Testing Tools

Microsoft RAMPART: The Open-Source Framework That Brings Red-Team Safety Testing Into Your CI/CD Pipeline

Why it matters for testing

Microsoft's open-source RAMPART framework makes safety and security testing of agentic AI a first-class citizen in CI/CD — not a post-hoc audit. For QA engineers, this means prompt injection attacks, unsafe tool use, and behavioral boundary violations can now be caught in the same pipeline as functional regressions.


Intro

You're running an agentic AI system in production. It reasons, it calls tools, it takes actions on behalf of users. Your functional tests pass. But what about the time a crafted prompt tricks it into deleting files it shouldn't touch? Or when it silently steps outside its approved behavioral boundaries?

Traditional testing has no answer for this. Microsoft's newly open-sourced RAMPART does.

The AI development/news

On May 20, 2026, Microsoft's AI Red Team — the internal unit that stress-tests all of Microsoft's AI products — open-sourced RAMPART (Risk Assessment and Measurement Platform for Agentic Red Teaming) alongside a companion tool called Clarity.

RAMPART is a pytest-native safety and security testing framework built on top of Microsoft's existing PyRIT toolkit. It lets engineering teams embed automated red-team tests directly into their CI/CD pipelines, simulating real-world attack scenarios — prompt injection, privilege escalation, unsafe tool invocation — and verifying that agents stay within their approved behavioral envelopes.

Clarity is a design-time companion: a structured review tool that acts as a "living artifact," documenting an agent's intent, risks, and expected behaviors before code is written, keeping safety specs in sync with the evolving system.

Both tools have been used internally at Microsoft across production AI agent deployments before being released to the public.

Current testing landscape

Right now, most teams testing AI agents fall back on one of three approaches:

  1. Functional end-to-end tests — verify the agent returns the right answer for known inputs, but say nothing about adversarial robustness.
  2. Manual red-teaming — security researchers probe the system after it's built, generating findings that are expensive and slow to feed back into development.
  3. Eval harnesses — evaluate output quality at a point in time, but aren't integrated into every merge or build.

None of these run automatically on every code push. None catch a regression the moment a new model version or a prompt-template change subtly widens the agent's attack surface. The feedback loop is measured in weeks, not minutes.

The impact

RAMPART closes that loop. Because it's pytest-native, it slots directly into any CI/CD pipeline that already runs Python tests — no new tooling category to evaluate, no custom integration to build.

The key shift is probabilistic pass/fail thresholds. Because LLMs are non-deterministic, a single-run assertion ("did the agent refuse this prompt?") is too fragile. RAMPART lets teams write policies like "this action must be safe in at least 80% of runs across N trials" — a statistically meaningful safety gate that respects the nature of the underlying models.

Teams write tests against their own threat model: each test connects to the agent via a thin adapter, orchestrates an interaction, and evaluates observable outcomes. This means safety tests live in the same repo, are version-controlled alongside application code, and are owned by the engineers building the system — not handed off to a separate security team months later.

Practical applications

For teams building AI agents today:

  • Prompt injection suites: Write RAMPART tests covering every external data source your agent consumes (emails, documents, web pages) as potential injection vectors. Gate merges on a minimum safe-response rate.
  • Tool-use boundary tests: Assert that the agent never invokes restricted tools (e.g., file deletion, external network calls) when it shouldn't — even under adversarial prompting.
  • Regression detection: When you upgrade the underlying LLM or change your system prompt, run the full RAMPART suite to detect behavioral drift before it reaches production.
  • Compliance documentation: RAMPART's structured test output and Clarity's design artifacts together form an audit trail — useful for teams operating under AI governance frameworks like the EU AI Act.

Tools/frameworks to watch

  • RAMPART — the framework itself; pytest-native, open source, MIT licensed.
  • Clarity — RAMPART's design-time companion for documenting agent intent and risk.
  • PyRIT — Microsoft's underlying open-source red-teaming toolkit that RAMPART builds on.
  • Playwright MCP — for browser-based agent testing, pairs well with RAMPART for end-to-end agentic test coverage.
  • QA Wolf — for natural-language-driven test generation in Playwright, complements safety-focused RAMPART tests with functional coverage.

Conclusion

The shift RAMPART represents is significant: safety testing for AI agents moves from a quarterly red-team exercise into continuous, developer-owned, pipeline-gated practice. As agentic systems proliferate — in dev tooling, customer service, internal automation — this kind of early, automated, probabilistic safety verification will become as standard as a linting step. QA engineers who learn to write and maintain RAMPART test suites now are positioning themselves at the intersection of two of the fastest-growing disciplines in software: agentic AI and adversarial testing.

The question isn't whether your AI agent needs this kind of testing. It's whether you catch the failure in CI or in production.

References

Latest from the blog

See all →