., verifying an agent behaves safely in >80% of multi-turn trials).
### Advanced Features
- **Multi-turn Conversation Support:** Simulates complex, long-running interactions between a user and an agent to find hidden state-based exploits.
- **Architectural Sounding Board (Clarity):** An AI agent that simulates the roles of safety engineers and architects to "interrogate" a proposed feature's safety before development.
- **Remediation Validation:** Provides a repeatable environment to verify if a security patch survives diverse adversarial perturbations.
## Indicators of Compromise
*These tools are legitimate security software; however, researchers should look for their usage in specific environments.*
- **File Names:**
- `RAMPART` (Sub-components typically in Python environments)
- `clarity-agent`
- **GitHub Repos:**
- `github[.]com/microsoft/RAMPART`
- `github[.]com/microsoft/clarity-agent`
- **Behavioral Indicators:** High volumes of automated, adversarial-themed queries to internal LLM endpoints during CI/CD build phases (indicating active red teaming).
## Associated Threat Actors
- **Internal Red Teams:** Used by Microsoft’s AI Red Team and incident responders.
- **DevSecOps Professionals:** Employed for securing agentic AI deployments.
## Detection Methods
- **Behavioral detection:** Monitoring for rapid-fire "multi-turn" conversations and known prompt injection patterns (e.g., "Ignore previous instructions") appearing in testing environments.
- **Log Analysis:** Reviewing PyRIT and RAMPART logs for test failures related to "Unapproved Tool Use" or "Policy Violation."
## Mitigation Strategies
- **Pipeline Hardening:** Require RAMPART success scores (e.g., 90% safety threshold) before allowing an agent to be deployed to production.
- **Architectural Review:** Use Clarity to identify logic flaws in agent permissions and tool access early in the SDLC.
- **Boundary Setting:** Use the framework to define strict boundaries for AI tool calls (e.g., ensuring an agent cannot access a database it wasn't designed for).
## Related Tools/Techniques
- **PyRIT:** The underlying Python Risk Identification Tool for Generative AI.
- **Prompt Injection:** The primary attack technique these tools are designed to simulate and defend against.
- **Adversarial Machine Learning:** The broader field of study encompassing these tools.