Cisco Releases Open-Source Spec for Agentic AI Security
Cisco is open‑sourcing a specification it uses to evaluate how AI agents behave in security workflows. The Foundry Security Spec aims to give organizations a shared, model‑agnostic framework for assessing and governing agentic AI in cybersecurity. It is published on GitHub under the CiscoDevNet org and is built to work with GitHub’s spec‑kit, which provides common development workflows for AI agents.
The idea is to turn ad‑hoc “paste‑a‑report‑and‑ask‑the‑LLM‑to‑find‑all‑the‑bugs” experimentation into a structured security evaluation system. Cisco’s senior vice president and chief security officer, Anthony Grieco, notes that frontier models can surface vulnerabilities extremely fast, but many teams still lack processes, manpower, or confidence to verify what the models claim. Foundry is meant to close that gap.
Why “Chat‑Driven” AI Falls Short in Security
Distinguished Cisco engineer Omar Santos explains that most security teams that have tried frontier LLMs for bug hunting have ended up with a “wall” of unbounded, hard‑to‑verify output. In those cases, it is difficult to tell which findings are valid, which are hallucinated, and what has been missed—and there is no clear “done” signal for the analysis.
A full agentic system like Foundry Security Spec, in contrast, wraps the model in orchestration, roles, and guardrails. Detection, prioritization, and validation are designed upfront, not improvised inside a chat window. Santos describes the difference as one between “an interesting demo” and a security evaluation system that can actually be defended in front of a CISO or auditors.
What the Spec Actually Provides
The project is published as two main artifacts plus supporting documentation. The “spec” artifact describes:
- 8 core agent roles (e.g., orchestrator, indexer, cartographer, detector).
- 5 extension roles.
- A defined finding lifecycle.
- A coordination substrate (how agents talk to each other).
- Roughly 130 functional requirements, each with inline rationale explaining why it exists.
The “constitution” artifact lists 11 principles, each derived from a real production failure that Cisco’s teams encountered, diagnosed, and fixed. Together, these artifacts form a scaffolding that turns a frontier LLM into a security evaluation system that produces:
- A bounded, prioritized, verifiable set of findings.
- A clear “done” signal tied to an operator‑defined coverage floor and an economic yield threshold.
- An auditable provenance chain from detection through triage, validation, and publication.
- Safety guardrails that assume the model may at some point “do the wrong thing” and constrain it at the system level, not just via prompts.
Cisco emphasizes that Foundry is model‑agnostic: it does not depend on specific frontier models such as Anthropic’s Mythos‑series or OpenAI’s GPT‑5.5‑Cyber‑focused variants. Teams can adopt the harness even without access to those cutting‑edge agents.
Designed to Stay Relevant
Santos stresses that the spec is built to remain useful as models evolve. Instead of tying itself to particular model parameters, it is based on functional roles and requirements. The need for an orchestrator, a detector, and a validator, he argues, will persist regardless of how the underlying “engine” changes.
This means that as organizations move from current frontier LLMs to more complex reasoning agents, the Foundry framework is intended to stay a stable, reusable harness for AI‑driven security evaluations.
How It Fits with CodeGuard
Foundry is meant to work alongside another Cisco‑backed open‑source effort, Project CodeGuard. CodeGuard is a security framework for AI‑assisted coding that embeds secure‑by‑default rules into the development workflow. It includes a community‑driven ruleset, translators for popular AI coding agents (like GitHub Copilot, Cursor, Claude Code, and others), and validators that help enforce those rules automatically.
Santos explains that CodeGuard can be used throughout the AI coding lifecycle:
- Before generation, rules help shape designs and specifications toward secure patterns.
- During generation, they guide AI agents away from insecure idioms.
- After generation, the same rules can be used in AI‑powered code review workflows.
Together, Foundry and CodeGuard form a kind of “protective shell” around AI‑based tooling: one focuses on how agents are organized and governed in security evaluations, the other focuses on how they write and review code in the first place.