Cisco open-sources agentic AI security spec
Network World [Unofficial]
May 13, 2026
Cisco has turned over an internally developed specification for agentic AI security evaluation to the GitHub open-source community.
The Foundry Security Spec is meant to be used with GitHub’s spec-kit, which is an industry-wide set of development workflows that can be used with different AI agents. The idea is to help customers and the industry create a common framework for evaluating and governing AI agents used in cybersecurity, according to Anthony Grieco, senior vice president and chief security officer at Cisco.
“I’ve said this for many years: Cybersecurity is a team sport,” Grieco said in a prerecorded video about the news. “We’ve all got to come together and work together for a better collective defense. This is one really demonstrable way where we’re trying to raise the bar for everybody and share our knowledge, through this. And so giving folks access to this felt really important.”
While frontier models identify vulnerabilities at machine speed, most security teams haven’t built a great process or don’t have enough manpower to verify the findings, and that’s where Foundry comes in, Grieco said.
“Every security team with access to a frontier LLM has tried the same thing at least once: toss a report at the model and ask it to ‘find the bugs.’ The result is usually a wall of unbounded, unverifiable output that mixes sharp insights with hallucinated findings, with no way to know what was missed or when you’re actually done,” wrote Omar Santos, a distinguished engineer at Cisco focusing on AI security, cybersecurity research, incident response, and vulnerability disclosure, in a blog post about Foundry.
“A full agentic system like Foundry Security Spec is the antidote to that chaos: it wraps the model in orchestration, roles, and guardrails so that detection, validation, and coverage are designed up front instead of improvised in a chat window. The difference is stark—one is an interesting demo; the other is a security evaluation system you can defend in front of your CISO and your auditors,” Santos wrote.
“It’s really also important to note, users don’t have to wait for Mythos or the GPT-5.5 Cyber access to make use of this [protective software infrastructure surrounding an AI model] harness. It’s model agnostic,” Grieco said.
According to Santos, Foundry Security Spec is the scaffolding that turns a frontier LLM from “an interesting demo against your codebase” into a security evaluation system that produces:
* A bounded, prioritized, verifiable set of findings.
* A clear “done” signal and the conjunction of an operator-defined coverage floor and an economic yield threshold.
* An auditable provenance chain from detection through triage, validation, and publication.
* Safety guardrails that assume the model will, at some point, try to do the wrong thing; and constrain it at the substrate, not the prompt.
Foundry is published as two main artifacts and a set of supporting documents. The “spec” artifact includes eight core agent roles, such as orchestrator, indexer, cartographer, and detector; five extension roles; the finding lifecycle; the coordination substrate; and roughly 130 functional requirements, each with an inline rationale explaining why it exists, according to Grieco. The “constitution” artifact includes 11 firmly defined principles, each of which encodes a real production failure we shipped, diagnosed, and fixed, Grieco stated.
A common question is whether this spec will become obsolete as LLMs evolve, Santos noted. “The answer is it was designed not to be,” he wrote. “Foundry Security Spec is built on functional requirements and roles, not specific model parameters. Whether you are using today’s frontier models or the more complex reasoning agents of tomorrow, the need for an orchestrator, a detector, and a validator will remain constant. The spec is designed to be the stable harness that keeps your security evaluation consistent, regardless of the ‘engine’ under the hood.”
The Foundry specification works hand-in-hand with another Cisco-contributed open-source technology, CodeGuard. Project CodeGuard is a security framework that builds secure-by-default rules into AI coding workflows, according to Cisco. It offers a community-driven ruleset, translators for popular AI coding agents, and validators to help teams enforce security automatically.
“Project CodeGuard is designed to integrate seamlessly across the entire AI coding lifecycle. Before code generation, rules can be used for the design of a product and for spec-driven development. Customers can use the rules in the “planning phase” of an AI coding agent to steer models toward secure patterns from the start. During code generation, rules can help AI agents to prevent security issues as code is being written. After code generation, AI agents like Cursor, GitHub Copilot, Codex, Windsurf, and Claude Code can use the rules for code review,” Santos wrote in a 2025 blog post when the project was introduced.