Microsoft open-sources Rampart framework

Microsoft on May 20 released RAMPART, an open-source framework for safety and security testing of AI agents, as the company pushed more of its red-teaming tooling into public developer workflows. The framework is built on top of PyRIT, Microsoft’s Python Risk Identification Toolkit for generative AI, which the company first open-sourced in February 2024. In a Microsoft Security Blog post, Ram Shankar Siva Kumar said the new tooling is aimed at systems that can retrieve records, write code and take actions across connected business software, rather than only answer questions. ### What exactly did Microsoft release? Microsoft’s May 20 post introduced two open-source tools at once: RAMPART and Clarity. The company described RAMPART as a testing framework that brings red-teaming techniques directly into the development workflow for agentic AI, while Clarity is positioned as a tool for checking software-engineering assumptions around those systems. (microsoft.com) GitHub describes RAMPART as “a pytest-native safety and security testing framework for agentic AI applications.” The repository says developers can use it to write and run tests covering adversarial attacks, benign failures and a range of harm categories, with evaluation-driven assertions that fit into Python testing patterns already used in software teams. ### How does RAMPART relate to PyRIT? PyRIT was released by Microsoft in February 2024 as an open automation framework for red-teaming generative AI systems. (microsoft.com) Microsoft said at the time the toolkit was intended to help security professionals and machine-learning engineers identify risks proactively in generative AI products. (github.com) RAMPART’s documentation says it uses PyRIT “under the hood” for large-language-model interaction, prompt normalization and conversation memory, while avoiding PyRIT-specific types in its public API. Microsoft’s concept documentation also frames RAMPART as a higher-level system for organizing attacks, probes, evaluators and execution workflows on top of the older toolkit. ### Why is Microsoft framing this around agents rather than chatbots? (microsoft.com) Microsoft’s May 20 blog post says enterprise AI systems now go beyond answering prompts and increasingly access email, customer-record systems and code-execution environments. Siva Kumar wrote that the company built the tools because AI safety needs to become “a continuous engineering discipline rather than a periodic checkpoint.” (github.com) Microsoft has been making a similar argument in its Azure AI Foundry materials. A Microsoft Learn page on the AI Red Teaming Agent says generative-AI red teaming is about simulating adversarial users to probe both content-safety and security risks, and the service supports “agentic risks” in addition to more familiar model harms. ### What does “pytest-native” change for developers? (microsoft.com) Pytest is one of the standard testing frameworks in Python software development, and Microsoft’s use of that format places safety checks inside the same test infrastructure teams use for application code. The RAMPART repository says the framework is designed to be structured and developer-friendly, with tests that can be written and run alongside existing engineering workflows. (learn.microsoft.com) The GitHub documentation shows Microsoft separating concepts such as attacks, probes and evaluators, which lets teams define an adversarial scenario, run it repeatedly and assert against the outcome. That structure is aimed at making safety tests more repeatable than one-off manual red-team exercises. ### Where does this fit in Microsoft’s broader AI safety stack? Microsoft has already integrated PyRIT-based red-teaming into Azure AI Foundry’s AI Red Teaming Agent, which the company says can automate scans, simulate probing and generate reports on model or application risk. (github.com) The new RAMPART release extends that same family of methods into an open-source package developers can run in their own engineering environments. (github.com) GitHub shows the RAMPART repository is already public, and Microsoft’s Security Blog says both RAMPART and Clarity are available now. PyRIT’s public repository also continues to receive updates, with releases listed as recently as last month, indicating Microsoft is still actively developing the underlying toolkit that RAMPART builds on. (microsoft.com) (devblogs.microsoft.com)