In a significant move for the cybersecurity industry, Cisco has open-sourced its internal Foundry Security Specification, a framework for standardizing how AI agents are evaluated for security tasks. The specification, now available on GitHub, is meant to help organizations validate vulnerabilities identified by frontier large language models (LLMs) such as Anthropic's Mythos and OpenAI's GPT-5.5-Cyber, addressing the common problem of unverifiable and hallucinated output that plagues ad hoc AI-driven security assessments.
The Foundry Security Spec is built around GitHub's spec-kit, which provides development workflows compatible with various AI agents. Cisco's chief security officer, Anthony Grieco, emphasized the collaborative nature of the effort, stating that cybersecurity is a team sport and that sharing knowledge through open-source can raise the bar for collective defense. The specification is intended to be model-agnostic, meaning it can be used with any frontier LLM, not just those from major providers.
The genesis of Foundry lies in the common experience of security teams attempting to use AI models to find code vulnerabilities. As Omar Santos, distinguished engineer at Cisco, noted, without proper structure these attempts often produce a 'wall of unbounded, unverifiable output' that mixes genuine insights with hallucinations. Foundry wraps the AI model in orchestration, roles, and guardrails, turning it from an interesting demo into a robust security evaluation system that can be defended before a CISO or auditor.
The specification is published as two primary artifacts: the 'spec' artifact and the 'constitution' artifact. The spec artifact defines eight core agent roles (orchestrator, indexer, cartographer, detector, etc.) and five extension roles, along with a finding lifecycle, coordination substrate, and approximately 130 functional requirements, each with an inline rationale. The constitution artifact contains 11 principles derived from real production failures that Cisco has encountered and fixed.
One of the key challenges Foundry addresses is the unbounded nature of AI output. By establishing a bounded, prioritized, verifiable set of findings, a clear 'done' signal based on operator-defined coverage and yield thresholds, an auditable provenance chain, and safety guardrails that constrain the model at the substrate level, Foundry ensures that security evaluations are systematic and defensible. Santos emphasized that the spec is designed to remain relevant even as LLMs evolve, since it is based on functional requirements and roles rather than model-specific parameters.
Foundry works in conjunction with another Cisco open-source project, CodeGuard, which provides a security framework for AI coding workflows. CodeGuard offers a community-driven ruleset, translators for popular AI coding agents (like Cursor and GitHub Copilot), and validators that enforce security automatically throughout the coding lifecycle—from design and planning to code generation and review.
The importance of such a specification cannot be overstated in the current AI landscape. As more organizations adopt AI agents for cybersecurity tasks—from vulnerability detection to incident response—there is a growing need for standardized evaluation and governance. Without such frameworks, organizations risk relying on unverified AI outputs that could lead to missed vulnerabilities or false positives. Cisco's Foundry spec aims to provide a common language and methodology that cuts across different AI models and platforms.
Cisco has long been a player in both networking and cybersecurity, and its investment in AI security reflects a broader industry trend. Open-sourcing Foundry fits Cisco's strategy of fostering community-driven standards, as it has done in network automation and intent-based networking. Early reaction from security professionals has framed the spec as a practical tool for bringing order to the chaotic world of AI-driven security testing.
From a technical standpoint, Foundry's architecture is designed to be extensible. The core agent roles can be customized to fit an organization's specific security evaluation needs, and the spec's constitution principles can be adapted as new failure modes are discovered. This flexibility is crucial in a field where AI models are rapidly advancing and where new attack vectors and vulnerabilities emerge constantly.
The open-sourcing of Foundry is also timely given the increasing regulatory scrutiny around AI. Governments and industry bodies worldwide are developing guidelines for responsible AI use, and having standardized security evaluation frameworks will help organizations demonstrate compliance. Cisco's specification could serve as a de facto standard for evaluating AI agents in cybersecurity, much like the OWASP Top 10 has become for web application security.
In practice, security teams using Foundry can feed their codebase into an orchestrated AI agent system that performs systematic vulnerability detection, validation, and prioritization. The spec ensures that every finding is accompanied by an auditable trail, from detection through triage and validation to publication. This provenance chain is essential for incident response teams and for meeting audit requirements.
Another significant aspect of Foundry is its focus on safety guardrails. The spec explicitly acknowledges that AI models will sometimes attempt something unintended, and it constrains them at the 'substrate' level rather than relying solely on prompts. A prompt-level rule can be talked around by injected content in the code or documents the agent reads; a constraint enforced by the orchestration layer itself does not depend on the model obeying instructions, so it is far less susceptible to prompt injection or jailbreaking. Because the safety mechanisms are baked into the orchestration layer, an action the model proposes is not executed until it has passed the validation checkpoints, even if the model's output was steered toward something harmful.
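As an added illustration of the bounded finding lifecycle, the coverage-and-yield 'done' signal and the substrate-level guardrail described above, the Python sketch below was written for this page and is not code from Cisco's Foundry repository, whose actual schema, role names and thresholds may differ. It models a finding ledger whose state machine only allows detected, triaged, validated and published in that order, a stop condition driven by operator thresholds, and a tool executor that refuses any proposal outside a tool allowlist and the repository root regardless of what the model wrote. The role names, state names, thresholds and paths are assumptions, and the three findings and four tool proposals in demo() are constructed.

```python
# Added illustration for this page, not Cisco's Foundry code: role names,
# finding states, thresholds and paths below are assumptions.
from dataclasses import dataclass, field
from enum import Enum
from pathlib import PurePosixPath

class State(Enum):
    DETECTED = "detected"
    TRIAGED = "triaged"
    VALIDATED = "validated"
    REJECTED = "rejected"
    PUBLISHED = "published"

# Legal transitions; the substrate refuses anything else, so no agent can
# publish a finding that skipped triage or validation.
ALLOWED = {
    State.DETECTED: {State.TRIAGED, State.REJECTED},
    State.TRIAGED: {State.VALIDATED, State.REJECTED},
    State.VALIDATED: {State.PUBLISHED},
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Finding:
    fid: str
    path: str
    severity: str
    state: State = State.DETECTED
    provenance: list = field(default_factory=list)  # (role, state, evidence)

class Ledger:
    """Bounded, prioritized finding set with an append-only provenance chain."""
    def __init__(self, max_findings):
        self.max_findings = max_findings
        self.findings = {}

    def record(self, fid, path, severity, role, evidence):
        self.findings[fid] = Finding(fid, path, severity,
                                     provenance=[(role, State.DETECTED, evidence)])

    def transition(self, fid, new_state, role, evidence):
        f = self.findings[fid]
        if new_state not in ALLOWED.get(f.state, set()):
            return False  # refused by the substrate, not left to the model
        f.state = new_state
        f.provenance.append((role, new_state, evidence))
        return True

    def publishable(self):
        """Validated findings, highest severity first, capped at max_findings."""
        ok = [f for f in self.findings.values() if f.state is State.VALIDATED]
        ok.sort(key=lambda f: SEVERITY_RANK[f.severity])
        return ok[:self.max_findings]

def is_done(scanned, indexed, new_validated_last_pass, coverage_threshold=0.9, min_yield=1):
    """Operator-defined 'done': coverage reached AND the last pass yielded too little."""
    coverage = scanned / indexed if indexed else 1.0
    return coverage >= coverage_threshold and new_validated_last_pass < min_yield

class Substrate:
    """Runs a proposed tool call only if allowlisted and under root, whatever the model says."""
    def __init__(self, root, allowed_tools):
        self.root = PurePosixPath(root)
        self.allowed_tools = set(allowed_tools)
        self.audit = []  # (role, action, outcome) for every proposal, run or not

    def run(self, role, tool, target):
        p = PurePosixPath(target)
        inside = p.is_absolute() and self.root in p.parents and ".." not in p.parts
        ok = tool in self.allowed_tools and inside
        self.audit.append((role, f"{tool} {target}", "executed" if ok else "refused"))
        return ok

def demo():
    """Constructed findings and tool proposals walked through the substrate."""
    ledger = Ledger(max_findings=2)
    ledger.record("F1", "/repo/auth.py", "high", "detector", "hard-coded secret pattern")
    ledger.record("F2", "/repo/db.py", "critical", "detector", "SQL built by string concat")
    ledger.record("F3", "/repo/util.py", "low", "detector", "unused import")
    skipped = ledger.transition("F1", State.PUBLISHED, "detector", "looks bad")  # refused
    ledger.transition("F1", State.TRIAGED, "triager", "reachable from login()")
    ledger.transition("F1", State.VALIDATED, "validator", "test reads the secret back")
    ledger.transition("F2", State.TRIAGED, "triager", "input taken from request body")
    ledger.transition("F2", State.VALIDATED, "validator", "' OR 1=1 returns every row")
    ledger.transition("F3", State.REJECTED, "triager", "hygiene, not security")
    sub = Substrate("/repo", {"read_file", "grep"})
    sub.run("detector", "read_file", "/repo/auth.py")
    sub.run("detector", "read_file", "/etc/shadow")           # outside root
    sub.run("detector", "read_file", "/repo/../etc/passwd")   # traversal
    sub.run("detector", "shell", "/repo/auth.py")             # tool not allowlisted
    return {
        "skipped_validation_refused": not skipped,
        "published": [f.fid for f in ledger.publishable()],
        "f1_chain": [(r, s.value) for r, s, _ in ledger.findings["F1"].provenance],
        "substrate_audit": [o for _, _, o in sub.audit],
        "done": is_done(scanned=95, indexed=100, new_validated_last_pass=0),
    }
```

The point of the Substrate class is that the refusal happens in code the model never controls: an injected instruction in a scanned file can change what the detector proposes, but not whether the proposal runs. The audit list records refused proposals alongside executed ones, which is the kind of trail an auditor would ask for, and the ledger's transition table is what stops a finding from reaching the published set without a validator's evidence attached.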
Cisco's initiative builds on a growing recognition that AI agents need to be secured not only from external attacks but also from their own potential misbehavior. The Foundry spec is one of the first comprehensive attempts to codify how that security should be evaluated. It draws on Cisco's extensive experience in network security and its deep understanding of the challenges posed by large-scale AI deployments.
The news comes at a time when Cisco is also making other strategic moves in AI security, such as acquiring Astrix, a startup focused on securing AI agents. The combination of internal development and targeted acquisitions positions Cisco as a leading provider of AI security infrastructure. The open-source nature of Foundry ensures that smaller organizations and startups can also benefit from enterprise-grade evaluation capabilities.
Looking ahead, the Foundry specification is expected to evolve as the community contributes feedback and new use cases. The GitHub repository will serve as the primary venue for collaboration, and Cisco has committed to maintaining and updating the spec based on real-world experiences. This open development model is similar to how Kubernetes evolved from an internal Google project to a cloud-native standard.
For security teams that have struggled with the 'wild west' of AI-generated vulnerability reports, Foundry offers a structured, repeatable approach. It reduces the noise and increases the signal, allowing security professionals to focus on the most critical issues. The spec also facilitates communication between teams by providing a common vocabulary and set of expectations for what an AI security evaluation should deliver.
In summary, Cisco's open-sourcing of the Foundry Security Specification marks an important step toward standardizing AI security evaluation. By providing a model-agnostic, extensible framework with strong safety guardrails, Cisco is addressing a critical gap in the cybersecurity landscape. The spec joins a broader ecosystem of tools and frameworks aimed at making AI more secure, and its impact will likely be felt across industries as organizations seek to deploy AI agents with confidence.
Source: Network World News