Meet Rampart and Clarity, Microsoft’s new red team combo AI agents

On Wednesday, Microsoft released two new red teaming tools—Rampart and Clarity—,meant to help developers design more secure agentic software and assist incident responders in the face of ongoing breaches.

Rampart is built on top of PyRIT, an existing open automation framework Microsoft developed for red teaming generative AI systems. But while PyRIT scans already-built systems for security flaws, Rampart is made to continuously test code for vulnerabilities during the development process, encoding both adversarial and benign testing scenarios into the software development pipeline to flag exploitable bugs and dependencies.

Microsoft said Rampart was built to focus on cross-prompt injection attacks, where “an agent retrieves or processes potentially poisoned content from documents, emails, tickets, and other data sources that manipulate behavior indirectly.” It also confirms fixes or exploits work as intended through multiple rounds of testing, as opposed to tools that perform “single shot validation.”

The second tool, Clarity, can be run as a desktop app, a web interface or directly embedded into a coding agent to provide real time security engineering guidance to developers at the outset of a project. It can categorize and track different business objectives related to the code and highlight downstream security implications along with more secure by design alternatives.

Ram Shankar Siva Kumar, who founded Microsoft’s AI red team in 2019, told CyberScoop that the company has seen internal security benefits from using the tools, but believesRampart and Clarity’s growth depends on contributions from other developers outside the Microsoft ecosystem.

In the fast-moving world of AI, where vibe coding, rogue AI agents and a steady churn of new model releases create fresh security implications nearly every week, Siva Kumar said it was important to begin building foundational, AI-centric security processes into the software development pipeline.

“When you hear a lot of talk about AI safety and security, it seems to be a lot of philosophical debates,” he said. “You’ll see frameworks, you’ll see white papers, and I think we’re really past that time, now. We really need to start thinking of AI safety as an engineering discipline and trying to bring security where the developers are.”

Rampart’s potential utility to defenders goes beyond just securing software development pipelines. It can also be used during an active incident response to speed up or automate red teaming for hot fixes, patching and remediation.

Microsoft has used Rampart when investigating reported vulnerabilities in their own products. Siva Kumar said the tool was able to help condense a week’s worth of manual work-  replicating the vulnerability, identifying different variants of the same bug, then patching and re-testing those variants to ensure they’re no longer exploitable – into hours.Clarity, meanwhile, acts as a security adviser for software projects, prompting developers to consider potential risks in their design decisions and their downstream security consequences. . With the rise of AI-generated code and agents, and execution becoming cheaper, this kind of proactive guidance is increasingly important.

“You’re going to be able to create apps, create MCP servers to pull things out from the internet,” said Siva Kumar. “The question is should you be doing it? and Clarity is a step in that direction. It is asking ‘hey, should you be doing this in the first place?’”