Why it matters for testing
Microsoft's open-source RAMPART framework lets QA teams write safety and security tests for AI agents using standard pytest syntax — and gate those tests in CI/CD just like any other integration test. This closes the gap between how teams test traditional software and how they (mostly don't) test the AI agents now embedded in their products.
Intro
You've got a rigorous test suite. Unit tests, integration tests, maybe even some contract tests. But somewhere in your pipeline, an AI agent is making decisions — routing requests, generating code, calling APIs, interacting with users — and the odds are high that none of those behaviors have a corresponding test.
That's the problem Microsoft's AI Red Team set out to fix with RAMPART, open-sourced on May 20, 2026.
The AI development/news
RAMPART (Risk Assessment and Measurement Platform for Agentic Red Teaming) is a pytest-native framework for safety and security testing of agentic AI applications. Built on Microsoft's internal PyRIT toolkit — the same tools Microsoft uses to red-team its own AI systems before shipping — RAMPART is now publicly available on GitHub and ready to integrate into existing CI pipelines.
The framework was released alongside a companion tool called Clarity, which helps teams design agent architectures with safety boundaries built in from the start. Together, they represent Microsoft's push to make AI safety engineering a first-class development practice rather than a post-launch audit.
RAMPART works by letting developers write standard pytest test cases that simulate adversarial and edge-case scenarios against an AI agent: prompt injection attacks, out-of-scope tool use, behavioral drift under adversarial input, and a broad catalog of harm categories. Each test connects to the agent through a thin adapter, runs the scenario, and evaluates observable outcomes with pass/fail assertions that CI can act on.
Current testing landscape
Testing AI agents today is mostly ad hoc. Teams run manual red-teaming exercises occasionally, rely on human evaluation for agent behavior, or use bespoke eval scripts that live outside the main test suite and rarely get updated. The challenge is fundamental: traditional test assertions check for deterministic outputs, but AI agents are probabilistic — the same input can produce different outputs across runs.
This probabilistic nature has caused most teams to skip structured safety testing entirely. A 2026 benchmark across 37 commercial LLMs found hallucination rates between 15% and 52% in live conditions. Despite this, most engineering teams shipping LLM features are testing them less rigorously than they test their login forms.
The impact
RAMPART directly addresses three things that have made agentic safety testing hard to operationalize:
The pytest integration. By using pytest as its foundation, RAMPART slots into existing CI pipelines, test runners, and reporting tooling without requiring new infrastructure. Teams that already run pytest in GitHub Actions or Jenkins can add RAMPART test files the same way they add any other test module.
Statistical trial support. Rather than forcing a single-run pass/fail decision on probabilistic outputs, RAMPART lets teams set policies like "this action must be safe in at least 80% of runs." It runs multiple trials and evaluates the aggregate, which is the correct approach for stochastic systems.
Structured threat model coverage. RAMPART ships with a catalog of test scenarios covering adversarial attacks (prompt injection, jailbreaks), benign failures (off-topic responses, tool misuse), and harm categories. Teams start with the catalog and extend it with scenarios drawn from their own threat models.
Practical applications
For QA teams, RAMPART opens several concrete testing paths that were previously friction-heavy or absent:
Prompt injection regression tests. Write a test that sends a crafted user message designed to override agent instructions, then assert the agent doesn't comply. Gate this in CI so any prompt change that weakens the guardrail breaks the build.
Tool use boundary enforcement. If your agent has access to a file system tool but should only read from specific directories, write a test that attempts an out-of-scope write and assert the agent refuses. This is the agentic equivalent of authorization testing.
Behavioral consistency across releases. Run the RAMPART suite against each new model version or prompt revision. Any safety regression shows up as a failing test before it reaches production.
Adversarial user simulation. RAMPART's integration with PyRIT means teams can run automated red-team scenarios at scale — hundreds of adversarial prompt variations — rather than relying on humans to think of edge cases manually.
Tools/frameworks to watch
- RAMPART — github.com/microsoft/RAMPART — pytest-native AI agent safety testing
- Clarity — Released alongside RAMPART; helps design agent architectures with safety constraints baked in
- PyRIT — Microsoft's Python Risk Identification Toolkit, the underlying engine RAMPART builds on
- Langfuse — Open-source LLM observability platform; pairs well with RAMPART by linking production traces to the exact prompt versions that generated them
- jcode — Emerging GitHub-trending framework specifically for testing code-generating AI agents
Conclusion
The release of RAMPART signals a maturation in how the industry thinks about AI quality assurance. Safety testing for AI agents is no longer a research exercise or a compliance checkbox — it's a software engineering practice with the same tooling expectations as any other test discipline.
For QA professionals, this is both a responsibility shift and an opportunity. The teams that build structured, CI-gated safety test suites for their AI agents now will be the ones who can confidently ship agentic features later. RAMPART gives you the framework. The threat model is yours to define.
References
- Introducing RAMPART and Clarity: Open source tools to bring safety into Agent development workflow — Microsoft Security Blog
- GitHub: microsoft/RAMPART
- Microsoft Open-Sources RAMPART and Clarity to Secure AI Agents During Development — The Hacker News
- RAMPART: CI Safety for Agentic AI — DevOps.com
- AI & LLM App Testing 2026: Tools, Evaluation, Compliance — Vervali
- QA Trends for 2026: AI, Agents, and the Future of Testing — Tricentis