Cisco open-sources agentic AI security spec
Cisco has open-sourced an internally developed specification for evaluating the security of agentic AI systems. The Foundry Security Spec is now available on GitHub and is designed to work with GitHub’s spec-kit, an open-source toolkit for spec-driven development with AI coding agents. The goal is to give customers and the broader industry a common framework for evaluating and governing AI agents used in cybersecurity.
Anthony Grieco, senior vice president and chief security officer at Cisco, stressed the collaborative nature of cybersecurity: “I’ve said this for many years: Cybersecurity is a team sport. We’ve all got to come together and work together for a better collective defense. This is one really demonstrable way where we’re trying to raise the bar for everybody and share our knowledge.” By open-sourcing Foundry, Cisco aims to give organizations access to a proven methodology that has been used internally, rather than forcing every team to reinvent the wheel.
The challenge of securing AI agents
Agentic AI systems—autonomous agents that can plan, execute, and adapt tasks—are increasingly deployed in cybersecurity to detect and respond to threats at machine speed. However, most security teams lack a robust process to verify the outputs of these agents. Frontier LLMs (large language models) such as Anthropic’s Mythos and OpenAI’s GPT-5.5-Cyber can identify vulnerabilities rapidly, but their results often mix genuine insights with hallucinated findings. Without a structured evaluation framework, teams cannot know what was missed or when the analysis is truly complete.
Omar Santos, distinguished engineer at Cisco focusing on AI security, explained the problem: “Every security team with access to a frontier LLM has tried the same thing at least once: toss a report at the model and ask it to ‘find the bugs.’ The result is usually a wall of unbounded, unverifiable output that mixes sharp insights with hallucinated findings, with no way to know what was missed or when you’re actually done.” The Foundry Security Spec is designed to be the antidote—a full agentic system that wraps the model in orchestration, roles, and guardrails so that detection, validation, and coverage are built in from the start.
What the Foundry Security Spec includes
The Foundry specification is published as two main artifacts plus supporting documents. The “spec” artifact defines eight core agent roles: orchestrator, indexer, cartographer, detector, and others, plus five extension roles. It also describes the finding lifecycle, the coordination substrate, and roughly 130 functional requirements—each with an inline rationale explaining why it exists. The “constitution” artifact includes 11 firmly defined principles, each of which encodes a real production failure that Cisco shipped, diagnosed, and fixed.
The spec is model agnostic: it defines roles and functional requirements rather than depending on any particular model or its parameters. Grieco noted: “Users don’t have to wait for Mythos or the GPT-5.5 Cyber access to make use of this harness. It’s model agnostic.” An organization can therefore apply the same harness whether it uses today’s frontier models or future reasoning agents, so the evaluation process stays consistent as the underlying models change.
According to Santos, Foundry transforms a frontier LLM from “an interesting demo against your codebase” into a security evaluation system that produces:
- A bounded, prioritized, verifiable set of findings.
- A clear “done” signal determined by an operator-defined coverage floor and an economic yield threshold.
- An auditable provenance chain from detection through triage, validation, and publication.
- Safety guardrails that constrain the model at the substrate level, not just the prompt, assuming the model will at some point try to do the wrong thing.
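The three properties above (a "done" signal from a coverage floor plus a yield threshold, a provenance chain per finding, and a guardrail enforced below the prompt) can be made concrete in a few dozen lines. The following is an added illustration written for this article, not code from the Foundry Security Spec or from Cisco. The role names (indexer, detector, validator, publisher), the claim format "kind:file:line", the thresholds, the per-round data and the index-membership check are all assumptions made for the example; a real validator would do far more than check that a file exists.

```python
"""Stopping rule and provenance chain for an agentic code-review loop.

Added illustration, not code from the Foundry Security Spec. The role names,
the claim format "kind:file:line", the thresholds and the per-round data are
all assumptions made for this example.
"""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # chain anchor for the first provenance entry


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class Finding:
    claim: str                      # "kind:file:line" (assumed format)
    provenance: list = field(default_factory=list)

    def record(self, stage: str, actor: str, note: str = "") -> None:
        """Append a hash-linked entry so later edits to any step are detectable."""
        prev = self.provenance[-1]["hash"] if self.provenance else GENESIS
        entry = {"stage": stage, "actor": actor, "note": note, "prev": prev}
        entry["hash"] = _digest(entry)
        self.provenance.append(entry)

    def chain_valid(self) -> bool:
        """Re-derive every hash and link; any tampered entry breaks the chain."""
        prev = GENESIS
        for entry in self.provenance:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


# Constructed sample data: the indexer's view of the repository, and what a
# detector returned per round as (source units examined, candidate claims, token cost).
INDEX = {"db.py", "web.py", "fetch.py"}
TOTAL_UNITS = 100
ROUNDS = [
    (40, ["sqli:db.py:12", "xss:web.py:40", "rce:ghost.py:7"], 10_000),
    (35, ["ssrf:fetch.py:88"], 10_000),
    (20, ["idor:phantom.py:3"], 10_000),
    (5, [], 10_000),
]


def validate(finding: Finding) -> bool:
    """Substrate-level guardrail: a claim whose file is not in the index cannot be
    real, whatever the model says about it. The check does not rely on the prompt."""
    _kind, path, _line = finding.claim.split(":")
    return path in INDEX


def run_evaluation(rounds=ROUNDS, coverage_floor=0.9, yield_threshold=0.5):
    """Run detection rounds until coverage >= floor AND the last round's economic
    yield (validated findings per 10k tokens) falls below the threshold."""
    examined = 0
    published, rejected = [], []
    rounds_run = 0
    for units, claims, cost in rounds:
        rounds_run += 1
        examined += units
        validated_this_round = 0
        for claim in claims:
            f = Finding(claim)
            f.record("detected", "detector", f"round {rounds_run}")
            f.record("triaged", "orchestrator")
            if validate(f):
                f.record("validated", "validator", "location exists in index")
                f.record("published", "publisher")
                published.append(f)
                validated_this_round += 1
            else:
                f.record("rejected", "validator", "location not in index")
                rejected.append(f)
        coverage = examined / TOTAL_UNITS
        yield_per_10k = validated_this_round / (cost / 10_000)
        if coverage >= coverage_floor and yield_per_10k < yield_threshold:
            break  # the operator-defined "done" signal
    return {
        "rounds_run": rounds_run,
        "coverage": examined / TOTAL_UNITS,
        "published": published,
        "rejected": rejected,
    }


if __name__ == "__main__":
    result = run_evaluation()
    print(f"stopped after {result['rounds_run']} rounds at coverage {result['coverage']:.2f}")
    for f in result["published"]:
        print("published:", f.claim, "chain ok:", f.chain_valid())
```

With the constructed data the loop stops after the third round: coverage has reached 0.95 and that round produced no validated findings, so continuing would spend tokens for no expected yield. The two claims pointing at files the indexer never saw are rejected before publication, and each finding carries a hash chain that an auditor can re-verify without trusting the agent that wrote it.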
Integration with Project CodeGuard
The Foundry specification works hand-in-hand with another Cisco-contributed open-source technology called CodeGuard. Project CodeGuard is a security framework that builds secure-by-default rules into AI coding workflows. It offers a community-driven ruleset, translators for popular AI coding agents (such as Cursor, GitHub Copilot, Codex, Windsurf, and Claude Code), and validators to help teams enforce security automatically. CodeGuard integrates across the entire AI coding lifecycle: before code generation, rules steer models toward secure patterns; during generation, they prevent security issues; and after generation, they enable automated code review.
The combination of Foundry and CodeGuard provides a comprehensive approach to AI security. Foundry evaluates the agent’s output at a higher level—ensuring that the detection and validation process is rigorous—while CodeGuard enforces security rules at the code level. Together, they address the two fundamental challenges of using AI in cybersecurity: verifying that the AI’s findings are correct and ensuring that the AI itself does not introduce new vulnerabilities.
Why open-sourcing matters
By releasing Foundry under an open-source license, Cisco is contributing to a growing movement toward shared security standards in the AI industry. Because the spec is built for GitHub’s spec-kit, teams that already use spec-driven workflows for their AI agents can adopt Foundry without adding a new toolchain.
The open-source nature also invites community contributions. Santos wrote that the spec is “designed not to be” obsolete as LLMs evolve: “Foundry Security Spec is built on functional requirements and roles, not specific model parameters. Whether you are using today’s frontier models or the more complex reasoning agents of tomorrow, the need for an orchestrator, a detector, and a validator will remain constant.” This forward-looking design ensures that the spec remains relevant as AI capabilities advance.
Broader implications for the industry
The release of Foundry comes at a time when enterprise adoption of agentic AI is accelerating. According to industry reports, the global market for AI in cybersecurity is expected to exceed $60 billion by 2028, with agentic systems playing a central role. However, the lack of standardized evaluation frameworks has been a significant barrier to trust and adoption. Cisco’s contribution addresses this gap by providing a proven methodology that can be adopted across organizations of all sizes.
Grieco emphasized that the spec is not just for large enterprises: “Every security team with access to a frontier LLM can benefit from Foundry. It gives them a way to defend their evaluations in front of their CISO and their auditors.” This is particularly important as regulatory scrutiny of AI-based security tools increases. The European Union’s AI Act and similar legislation in other regions require that AI systems used in critical infrastructure be transparent and auditable. Foundry’s provenance chain and documented functional requirements help organizations meet these compliance demands.
In addition, the spec encourages a cultural shift in how security teams approach AI evaluation. Instead of treating LLMs as black boxes that produce unreliable outputs, teams can adopt a structured, role-based approach that mirrors traditional software development practices. The orchestrator role, for example, is responsible for managing the entire evaluation workflow, while the detector role focuses on identifying specific vulnerability patterns. This division of labor reduces cognitive load and improves consistency.
Cisco’s move also highlights the importance of community-driven standards in the cybersecurity industry. Past efforts such as the MITRE ATT&CK framework and the OWASP Top 10 have shown that open, collaborative specifications can dramatically improve security posture across the board. Foundry follows in that tradition, providing a common language for discussing and implementing agentic AI security.
Looking ahead, the success of Foundry will depend on its adoption by both vendors and end users. Cisco has already committed to using the spec internally and is encouraging partners and customers to contribute to its evolution. The GitHub repository includes detailed documentation, examples, and contribution guidelines to lower the barrier to entry. As more organizations adopt agentic AI for security, the need for a unified evaluation framework will only grow. Foundry provides a solid foundation for that effort, combining Cisco’s deep expertise in networking and security with the transparency and flexibility of open source.
Source: Network World News