Secure Spec Overview

Secure Spec reviews your agents' plans against your rules via a hook into the planning lifecycle.

It keeps your code secure by ensuring that coding agents deterministically consider and apply your security requirements at planning time, before code is generated.

Secure Spec works with Cursor and Claude and needs a little further testing in Copilot.

Benefits

Key behaviours customers benefit from:

• Deterministic by design — Secure Spec runs using Hooks which means the LLM doesn't have a choice in whether to call it or whether to listen.
• Scoped to what's changing — rules apply only to the projects and files the plan actually touches, so agents aren't distracted by irrelevant policies.
• No redundant re-evaluation — if a plan is revised but covers the same files as before, Secure Spec recognises this and skips re-checking, keeping the agent fast.
• Resilient by design — if Secure Spec can't reach a rule or a check fails, the plan still proceeds; security guidance augments the agent rather than blocking it.
• Always up-to-date — evaluations run against the exact commit the agent is planning from, so guidance matches the real state of your codebase.

How does it work?

Secure Spec works by intelligently analysing the plan, extracting the files it's going to change, and matching those changes to the parts of your codebase they affect. Secure Spec then identifies which of your organisation's security rules apply to that specific work:

• A plan touching authentication code gets auth rules.
• A plan touching database queries gets injection rules.

Then it evaluates each one against the plan in parallel for fast feedback.

Only the rules that are genuinely relevant to the proposed changes are surfaced back to the agent, with tailored guidance for the plan at hand. The agent sees precise directives, not a generic policy dump.