Cisco publishes Foundry security spec
- Cisco open-sourced its Foundry Security Spec on May 12, turning an internal agentic AI security evaluation framework into a public blueprint.
- The release includes a seed spec with 8 core roles, 5 extension roles, about 130 requirements, plus 11 "inviolable" principles.
- It matters because agentic AI security is still ad hoc, and Cisco is trying to define the baseline others build against.
Cisco just published something more interesting than another AI demo: an open specification for how to evaluate agentic AI systems for security, covering not just the model but the whole setup around it. That matters because most teams are still doing the obvious bad version of this: point a frontier model at a codebase, ask it to find bugs, then drown in noisy output. Foundry is Cisco's attempt to turn that chaos into a repeatable system.

### What did Cisco actually ship?

Cisco published the Foundry Security Spec on May 12, 2026, in a public GitHub repository and paired it with a blog post explaining the idea. The company describes it as an open, model-agnostic and stack-agnostic blueprint for "agentic security evaluation": a way to structure AI agents so they can look for software vulnerabilities without behaving like an overconfident autocomplete. (blogs.cisco.com)

### Is this code or a standard?

It is much closer to a specification than a product release. Cisco is explicit that "the specification is the deliverable" and that there is no implementation code in the repo on purpose. The pitch is: bring your own frontier model and your own environment, then use Foundry as the architecture, guardrails, and operating rules. (blogs.cisco.com)

### What's inside the spec?

The core package has two main artifacts. One is the seed spec itself, version 0.1.0, which lays out 8 core agent roles, 5 extension roles, a finding lifecycle, a coordination layer, and roughly 130 functional requirements. The other is a "constitution", now at version 0.2.0, with 11 principles Cisco says are non-negotiable because each one came from a real production failure its team already hit and fixed. (github.com)

### What problem is this trying to solve?

The basic problem is verification. A raw LLM can generate lots of possible vulnerabilities, but that does not mean those findings are real, complete, or prioritized. Cisco's spec says the job is to produce a bounded, verifiable, prioritized set of findings and to know when the evaluation is actually finished. That "know when you're done" piece is load-bearing; without an explicit termination condition the system just keeps talking. (blogs.cisco.com)

### Why does the constitution matter?

Because agentic systems fail in boring, repeatable ways. One of the principles is "evidence over assertion": a finding is supposed to be judged by checkable evidence, not model confidence. That sounds obvious, but it is the whole trap with AI security tooling. Confidence reads like competence until someone tries to reproduce the bug and nothing is there. (blogs.cisco.com)

### Why tie this to GitHub's spec-kit?

Cisco says Foundry is meant to be used with GitHub's spec-kit workflow. In plain English, it wants teams to adapt the seed into their own clarified internal spec rather than copy-paste Cisco's version directly. The repo even marks organization-specific decisions as things that still "need clarification", which is a nice way of saying the hard parts depend on your infrastructure, threat model, and tolerance for risk. (github.com)

### So why publish this now?

Because Cisco has been pushing hard on "agentic AI for security" for months, and this gives that strategy a concrete artifact. The company has already been framing 2026 as the year agentic applications move from concept to enterprise reality, while also warning that AI makes attackers faster. Foundry is Cisco trying to shape the rules of that next phase, and maybe become the vendor people associate with the safer version of it. (blogs.cisco.com) That last part is an inference, but it fits the broader pattern of Cisco's recent AI security messaging.

### What's the bottom line?

Foundry will not magically standardize agentic AI security on its own. The repo is brand-new, the spec is still a seed, and adoption is the real test. But Cisco did put something concrete on the table: a public blueprint for turning AI vulnerability hunting from a clever prompt into an auditable system. In a market full of agent talk, that is more substantial than it sounds. (github.com) (newsroom.cisco.com)
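To make the two design points above concrete (a finding judged by checkable evidence rather than model confidence, and an evaluation that knows when it is done), here is a small Python model of an evidence-gated finding lifecycle with a bounded run. It is an added illustration, not Cisco's Foundry code and not the spec's own role or state names; the PROPOSED/VERIFIED/REJECTED states, the toy targets `sanitize_path` and `is_allowed_host`, the scope list, and the candidate findings are all this example's own constructed assumptions.

```python
"""Added example (not Cisco's Foundry code): an evidence-gated finding lifecycle
and a bounded evaluation loop.  State names, toy targets and candidate findings
are this example's own assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

class Status(Enum):
    PROPOSED = "proposed"
    VERIFIED = "verified"
    REJECTED = "rejected"

@dataclass
class Finding:
    target: str                       # in-scope component the claim is about
    claim: str
    severity: int                     # 1 (low) .. 5 (critical); used only for ordering
    model_confidence: float           # the model's self-reported confidence; the gate ignores it
    reproduce: Optional[Callable[[], bool]] = None  # evidence: returns True if the claim holds
    status: Status = Status.PROPOSED
    note: str = ""

# Constructed toy targets under evaluation (not code from any real project).
def sanitize_path(p: str) -> str:
    """Naive filter: strips one leading '../' and nothing else."""
    return p[3:] if p.startswith("../") else p

def is_allowed_host(host: str) -> bool:
    """Exact-match allow-list; this one has no bypass."""
    return host in {"api.internal", "db.internal"}

def verify(f: Finding) -> Finding:
    """Evidence over assertion: no runnable reproduction means rejection however
    confident the model was; a reproduction counts only if it runs and returns True."""
    if f.reproduce is None:
        f.status, f.note = Status.REJECTED, "no checkable evidence supplied"
        return f
    try:
        holds = bool(f.reproduce())
    except Exception as exc:          # a crashing repro is not evidence either
        holds, f.note = False, f"reproduction raised {type(exc).__name__}"
    f.status = Status.VERIFIED if holds else Status.REJECTED
    if not holds:
        f.note = f.note or "reproduction did not demonstrate the claim"
    return f

def run_evaluation(scope, candidates, budget):
    """Verify at most `budget` in-scope candidates in order.  Returns verified
    findings by severity, in-scope targets nothing was checked against, and why
    the run stopped, so 'done' is an explicit statement rather than silence."""
    in_scope = []
    for f in candidates:
        if f.target in scope:
            in_scope.append(f)
        else:
            f.status, f.note = Status.REJECTED, "target out of scope"
    covered, verified = set(), []
    for f in in_scope[:budget]:
        covered.add(f.target)
        if verify(f).status is Status.VERIFIED:
            verified.append(f)
    verified.sort(key=lambda x: x.severity, reverse=True)
    reason = "budget exhausted" if len(in_scope) > budget else "all candidates processed"
    return verified, sorted(set(scope) - covered), reason

# Constructed sample run.
SCOPE = ["sanitize_path", "is_allowed_host", "session_store"]
CANDIDATES = [
    # Low stated confidence, but the evidence reproduces: stripping one '../' leaves the next.
    Finding("sanitize_path", "single-prefix strip is bypassed by '../../'", 4, 0.55,
            reproduce=lambda: sanitize_path("../../etc/passwd").startswith("../")),
    # High confidence, no evidence: rejected before any work is spent on it.
    Finding("is_allowed_host", "accepts subdomains of allowed hosts", 5, 0.97),
    # Evidence supplied but it does not reproduce: the claim is simply wrong.
    Finding("is_allowed_host", "allow-list is a substring match", 5, 0.90,
            reproduce=lambda: is_allowed_host("evil.api.internal")),
    # Out of scope: never verified and not charged against the budget.
    Finding("billing", "unsigned invoice totals", 2, 0.80, reproduce=lambda: True),
    # Second real issue on the same target: mid-path traversal passes through untouched.
    Finding("sanitize_path", "mid-path '../' segments are not removed", 3, 0.60,
            reproduce=lambda: "../" in sanitize_path("static/../../etc/passwd")),
    # A reproduction that crashes (here: a typo in the repro itself) earns no credit.
    Finding("sanitize_path", "absolute paths are not rejected", 2, 0.70,
            reproduce=lambda: sanitize_path("/etc/passwd").starts_with("/")),
]

def evaluate_demo(budget: int = 5):
    return run_evaluation(SCOPE, CANDIDATES, budget)

if __name__ == "__main__":
    found, gaps, why = evaluate_demo()
    for f in found:
        print(f"VERIFIED sev={f.severity} {f.target}: {f.claim}")
    print("unchecked targets:", gaps, "| stopped because:", why)
```

The point of the gate is that `model_confidence` never influences the outcome: the 0.97-confidence finding with no reproduction is rejected, while the 0.55-confidence finding whose reproduction actually runs is accepted. The run also returns its stop reason and the in-scope targets it never touched (`session_store` here), which is the bounded, auditable "done" the spec is asking for rather than an agent that simply stops emitting text.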