75% CVE detection · 0 FP
23,691 skills indexed
120 revoked
Cognium × Virtusa
Trust infrastructure for
software built with AI agents.

Agents do the work. Cognium proves what they did. Audit agent output. Verify against intent. Enforce what ships.

10 use cases · 3 demos · 12 weeks · Score → Embed → Operate

COGNIUM LABS
TRUST INFRASTRUCTURE
cognium.net · March 2026 · Confidential
The Opportunity
Agents write production software.
The trust layer doesn't exist yet.
85% of developers use AI coding tools
95% use AI weekly — 75% for >half their work
$0 spent proving what agents did
For Virtusa's clients
BFSI and regulated enterprises adopting AI agents need machine-verified evidence that agent output matches intent. The risk committee won't accept "the developer checked it." They need audit trail, trust scores, spec compliance.
For Virtusa's positioning
First SI with governed agent delivery. Helio agents ship with trust scores. Agent Foundry catalog is verified. The ISG Agentic Leader story becomes real — with data, not assertions.
What Cognium Does
We prove what agents did.
Audit
What did the agent do?
Semantic analysis reconstructs behavior.
Verify
Does it match intent?
Spec diff against Specifica standard.
Enforce
Should this ship?
Trust score gates the pipeline.
Agent-agnostic (BYOA)
Works with Claude Code, Copilot, Cursor, or any coding agent. Cognium verifies the result — architect keeps their tools.
Spec standard: Specifica
Open at specifica.org. spec.md + design.md + tasks.md + principles.md. Machine-verifiable intent. The input the trust engine needs.
The Engine
SAST + LLM. Deterministic proof.
SAST: ground truth · structure
LLM: meaning · intent · context
Deterministic Proof: no hallucinations · SAST grounds the LLM
75% CVE detection
CWE-Bench-Java · 120 projects
3.3x vs CodeQL
0 false positives
SAST + CLAUDE OPUS
81.7%
Five analyzers: Code · Instruction · Schema · Config · Bundle. Trust scored 0–100. Four tiers + Revoked.
Live · runics.net
Largest live trust scan of the agent skill ecosystem.
23,691 skills indexed
~10,000 scanned (42%)
120 revoked · excluded
149 vulnerable
3,479 perfect trust
Source safety
ClawHub · 7,452 · 96.7%
GitHub · 1,081 · 99.2%
MCP Registry · 959 · 99.7%
Revoked = excluded from search. 0 leaked.
Why this matters for Virtusa
Every MCP and skill scored in the registry is available to every future Virtusa engagement without re-scanning. The verified catalog compounds with each project.
Helio agents and Agent Foundry skills can be trust-scored once, cached in the registry, and queried at runtime by any delivery team.
3 sync pipelines on cron. Growing while you read this slide.
Virtusa Integration
Helio + Agent Foundry + Cognium.
Helio Agents
Every Helio agent scanned by Cognium before deployment. Trust score visible to delivery leads. Findings surfaced before client engagement — not after.
Agent Foundry
Catalog scored and trust-tiered. Author-Verified (85+) = production-ready for BFSI. Community (40–59) = needs review. Delivery leads see the catalog through a trust lens.
BFSI Delivery
Audit trail generated as a pipeline byproduct. Risk committee gets machine-verified evidence — not the delivery team's attestation. EU AI Act readiness.
Entry point
npm install cognium-ai — scan from terminal. Add as GitHub Action — one YAML file. Trust report on every PR. Zero workflow change for developers.
Specifica Standard
Open spec format at specifica.org. Structured intent documents the trust engine diffs against. Author-Verified tier (85–100) requires a published Specifica spec.
The Path
Score → Embed → Operate. 12 weeks.
Phase 1 · Score
Week 1–2
Scan agents. See what you're shipping. Zero integration required.
UC 1 · Scan one Helio agent (5 min)
UC 2 · Scan 10 from Agent Foundry (1 hr)
UC 3 · ClawHub skill — Demo A
Phase 2 · Embed
Week 3–6
PR gate, registry, spec-diff, BYOA handoff. Library starts compounding.
UC 7 · GitHub Action on one repo (2 hr)
UC 4 · Stripe MCP → registry (1 hr)
UC 5 · KYC spec-diff (2 hr)
UC 6 · Intent → verified skill — Demo B
Phase 3 · Operate
Week 7–12
Full pipeline. Routines. Audit trail. Progressive autonomy measured.
UC 8 · BFSI 6-gate release (1 day)
UC 9 · Run 2 — progressive autonomy
UC 9b/c · Routine → skill promotion
UC 10 · Risk committee — Demo C
Start with one URL. End with a governed release. Each phase earns trust for the next — just like the pipeline itself.
Three Demos
Each demo proves the next phase.
Demo A · Week 2
"Here's what your agents carry that VirusTotal doesn't see."
Real ClawHub skill from a live engagement. Side-by-side: VirusTotal says clean. Cognium finds prompt injection vector and data exfiltration.
Audience: Delivery lead, tech architect
Demo B · Week 6
"State what you need. Watch it get spec'd, built, and verified."
Architect states intent. Cognium augments into Specifica. Coding agent builds it (BYOA). Cognium verifies the result. Full loop.
Audience: VP Engineering, tech architect
Demo C · Week 12
"Here's the evidence package for your risk committee."
Full audit trail export from 6-gate release. Every gate decision logged. Machine-verified — not someone's attestation. EU AI Act readiness artifact.
Audience: CISO, risk committee, compliance
What Compounds
Every engagement makes the next one faster.
Registry library
Grows with every engagement
UC 4 scores Stripe MCP. UC 8 uses it without re-scanning. By engagement 10, the verified catalog is a competitive moat for Virtusa.
Trust history
Enables autonomy
Run 1 data enables L2 decisions in Run 2. The pipeline needs less from you every cycle. The delta between Run 1 and Run 2 is the commercial proof point.
Routines become skills
Conversation → routine → reusable asset
Architect defines a workflow in conversation. It proves valuable. Promote to Runics private registry. By engagement 5, Virtusa has a verified skill library.
Evidence baseline
Replaces assumptions with data
Every pilot data point replaces an illustrative assumption. That dataset becomes the case for Virtusa's clients, for ISG positioning, for the Agentic Leader story.
Commercial Structure
Partnership, not just procurement.
OEM
Cognium embedded in Helio platform. Virtusa branding on trust reports. White-label available.
Rev-Share
Per-engagement or per-scan pricing. Revenue aligned with delivery volume. Scales with adoption.
Joint GTM
Co-marketed trust story. Joint BFSI case study after pilot. ISG Agentic Leader positioning with data.
OEM · Rev-share · Joint GTM — structure to agree. The pilot proves the model. The data shapes the deal.
Pilot investment
12 weeks. 3 demos. 10 use cases. Minimal engineering lift — one YAML file for Phase 1.
Pilot outcome
Measured progressive autonomy. Verified skill library. BFSI audit trail. Commercial model validated with data.
Cognium × Virtusa
Agents do the work.
Cognium proves what they did.
Start with one URL. End with a governed release.
12 weeks · 3 demos · 10 use cases · 1 YAML file to start
eyal@cognium.net
cognium.net · cognium.dev · runics.net · specifica.org