In June, Adversa AI confirmed shell injection bypasses in 10 of 11 popular open-source AI coding agents. Two weeks ago, researchers demonstrated that Claude Code and Codex can be hijacked via instructions hidden in README files. Last week, CISA added the first AI agent vulnerability to its Known Exploited Vulnerabilities catalog. The pattern is clear: AI agents are reaching production without the safety discipline developers apply to every other component they ship. Microsoft released two open-source tools in May to fix that. RAMPART and Clarity give engineers a pytest-native path to test AI agents for adversarial failure modes before they cause damage. Most developers have not heard of either.
RAMPART: Safety Tests That Run in CI #
RAMPART (Risk Assessment and Measurement Platform for Agentic Red Teaming) is a pytest-native framework for writing and running safety and security tests on AI agents. The key word is pytest-native. There is no new toolchain to learn. If you write integration tests today, you already know how to use RAMPART.
The framework connects to your agent through a thin adapter, orchestrates an interaction, and evaluates observable outcomes — tool calls, outputs, side effects. Tests return a clear pass or fail and can gate PRs just like any other integration test. Microsoft built RAMPART on top of PyRIT, their existing red-teaming automation framework, with a critical audience shift: PyRIT was built for security researchers auditing finished systems; RAMPART is built for engineers writing the system right now. Red team findings become RAMPART tests. Those tests run on every commit. Findings stop recurring.
Two features make RAMPART worth using over writing your own eval scripts. First, evaluators are composable — rather than a single binary signal, you can combine them with boolean logic to express nuanced safety conditions. Second, RAMPART supports statistical trials. Because LLM behavior is probabilistic, a test that passes once proves nothing. RAMPART lets you set policies like “this action must be safe in at least 80 percent of runs” and runs the scenario the number of times needed to confirm it statistically.
Cross-Prompt Injection: The Attack RAMPART Is Built to Catch #
RAMPART’s primary focus is cross-prompt injection — and if you are shipping AI agents that process external content, this should be your primary concern too. The attack pattern: your agent retrieves a document, email, ticket, or web page. That content contains a hidden instruction. The agent follows it.
The examples in production are not theoretical. An email summarization agent receives a message with a hidden instruction to forward all emails to an attacker. A customer support agent processing a ticket gets told to issue a full refund. A code review agent reading a repository README executes a script embedded in a comment. OWASP data shows prompt injection appears in over 73 percent of production AI deployments and triggers unauthorized actions in 31 percent of evaluated agent scenarios — while current detection tools catch only 23 percent of sophisticated attempts.
RAMPART lets you write parametrized tests covering this attack class, run them against your agent with every code change, and fail the build if the agent acts on injected instructions. That is exactly the discipline most AI agent development workflows are missing.
Clarity: Design for Safety Before Writing a Line of Code #
Clarity is not a testing framework. It is a structured design protocol that runs before you write any code. The premise: most AI agent safety failures are architectural — they result from design decisions made early that were never stress-tested against adversarial scenarios.
The protocol guides engineers through four stages: problem clarification, solution exploration, failure analysis (where multiple independent “thinkers” examine the system from security, human-factors, and adversarial angles), and decision tracking. Outputs are written to a .clarity-protocol/
directory in your repo as plain markdown files — committed, reviewed in pull requests, and diffed like source code. The decisions live next to the code they govern.
Clarity runs as a desktop app, a web UI, or embedded directly in a coding agent. For teams already using Claude Code or Cursor, the embedded path means running Clarity is one less context switch before starting any new agent project.
How to Get Started #
Both tools are open source. RAMPART is at microsoft/RAMPART on GitHub with full documentation at microsoft.github.io/RAMPART. Clarity lives at microsoft/clarity-agent. Microsoft’s original announcement on the Security Blog covers both in detail.
A practical starting point: run Clarity on your next agent project before writing any implementation. Add RAMPART tests covering prompt injection, data exfiltration, and behavioral regression. Wire them into CI and treat failures like failing integration tests — block the merge until they pass.
This Is Table Stakes, Not Optional #
Shipping an AI agent without safety tests is the 2026 equivalent of shipping an API without integration tests — except the AI agent also has access to your email, your cloud credentials, and your filesystem. The GuardFall research made this concrete: 10 of 11 agents could be manipulated by attacks documented in security research for decades, because the implicit assumption was that the agent would behave correctly without verification.
RAMPART and Clarity do not replace threat modeling, access scoping, or runtime monitoring. What they do is bring the same development discipline the rest of software engineering already has — test it, gate on it, fix it when it breaks — to AI agent behavior. That is a lower bar than it sounds. It is also a bar most teams are currently not clearing.