
Cisco open-sources agentic AI security spec

May 24, 2026  Twila Rosenbaum  12 views

Cisco has open-sourced its internally developed Foundry Security Spec for agentic AI security evaluation. The specification is now available on GitHub as part of the spec-kit ecosystem, which provides development workflows for AI agents. The move aims to help customers and the broader industry establish a common framework for evaluating and governing AI agents used in cybersecurity.

The Foundry Security Spec is designed to address a critical gap in AI security: while frontier large language models can identify vulnerabilities at machine speed, most security teams lack efficient processes or sufficient manpower to verify those findings. Anthony Grieco, senior vice president and chief security officer at Cisco, emphasized the collaborative nature of cybersecurity: “Cybersecurity is a team sport. We’ve all got to come together and work together for a better collective defense. This is one really demonstrable way where we’re trying to raise the bar for everybody and share our knowledge, through this.”

Omar Santos, a distinguished engineer at Cisco focusing on AI security, noted that many teams have attempted to use LLMs for vulnerability detection but often end up with unverifiable outputs mixed with hallucinations. “A full agentic system like Foundry Security Spec is the antidote to that chaos: it wraps the model in orchestration, roles, and guardrails so that detection, validation, and coverage are designed up front instead of improvised in a chat window,” Santos wrote in a blog post. He contrasted this with a simple demo, stating that Foundry produces a security evaluation system defensible before a CISO and auditors.

The Foundry Security Spec is model-agnostic, meaning it works with various frontier models including Anthropic’s Mythos and OpenAI’s GPT-5.5-Cyber. Grieco highlighted that users don't need to wait for specific model access to benefit from the spec. The specification publishes two main artifacts: a spec artifact and a constitution artifact. The spec artifact includes eight core agent roles—orchestrator, indexer, cartographer, detector, triager, validator, reporter, and monitor—plus five extension roles. It also defines the finding lifecycle, coordination substrate, and roughly 130 functional requirements, each with an inline rationale explaining its purpose. The constitution artifact contains 11 firmly defined principles, each encoding a real production failure that was shipped, diagnosed, and fixed.

The roles are designed to work together seamlessly. The orchestrator manages the overall evaluation workflow, the indexer prepares codebases for analysis, the cartographer maps dependencies and attack surfaces, the detector scans for vulnerabilities, the triager prioritizes findings, the validator confirms or rejects detections, the reporter generates auditable outputs, and the monitor ensures safety guardrails are maintained. The spec emphasizes a bounded, prioritized, and verifiable set of findings, a clear “done” signal based on coverage floor and economic yield threshold, and an auditable provenance chain from detection through publication.

Safety is a core component. The guardrails assume that the model will at some point attempt to do the wrong thing, so constraints are applied at the substrate level rather than relying solely on prompt engineering. This substrate approach includes runtime monitoring, sandboxing, and permission boundaries that prevent the AI agent from executing unauthorized actions. The spec’s functional requirements cover areas such as input validation, output filtering, resource limits, and logging.
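As an added illustration (not code from Cisco's spec or from the article), the following Python model sketches the lifecycle described above: a substrate-level permission boundary on role actions, a validator gate before the reporter, a hash-chained provenance log, and a coverage-floor plus yield-threshold "done" signal. The data shapes, the monitor's denial logging and the exact form of the thresholds are assumptions.

```python
"""Toy model of a Foundry-style finding lifecycle. Added illustration, not
Cisco's Foundry Security Spec code; shapes and thresholds are assumed."""
from dataclasses import dataclass, field
import hashlib

# Substrate-level permission boundary: which actions each role may perform.
ALLOWED = {"detector": {"detect"}, "validator": {"validate", "reject"},
           "reporter": {"report"}}
NEXT_STATUS = {"detect": "detected", "validate": "validated",
               "reject": "rejected", "report": "reported"}

def _link(prev: str, role: str, action: str) -> str:
    return hashlib.sha256(f"{prev}|{role}|{action}".encode()).hexdigest()[:16]

@dataclass
class Finding:
    path: str
    rule: str
    status: str = "new"
    provenance: list = field(default_factory=list)  # (role, action, chain hash)

    def record(self, role: str, action: str) -> None:
        prev = self.provenance[-1][2] if self.provenance else ""
        self.provenance.append((role, action, _link(prev, role, action)))

def act(finding: Finding, role: str, action: str) -> bool:
    """Apply a role action; denials are logged by the monitor and return False."""
    if action not in ALLOWED.get(role, set()):
        finding.record("monitor", f"denied {role}:{action}")
        return False
    if action == "report" and finding.status != "validated":
        finding.record("monitor", "blocked report of unvalidated finding")
        return False
    finding.record(role, action)
    finding.status = NEXT_STATUS[action]
    return True

def verify_chain(finding: Finding) -> bool:
    """Recompute the hash chain; any edited provenance entry breaks it."""
    prev = ""
    for role, action, digest in finding.provenance:
        if digest != _link(prev, role, action):
            return False
        prev = digest
    return True

def done(covered: int, total: int, validated: int, validator_runs: int,
         coverage_floor: float = 0.9, yield_threshold: float = 0.1) -> bool:
    """'Done' once the coverage floor is met and validation yield has dropped
    below the economic threshold (assumed form of the spec's done signal)."""
    recent_yield = validated / validator_runs if validator_runs else 1.0
    return covered / total >= coverage_floor and recent_yield < yield_threshold
```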

Santos also addressed concerns about obsolescence: “Foundry Security Spec is built on functional requirements and roles, not specific model parameters. Whether you are using today’s frontier models or the more complex reasoning agents of tomorrow, the need for an orchestrator, a detector, and a validator will remain constant. The spec is designed to be the stable harness that keeps your security evaluation consistent, regardless of the ‘engine’ under the hood.”

The Foundry specification works in conjunction with another Cisco-contributed open-source technology called Project CodeGuard. CodeGuard is a security framework that builds secure-by-default rules into AI coding workflows. It offers a community-driven ruleset, translators for popular AI coding agents such as Cursor, GitHub Copilot, Codex, Windsurf, and Claude Code, and validators to help teams enforce security automatically. CodeGuard integrates across the entire AI coding lifecycle: before code generation, during the planning phase, during code generation, and after code generation for code review. Together, Foundry and CodeGuard provide a comprehensive approach to AI security—Foundry for the evaluation and governance of agents, and CodeGuard for embedding security into the development process itself.

The open-source release of Foundry Security Spec is part of Cisco’s broader strategy to drive industry standards in AI security. Cisco has been investing heavily in AI-related products and acquisitions, including the recent purchase of Astrix to secure AI agents. The company’s vision is to create an ecosystem where security tools and practices become more consistent, verifiable, and auditable. This release reflects Cisco’s commitment to raising the bar for collective defense and sharing knowledge across the industry.

Agentic AI refers to systems that can autonomously plan and execute tasks, such as scanning code for vulnerabilities, patching systems, or responding to incidents. However, without proper evaluation and governance, these agents can introduce risks, including false positives, missed detections, and unintended actions. The Foundry spec provides a structured methodology to ensure agentic systems operate within defined boundaries, produce verifiable results, and maintain audit trails.

The spec is already being tested internally at Cisco and has been used in trials with select customers. Early feedback indicates that it helps teams move from ad hoc AI experiments to production-ready security evaluations. The open-source nature of the spec allows any organization to adopt, modify, and contribute to it, fostering a collaborative development cycle.

In summary, Cisco’s move to open-source the Foundry Security Spec marks a significant step toward standardizing the evaluation of agentic AI in cybersecurity. By providing a model-agnostic framework with clear roles, requirements, and guardrails, Cisco aims to enable security teams to harness the power of frontier LLMs while maintaining control and verifiability. The integration with Project CodeGuard further extends the reach to AI coding workflows, creating a holistic security posture for AI-driven development and operations.


Source: Network World News

