Cisco has taken a significant step toward standardizing the evaluation of agentic artificial intelligence (AI) in cybersecurity by releasing its internally developed Foundry Security Spec to the open-source community via GitHub. The specification, created by Cisco's security team, is designed to work with GitHub's spec-kit, an industry-standard set of development workflows that can be used with various AI agents. The goal is to help organizations and the broader industry establish a common framework for evaluating and governing AI agents used in cybersecurity operations.
Anthony Grieco, senior vice president and chief security officer at Cisco, emphasized the collaborative nature of cybersecurity. In a prerecorded statement, he noted, “Cybersecurity is a team sport. We’ve all got to come together and work together for a better collective defense. This is one really demonstrable way where we’re trying to raise the bar for everybody and share our knowledge, through this. And so giving folks access to this felt really important.” His remarks underscore the industry’s growing realization that siloed approaches to AI security are no longer sustainable.
The Foundry Security Spec addresses a critical pain point: while frontier large language models (LLMs) such as Anthropic's Mythos and OpenAI's GPT-5.5-Cyber can identify vulnerabilities at machine speed, most security teams lack the processes and manpower to verify the findings. The result is often a flood of unverified outputs mixed with hallucinations. Omar Santos, a distinguished engineer at Cisco focusing on AI security, explained that “every security team with access to a frontier LLM has tried the same thing at least once: toss a report at the model and ask it to ‘find the bugs.’ The outcome is a wall of unbounded, unverifiable output that mixes sharp insights with hallucinated findings, with no way to know what was missed or when you’re actually done.”
Foundry changes that by wrapping the LLM in a structured system of orchestration, roles, and guardrails. Santos described it as “the antidote to that chaos” because it ensures that detection, validation, and coverage are designed up front rather than improvised in a chat window. The specification produces a bounded, prioritized, and verifiable set of findings, a clear “done” signal based on operator-defined coverage and economic yield thresholds, an auditable provenance chain from detection through publication, and safety guardrails that constrain the model at the substrate level, not just the prompt.
The Foundry Security Spec is published as two main artifacts. The “spec” artifact includes eight core agent roles—orchestrator, indexer, cartographer, detector, and others—five extension roles, a finding lifecycle definition, the coordination substrate, and roughly 130 functional requirements, each with an inline rationale. The “constitution” artifact contains 11 firmly defined principles, each encoding a real production failure that Cisco experienced, diagnosed, and fixed. Importantly, the spec is model agnostic, meaning organizations don’t need to wait for access to the latest frontier models to use it.
The specification is designed to remain relevant as LLMs evolve. Santos noted that it is built on functional requirements and roles, not specific model parameters. “Whether you are using today’s frontier models or the more complex reasoning agents of tomorrow, the need for an orchestrator, a detector, and a validator will remain constant. The spec is designed to be the stable harness that keeps your security evaluation consistent, regardless of the ‘engine’ under the hood.” This forward-looking design makes Foundry a potential foundation for long-term industry standards.
Foundry Security Spec also works hand-in-hand with another Cisco open-source project, CodeGuard. CodeGuard is a security framework that builds secure-by-default rules into AI coding workflows. It offers a community-driven ruleset, translators for popular AI coding agents like Cursor, GitHub Copilot, and Claude Code, and validators to enforce security automatically. CodeGuard integrates across the entire AI coding lifecycle, from planning and spec-driven development to code generation and review. Together, Foundry and CodeGuard provide a comprehensive approach to AI security in both development and evaluation phases.
The release of Foundry comes at a time when agentic AI—AI systems that can autonomously plan and execute actions—is rapidly being adopted across industries. These agents introduce new security challenges because they can interact with systems, modify code, and make decisions without human oversight. Traditional security evaluation methods, often manual and ad hoc, are insufficient for the speed and complexity of modern AI agents. A standardized framework like Foundry can help organizations assess whether an AI agent is safe to deploy, how it handles edge cases, and whether it produces reliable results.
Cisco’s move to open-source the spec is also a strategic play to influence industry standards. By providing a mature, battle-tested framework developed internally, Cisco positions itself as a leader in AI security governance. Other vendors and enterprises can adopt, modify, and contribute to the spec, fostering a collaborative ecosystem. This approach mirrors successful open-source security projects like the Open Web Application Security Project (OWASP) and the MITRE ATT&CK framework, which have become de facto standards through community adoption.
In practice, the Foundry spec defines how an AI agent should be orchestrated to perform security tasks like vulnerability detection, triage, and validation. For example, the orchestrator role coordinates the workflow, the indexer preprocesses codebases or reports, the cartographer maps the attack surface, and the detector uses the LLM to find potential issues. Each role has clear responsibilities and interfaces, and the finding lifecycle ensures that every detection is tracked from initial report to verified publication. The safety guardrails prevent the agent from performing harmful actions, such as executing risky commands or accessing sensitive data without authorization.
The spec also emphasizes auditability. Every step in the evaluation process is logged, creating a provenance chain that can be reviewed by auditors and CISOs. This is critical for regulated industries like finance and healthcare, where AI decisions must be explainable and defensible. The “done” signal—based on coverage thresholds and economic yield—provides a clear endpoint, preventing the analysis from running indefinitely or producing false positives.
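To make the finding lifecycle, the provenance chain, and the operator-defined “done” signal described above concrete, here is an added illustration in Python; it is not code from Cisco's Foundry spec. The stage names, the severity scale, the hash-chained log, the constructed detector output, and the coverage/yield stop rule are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from hashlib import sha256
import json

@dataclass
class Finding:
    fid: str
    summary: str
    severity: int                                   # assumed scale: 1 low .. 4 critical
    stage: str = "new"
    provenance: list = field(default_factory=list)  # hash-chained lifecycle log

    def advance(self, role: str, new_stage: str, note: str) -> None:
        # Each entry commits to the previous entry's hash, so later edits are detectable.
        prev = self.provenance[-1]["hash"] if self.provenance else "genesis"
        entry = {"role": role, "from": self.stage, "to": new_stage, "note": note, "prev": prev}
        entry["hash"] = sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.provenance.append(entry)
        self.stage = new_stage

def chain_intact(f: Finding) -> bool:
    """Recompute every hash and link; False if any entry was altered or reordered."""
    prev = "genesis"
    for e in f.provenance:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or e["hash"] != sha256(json.dumps(body, sort_keys=True).encode()).hexdigest():
            return False
        prev = e["hash"]
    return True

# Constructed detector output: (id, summary, severity, can the validator reproduce it?)
RAW = [
    ("F-1", "open redirect in login handler", 3, True),
    ("F-2", "hard-coded credential in config loader", 4, True),
    ("F-3", "overflow in parse_hdr(), a function that does not exist in the tree", 4, False),
]

def run_pipeline(raw=RAW):
    """Detector -> validator -> publisher; returns (published ids by severity, rejected ids)."""
    published, rejected = [], []
    for fid, summary, sev, reproducible in raw:
        f = Finding(fid, summary, sev)
        f.advance("detector", "detected", "candidate emitted by the LLM detector")
        if reproducible:
            f.advance("validator", "validated", "reproduced against the indexed codebase")
            f.advance("publisher", "published", "released to the operator queue")
            published.append(f)
        else:
            f.advance("validator", "rejected", "could not reproduce; treated as hallucination")
            rejected.append(f)
    return [p.fid for p in sorted(published, key=lambda x: -x.severity)], [r.fid for r in rejected]

def done_signal(units_covered: int, units_total: int, recent_batches, coverage_min=0.9, yield_min=0.05) -> bool:
    """Assumed stop rule: enough of the surface is covered AND recent validated yield has dried up."""
    examined = sum(n for n, _ in recent_batches) or 1
    return units_covered / units_total >= coverage_min and sum(v for _, v in recent_batches) / examined < yield_min
```

Each `recent_batches` entry is (units examined, findings that survived validation); the run stops only once coverage is high and new validated findings per unit fall below the operator's yield floor, which is the bounded endpoint the article describes.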
Cisco is not the only company working on AI security evaluation frameworks. Rivals like Microsoft and Google have also published guidelines for responsible AI, and startups like Protect AI and Robust Intelligence offer commercial tools. However, Cisco’s open-source approach with a detailed spec and constitution sets it apart. By publishing the spec on GitHub and integrating with spec-kit, Cisco makes it easy for developers and security professionals to incorporate Foundry into their existing workflows without vendor lock-in.
The timing of the release is also noteworthy. AI agents are being embedded into security operations centers (SOCs) to automate incident response, threat hunting, and vulnerability management. Without a robust evaluation framework, organizations risk deploying agents that make mistakes, hallucinate findings, or even introduce new vulnerabilities. Foundry provides a safety net, ensuring that AI agents are tested under realistic conditions before they are allowed to operate in production environments.
In the broader context, the Foundry Security Spec represents a maturation of AI security practices. Early adopters of AI agents often relied on prompts and manual oversight to evaluate outputs. As agentic AI becomes more autonomous, structured evaluation becomes a necessity. Cisco’s initiative may accelerate the adoption of best practices across the industry, benefiting everyone from small startups to large enterprises. The spec is available now on GitHub under an open-source license, and Cisco encourages contributions from the community to refine and expand its capabilities.
Source: Network World News