Sectum AI vs Cisco AI Defense (Robust Intelligence)
TL;DR. Cisco announced the acquisition of Robust Intelligence in August 2024 and shipped the technology as Cisco AI Defense — an end-to-end enterprise AI security platform spanning algorithmic red-teaming, AI asset inventory, and runtime guardrails / AI firewall. Pricing is per-AI-applications-protected on a Cisco enterprise sales motion. Sectum AI is a focused, independent verifier with an Apache-2.0 open-source evidence layer that produces cryptographically-attestable, control-mapped audit packs. The two solve overlapping problems with very different shapes: an enterprise platform on one side, a focused independent attester on the other.
The two products
Cisco AI Defense (cisco.com/products/security/ai-defense)
Category: end-to-end enterprise AI application security platform — algorithmic red-teaming + AI firewall + runtime guardrails.
Acquisition: Cisco’s acquisition of Robust Intelligence was announced in August 2024; terms not disclosed. General availability of the integrated Cisco AI Defense product followed in 2025-2026.
Capability surface:
- AI asset inventory across distributed environments.
- Automatic algorithmic red-teaming of models, MCP servers, and AI components — finds vulnerabilities pre-prod (this is the core Robust Intelligence capability).
- Runtime guardrails to protect AI applications against active threats.
- AI firewall concept — traffic-layer enforcement for AI-specific risks.
- End-to-end AI lifecycle coverage: development through deployment.
Pricing (Gartner Peer Insights reviews):
- Priced per “AI applications protected” + usage + deployment model.
- Enterprise sales motion through the Cisco channel.
- Advanced support and services priced separately.
- Specific price points not publicly available.
Buyer: Cisco enterprise customers expanding security spend into AI; organizations building production AI applications wanting a single enterprise vendor with existing Cisco network/security footprint.
Sectum AI (sectum.ai)
Category: multi-tenant AI verification — focused, independent, with a fully open evidence layer.
License: Apache 2.0 OSS core. Sectum Cloud is the commercial hosting and scheduled-runs layer. The evidence layer — substrate, attack catalog, adapters, evidence chain, and sectum-ai verify — is fully open in both the OSS and the hosted product, by design.
Method: marker substrate. Provisions synthetic tenants, plants cryptographic canary markers, records a hashed ground-truth manifest, runs 11 cross-tenant probe classes across 13 surfaces, produces a tamper-evident evidence pack (RFC 3161 TSA + Sigstore Rekor + in-toto envelope, control-mapped audit PDF, machine-readable evidence.json).
For: CISOs, DPOs, and audit firms working on multi-tenant AI products. The flagship engagement is a GDPR Article 17 erasure attestation. See pricing.
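The manifest-grounded detection idea from the Method line, as an added example (not Sectum AI's code): a finding is raised only when a string in a response hashes to a marker the ground-truth manifest attributes to a different tenant. The marker format, manifest layout and function names are assumptions made for this sketch.

```python
import hashlib
import json
import re
import secrets

# Hypothetical marker format for this example: "CANARY-" + 32 hex chars.
MARKER_RE = re.compile(r"CANARY-[0-9a-f]{32}")


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def plant_markers(tenants, per_tenant=2):
    """Generate unguessable canary markers for each synthetic tenant."""
    return {t: [f"CANARY-{secrets.token_hex(16)}" for _ in range(per_tenant)]
            for t in tenants}


def build_manifest(planted):
    """Ground truth: marker digest -> owning tenant (raw markers are not stored)."""
    return {_sha256(m): tenant for tenant, markers in planted.items() for m in markers}


def manifest_digest(manifest):
    """Digest over a canonical encoding, so any later edit to the manifest shows."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return _sha256(canonical)


def find_leaks(manifest, querying_tenant, response_text):
    """Report only markers the manifest attributes to a *different* tenant."""
    findings = []
    for token in sorted(set(MARKER_RE.findall(response_text))):
        owner = manifest.get(_sha256(token))
        if owner is not None and owner != querying_tenant:
            findings.append({"marker_sha256": _sha256(token),
                             "owner": owner, "seen_by": querying_tenant})
    return findings


if __name__ == "__main__":
    planted = plant_markers(["tenant-a", "tenant-b"])
    manifest = build_manifest(planted)
    print("manifest sha256:", manifest_digest(manifest))
    # Constructed response: tenant-b's query returns one of tenant-a's markers.
    leaked = f"Summary of notes: {planted['tenant-a'][0]} and unrelated text."
    print(find_leaks(manifest, "tenant-b", leaked))
```

A marker-shaped string that is absent from the manifest, or a tenant seeing its own marker, produces no finding, which is what keeps this style of detection free of false positives.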
The categorical difference: enterprise platform vs. focused independent attester
| | Cisco AI Defense | Sectum AI |
|---|---|---|
| Core problem | Securing the AI estate broadly (asset inventory + red-team + runtime) | Verifying the multi-tenant boundary across the data plane |
| Scope | End-to-end AI security platform (asset inventory + red-team + runtime) | Focused multi-tenant verifier with auditor-grade evidence |
| Distribution | Cisco enterprise sales | Direct, and available to audit firms reselling to their clients |
| Evidence model | Reports inside the Cisco console | RFC 3161 TSA + Sigstore Rekor + in-toto envelope + control-mapped audit PDF + evidence.json |
| Independent verification | Trust the platform vendor’s report | sectum-ai verify <pack> — any third party can re-check it, without Sectum AI |
| Flagship engagement | — | GDPR Article 17 erasure attestation |
| Multi-tenant boundary | Not the focus | The category |
| For | Cisco enterprise security | Multi-tenant AI SaaS CISOs, DPOs, and audit firms |
The two most important rows are “core problem” and “independent verification.” Cisco AI Defense secures the AI estate broadly and its findings live in the Cisco console — trust Cisco to tell you the AI is safe. Sectum AI verifies one specific thing — the tenant boundary across the data-plane surfaces — and emits an attestation anyone can re-check with sectum-ai verify, without the vendor in the room. Different problem, different artifact, different trust model.
Why “independence” matters here
The wave of acquisitions in 2024-2026 (Cisco→Robust Intelligence; Palo Alto Networks→Protect AI; OpenAI→Promptfoo) is consolidating AI security into hyperscaler / network-security incumbents. That’s a real signal — the category is now a strategic line item. But it changes the trust shape for the buyer:
- A Cisco AI Defense report tells the buyer Cisco says your AI is safe — the finding lives in Cisco’s console and the buyer trusts Cisco’s report.
- An auditor or DPO who needs to prove multi-tenant isolation to a regulator wants evidence that doesn’t depend on trusting a single vendor.
Sectum AI’s evidence chain — RFC 3161 timestamps from an independent TSA, Sigstore Rekor transparency-log inclusion proofs, in-toto envelope structure, manifest hashes the auditor can validate — is designed for an audit posture that doesn’t require vendor trust. Anyone can install the OSS sectum-ai verify, point it at a pack, and validate the chain end-to-end. Mutating a single byte makes verify exit 4 with [FAIL] lines explaining which check failed.
For a multi-tenant AI SaaS facing a regulator’s Article 17 inquiry or an SOC 2 auditor’s CC6.x questions, vendor-attested evidence is structurally weaker than cryptographically-verifiable evidence. Cisco AI Defense’s reporting model fits the enterprise-platform buyer; Sectum AI’s evidence model fits the auditor and DPO use case.
Surface coverage
| Surface | Cisco AI Defense | Sectum AI |
|---|---|---|
| AI asset inventory | ✓ (core capability) | — (Sectum AI doesn’t inventory; it verifies what’s configured) |
| Algorithmic red-teaming of LLMs / models / MCP servers | ✓ (Robust Intelligence’s core) | partial (Sectum AI’s probes test cross-tenant behavior, not general adversarial robustness) |
| Runtime AI firewall | ✓ (Cisco’s core strength) | — (Sectum AI doesn’t block live traffic) |
| Vector DB direct (cross-tenant integrity) | partial (asset inventory + red-team) | ✓ (Pinecone, pgvector, Weaviate, Chroma live adapters) |
| Semantic cache | partial | ✓ (Class 4 + live Redis adapter) |
| KV cache (timing side channel) | — | ✓ (Class 5 — statistical Cohen’s d effect-size test) |
| Embedding inversion across tenants | — | ✓ (Class 6) |
| Agent / MCP confused-deputy + token passthrough | partial (Cisco AI Defense tests MCP servers) | ✓ (Class 7 — per-finding evidence) |
| Persistent agent memory cross-tenant | — | ✓ (Class 8) |
| LoRA / fine-tune cross-tenant influence | — | ✓ (Class 9) |
| Multi-turn benign extraction (Silent Leaks / IKEA) | — | ✓ (Class 10) |
| RAG poisoning | — | ✓ (Class 3) |
| GDPR Article 17 erasure verification | — | ✓ (Class 11 — the Erasure Attestation engagement) |
| Observability backends (Langfuse / LangSmith / Phoenix) | — | ✓ (live adapters) |
Cisco AI Defense’s coverage is broad across the AI security lifecycle — asset inventory + red-team + runtime. Sectum AI’s coverage is deep on the multi-tenant boundary — 13 surfaces, 11 probe classes, manifest-grounded zero-FP detection. The coverages run perpendicular; both can live on the same multi-tenant AI stack.
When to use Cisco AI Defense
- You’re a Cisco shop and want a single security vendor across network + endpoint + cloud + AI.
- You need AI asset inventory as a foundational capability — knowing what AI components exist across the environment.
- You want runtime AI firewall — a Cisco-platform-style traffic-layer enforcement point for AI-specific risks.
- You operate at enterprise scale where Cisco’s sales / support motion is the right fit.
- You want one platform across the full AI lifecycle (development → testing → deployment → runtime).
When to use Sectum AI
- You need to prove multi-tenant isolation with auditor-acceptable, cryptographically-attestable evidence — regardless of which AI platform vendor you’re on.
- You’re facing a GDPR Article 17 erasure obligation and need post-deletion AI-surface attestation for a DPO or regulator.
- You’re preparing for SOC 2 / ISO 27001 / HIPAA on a multi-tenant AI product and need per-finding control mappings (OWASP / ATLAS / NIST) in your audit evidence.
- You want independently-verifiable evidence — a pack that doesn’t depend on trusting Sectum AI or any other vendor (sectum-ai verify is the OSS verifier; anyone can run it).
- You want an open-source evidence layer — the evidence chain in the OSS produces the same artifacts the hosted product does.
- You don’t operate inside the Cisco ecosystem and want to remain vendor-neutral on AI security.
Using both
A Cisco AI Defense customer running a multi-tenant AI SaaS can absolutely use Sectum AI alongside — they’re not substitutable:
- Cisco AI Defense handles asset inventory + runtime guardrails + red-team coverage at the platform level.
- Sectum AI produces the cryptographically-attestable, control-mapped, multi-tenant isolation evidence pack the auditor / DPO requires.
Cisco’s reporting answers “is our AI estate healthy?” — useful for the security operations team. Sectum AI’s pack answers “can you prove tenant A’s data didn’t reach tenant B, with a chain of custody an auditor or regulator will accept?” — required for the audit and DPO motions.
Honest positioning
Cisco AI Defense is an enterprise platform for AI security — the right pick for a Cisco shop wanting a unified vendor across the AI lifecycle. Sectum AI is an independent evidence-first verifier — the right pick when the buyer specifically needs cryptographically-attestable multi-tenant isolation evidence and doesn’t want to depend on a single vendor’s continued operation. The two don’t substitute; they sit on different parts of the same stack.
The trust-model difference is the most important distinction: Cisco’s evidence is vendor-attested; Sectum AI’s evidence is cryptographically-verifiable without the vendor. For a regulator-facing posture, the latter is structurally stronger.
Pricing
- Cisco AI Defense — priced per-AI-applications-protected + usage + deployment model; Cisco enterprise quotes. Not publicly listed.
- Open Sectum (OSS) — free, Apache 2.0.
- Sectum Cloud — see pricing.
References
- Cisco AI Defense — solution overview, Robust Intelligence acquisition announcement (Cisco Blogs), Gartner Peer Insights reviews, Dark Reading: Cisco previews AI Defenses, MetriNote: Cisco acquires Robust Intelligence (Metrigy).
- Sectum AI — GitHub, docs, attack catalog, evidence chain, sample evidence packs.