Los Angles Wire


Cisco open-sources agentic AI security spec

May 29, 2026 | Twila Rosenbaum

Cisco has taken a significant step toward standardizing the evaluation of agentic artificial intelligence in cybersecurity by open-sourcing its internally developed Foundry Security Specification. The specification is now available on GitHub, designed to integrate with the industry-wide spec-kit development workflows for AI agents. This move aims to provide customers and the broader industry with a common framework for evaluating and governing AI agents used in security operations, as agentic AI plays an increasingly central role in threat detection and response.

The need for a structured evaluation framework

As frontier large language models such as Anthropic's Mythos and OpenAI's GPT-5.5-Cyber become more capable of analyzing code and identifying vulnerabilities at machine speed, security teams face a new challenge: verifying the massive volume of findings these models produce. Without a structured process, teams often receive an overwhelming wall of unbounded, unverifiable output that mixes valid insights with hallucinations, leaving analysts unsure of what was missed or when the evaluation is complete. The Foundry Security Spec directly addresses this chaos by wrapping the AI model in orchestration, roles, and guardrails that enforce detection, validation, and coverage from the outset.

Core components of the Foundry Security Spec

The specification is published as two primary artifacts supported by a set of documents. The first artifact, the “spec,” defines eight core agent roles: orchestrator, indexer, cartographer, detector, validator, prioritizer, reporter, and auditor. It also includes five extension roles, a detailed finding lifecycle, a coordination substrate, and approximately 130 functional requirements. Each requirement comes with an inline rationale explaining why it exists, ensuring that every component serves a clear purpose in the evaluation pipeline. The second artifact, the “constitution,” establishes 11 firmly defined principles, each encoding a real production failure that was shipped, diagnosed, and fixed during internal development. These principles act as hard constraints on the system, preventing common pitfalls that arise during agentic AI security evaluations.

How it works in practice

The Foundry Security Spec is not tied to any specific model parameters, making it future-proof as AI models evolve. Whether using today’s frontier LLMs or more advanced reasoning agents, the core roles and functional requirements remain constant. The orchestrator coordinates the workflow, the indexer prepares codebases for analysis, the cartographer maps relationships and dependencies, the detector identifies potential vulnerabilities, the validator verifies findings, the prioritizer ranks them based on risk, the reporter generates auditable outputs, and the auditor tracks the provenance chain from detection through triage to publication. This structured approach ensures that every finding is bounded, prioritized, and verifiable, with a clear “done” signal defined by an operator-specified coverage floor and an economic yield threshold.

Safety guardrails at the substrate level

A critical design feature of Foundry is its approach to safety. Instead of relying solely on prompt engineering to prevent AI misbehavior, the specification imposes guardrails at the substrate level—the underlying infrastructure and coordination layer. This assumes that the model will, at some point, attempt to perform actions outside its intended scope. By constraining the AI at the substrate level, the system ensures that even if the model tries to do the wrong thing, its actions are limited and recorded. This provides a robust safety net for security evaluations, which are often high-stakes and require complete trust in the results.

Complementary open-source project: CodeGuard

The Foundry Security Spec works hand-in-hand with another Cisco-contributed open-source technology called Project CodeGuard. CodeGuard is a security framework that integrates secure-by-default rules into AI coding workflows. It offers a community-driven ruleset, translators for popular AI coding agents such as Cursor, GitHub Copilot, Codex, Windsurf, and Claude Code, and validators that help teams enforce security automatically throughout the coding lifecycle. Before code generation, rules guide the design and specification phases, steering models toward secure patterns. During code generation, rules prevent the introduction of vulnerabilities. After code generation, agents use rules for code review. Together, Foundry and CodeGuard provide a comprehensive ecosystem for secure AI-driven development and security evaluation.

Industry context and adoption

The release of Foundry reflects a growing recognition that agentic AI in cybersecurity requires standardized evaluation methodologies. As enterprises increasingly deploy AI agents to automate vulnerability detection, incident response, and threat hunting, the need for consistent, auditable, and verifiable processes becomes critical. Many organizations have attempted to use frontier LLMs informally by simply providing a report and asking the model to find bugs. The result is often unreliable. Foundry provides the scaffolding to transform such ad-hoc experiments into production-grade security evaluation systems that CISOs and auditors can trust. The specification is model-agnostic, meaning users do not need access to the latest frontier models to benefit; it can work with any capable LLM, ensuring broad accessibility.

Technical architecture and extensibility

The specification is designed to be extended and adapted to specific organizational needs. The eight core roles can be supplemented with extension roles for specialized tasks such as fuzzing, static analysis integration, or cloud infrastructure scanning. The functional requirements are detailed enough to guide implementation but abstract enough to allow flexibility in how each role is realized. The coordination substrate handles communication between agents, ensuring that findings are passed along the pipeline without loss or corruption. The finding lifecycle defines clear stages: detection, triage, validation, prioritization, reporting, and archival. Each stage leaves an auditable trace, so every decision can be reviewed and justified. This transparency is essential for compliance with regulations and attestation frameworks such as GDPR, HIPAA, and SOC 2, which require demonstrable control over security processes.

Real-world applications and use cases

Security teams can deploy Foundry to evaluate codebases for vulnerabilities, perform continuous security assessments during DevOps pipelines, or analyze third-party software for supply chain risks. For example, a team using Foundry with an orchestrator agent can scan a repository, have the detector agents identify potential flaws, validate them using the validator role, and generate a prioritized list of findings ready for remediation. The system knows when it has achieved sufficient coverage based on predefined thresholds, so analysts are not left wondering whether the evaluation is complete. This is a significant improvement over traditional manual code reviews or ad-hoc AI queries, which often produce incomplete or unverifiable results.
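To make the lifecycle, the substrate-level guardrails, and the "done" signal described above concrete, here is a small illustrative model written for this article; it is not Cisco's code and does not use the Foundry Security Spec's own identifiers. The stage names follow the article, while the role-to-stage permission table, the class and function names, and the interpretation of the yield threshold as validated findings per unit of cost are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Lifecycle stages in pipeline order, as the article lists them.
STAGES = ["detected", "triaged", "validated", "prioritized", "reported", "archived"]

# Substrate-level policy (constructed for this example): the only role allowed to
# move a finding INTO each stage. A model acting outside its role is refused here,
# by the coordination layer, rather than by a prompt asking it to behave.
ALLOWED = {"triaged": "orchestrator", "validated": "validator",
           "prioritized": "prioritizer", "reported": "reporter", "archived": "auditor"}


@dataclass
class Finding:
    fid: str
    stage: str = "detected"
    provenance: list = field(default_factory=list)  # (role, stage) audit trail


class Substrate:
    """Coordination substrate: owns every finding and records every attempt."""

    def __init__(self):
        self.findings = {}
        self.audit_log = []  # denied attempts are recorded, not silently dropped

    def detect(self, fid, role="detector"):
        f = Finding(fid, provenance=[(role, "detected")])
        self.findings[fid] = f
        return f

    def advance(self, fid, role, new_stage):
        """Advance one stage at a time; both the order and the acting role are enforced."""
        f = self.findings[fid]
        idx = STAGES.index(f.stage)
        expected = STAGES[idx + 1] if idx + 1 < len(STAGES) else None
        ok = new_stage == expected and ALLOWED.get(new_stage) == role
        self.audit_log.append((fid, role, f.stage, new_stage, "ok" if ok else "denied"))
        if ok:
            f.stage = new_stage
            f.provenance.append((role, new_stage))
        return ok


def is_done(covered, total, new_validated, cost_units, coverage_floor, yield_threshold):
    """Done signal (interpretation assumed): the operator's coverage floor is reached AND
    the validated-findings-per-cost yield of the latest batch has fallen below threshold."""
    coverage = covered / total if total else 0.0
    yield_rate = new_validated / cost_units if cost_units else 0.0
    return coverage >= coverage_floor and yield_rate < yield_threshold
```

A detector that tries to mark its own finding as validated is refused and the attempt is written to the audit log, which is the behaviour the substrate-level guardrail is meant to produce.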

Community and collaboration

By open-sourcing the specification on GitHub, Cisco is inviting the security community to contribute, critique, and evolve the framework. This collaborative approach aligns with the ethos of cybersecurity as a “team sport,” where sharing knowledge and tools raises the bar for collective defense. The specification is designed to be used with GitHub’s spec-kit, which provides standardized workflows for AI agents. This integration reduces friction for teams already using GitHub for version control and CI/CD pipelines. Early adopters include several large enterprises and security vendors who have contributed feedback during the development phase. The open-source nature also enables researchers to study the specification, propose improvements, and create custom implementations for specific domains.

Future-proofing against model evolution

A common question raised by security professionals is whether Foundry will become obsolete as LLMs improve. The answer from its designers is no. The specification is built on functional requirements and roles, not specific model parameters. The need for an orchestrator to coordinate agents, a detector to find vulnerabilities, and a validator to confirm findings will remain regardless of how advanced the underlying AI becomes. As models gain new capabilities, the roles can be assigned more sophisticated tasks, but the fundamental structure remains stable. This ensures that investments in building Foundry-compatible tools and processes will not be wasted when the next generation of AI arrives.

The Foundry Security Spec represents a practical, production-ready approach to harnessing agentic AI for cybersecurity. It provides the guardrails, roles, and accountability that turn a powerful but unpredictable technology into a reliable security tool. By making it open source, Cisco has given the industry a foundation to build upon, accelerating the adoption of safe and effective AI-driven security evaluations.


Source: Network World News

