Anthropic's citations feature makes the model attach source references to the claims in its output. For general chat, this is nice. For security advisory work — where every claim will eventually be reviewed by an auditor or a regulator — it is foundational. Griffin AI uses citations extensively; advisory workflows without citations are difficult to defend in review.
Why citations matter for security advisory
Three concrete needs:
- Verifiability. The consumer of the advisory can check each claim against its source.
- Auditability. The advisory can be reviewed later and the claims traced back.
- Updateability. When a source is corrected, the advisory can be systematically updated.
Without citations, the advisory is a black-box claim. The consumer either trusts the vendor or rebuilds the analysis.
What Griffin AI does with citations
Four concrete usages:
- CVE references. Every CVE claim cites the authoritative advisory.
- Exploit references. Exploit availability claims cite the specific threat intelligence source.
- Vendor attestation references. VEX statements and vendor-published mitigations are cited.
- Internal policy references. Organisational policy invocations cite the specific policy document and version.
The advisory reads as a structured document with external links for every factual claim.
What advisories without citations look like
Mythos-class tools and raw-LLM advisory workflows commonly produce paragraphs of analysis without source attribution. The content is plausible. Some of it is correct. The consumer has no way to separate the two.
During regulatory review, un-cited advisories are worth substantially less than cited ones.
A concrete example
A Griffin AI security advisory for a specific CVE includes:
- The CVE description, citing the NVD entry.
- The exploit availability, citing CISA KEV.
- The vendor's VEX statement, citing the vendor's advisory.
- The organisational policy decision, citing the specific policy document.
Each claim has a link. Reviewers can verify. Regulators can audit. Updates propagate.
An un-cited equivalent advisory makes the same claims as prose. The review takes longer; the audit trail is thinner; updates require rewriting.
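The cited-advisory structure described above can be checked mechanically. The following is an added example, not Griffin AI's or Safeguard's code or schema: it lints an advisory for claims that lack the source type this page names for them, and indexes claims by cited source so a corrected source maps to the claims to revisit. The field names, claim-kind labels, advisory id, CVE id and URLs are all assumed placeholders.

```python
from collections import defaultdict

# Claim kind -> source type the page says it cites (labels are assumed names).
REQUIRED_SOURCE = {
    "cve_description": "nvd",
    "exploit_availability": "cisa_kev",
    "vendor_vex": "vendor_advisory",
    "policy_decision": "policy_document",
}

# Constructed sample advisory; ids, refs and text are placeholders.
SAMPLE_ADVISORY = {
    "id": "ADV-EXAMPLE-1",
    "claims": [
        {"kind": "cve_description", "text": "Describes the flaw.", "citations": [
            {"source": "nvd", "ref": "https://nvd.example.invalid/CVE-0000-0000"}]},
        {"kind": "exploit_availability", "text": "Exploited in the wild.", "citations": [
            {"source": "cisa_kev", "ref": "https://kev.example.invalid/CVE-0000-0000"}]},
        {"kind": "vendor_vex", "text": "Vendor says not affected.", "citations": []},
        {"kind": "policy_decision", "text": "Patch within 14 days.", "citations": [
            {"source": "policy_document", "ref": "policy://patching-standard"}]},
    ],
}

def lint_advisory(advisory):
    """Return (claim_index, problem) pairs for claims a reviewer could not verify."""
    problems = []
    for i, claim in enumerate(advisory["claims"]):
        required = REQUIRED_SOURCE.get(claim["kind"])
        cites = [c for c in claim.get("citations", [])
                 if c.get("source") == required and c.get("ref")]
        if required is None:
            problems.append((i, f"unknown claim kind {claim['kind']!r}"))
        elif not cites:
            problems.append((i, f"missing {required} citation"))
        elif required == "policy_document" and not all(c.get("version") for c in cites):
            # The page requires policy citations to name the document and its version.
            problems.append((i, "policy citation lacks a version"))
    return problems

def claims_by_source(advisories):
    """Map each cited ref to the (advisory id, claim index) pairs that depend on it."""
    index = defaultdict(list)
    for adv in advisories:
        for i, claim in enumerate(adv["claims"]):
            for c in claim.get("citations", []):
                if c.get("ref"):
                    index[c["ref"]].append((adv["id"], i))
    return dict(index)
```

Running `lint_advisory` as a release gate covers verifiability and auditability; the index from `claims_by_source` covers updateability.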
How Safeguard Helps
Safeguard's Griffin AI uses citations as a default for advisory output. Every factual claim is linked. Advisory documents generated by the platform are review-ready and audit-ready. For organisations whose advisory work feeds regulatory processes, citations are the architectural property that makes the output defensible.