Cisco DefenseClaw is an open-source security governance framework for agentic AI systems that enforces a strict principle: nothing runs until it has been scanned, and anything dangerous is blocked automatically.
While MCP-Scan focuses specifically on MCP server vulnerability scanning and Agentic Radar audits agentic workflows across frameworks, DefenseClaw provides a broader governance layer that adds skill scanning, static code analysis, runtime inspection, and sandbox isolation.
Released at RSA 2026 by Cisco AI Defense, DefenseClaw provides pre-execution scanning of AI agent skills and MCP servers, static code analysis, runtime inspection of LLM interactions, and enterprise-grade audit logging.
The framework serves as a governance layer for OpenClaw, an open-source AI agent framework, but its scanning components work independently.
The project is part of Cisco’s broader AI Defense portfolio, which addresses security across the AI application lifecycle from development through deployment.
What is Cisco DefenseClaw?
As AI agents gain the ability to execute code, call external APIs, and interact with production systems, the attack surface expands dramatically. A compromised agent skill can exfiltrate data, a poisoned MCP server can hijack agent behavior, and insecure code patterns can introduce vulnerabilities that traditional security tools miss.
DefenseClaw addresses this by inserting a mandatory security gate between AI components and execution. Every skill, MCP server, and code artifact is scanned before it runs.
Runtime interactions between agents and LLMs are inspected for secrets, PII, and injection patterns. All decisions are logged to an immutable audit store.
What are Cisco DefenseClaw’s key features?
| Feature | Details |
|---|---|
| Skill Scanner | Pre-execution analysis of AI agent skills |
| MCP Scanner | Vulnerability scanning for MCP servers |
| AIBOM | AI Bill of Materials with severity-ranked findings |
| CodeGuard | Static analysis for credentials, injection, unsafe patterns |
| Message Inspection | Prompt/completion scanning for secrets, PII, injection |
| Tool Inspection | Six categories: secrets, commands, paths, C2, tampering, injection |
| Sandbox Mode | OS-level isolation with Landlock LSM and seccomp-BPF |
| Policy Enforcement | Go gateway with REST API and WebSocket bridging |
| Audit Logging | SQLite store with full decision history |
| SIEM Integration | Splunk HEC real-time event forwarding |
| Observability | OTLP export (logs, spans, metrics) to Jaeger, Grafana, Datadog |
| Build System | make build (all), make pycli, make gateway, make plugin |
| Cross-compile | make gateway-cross GOOS=linux GOARCH=arm64 (DGX Spark) |
| Requirements | Python 3.10+, Go 1.25+, Node.js 20+ (plugin only) |
| License | Apache 2.0 |
Three-tier architecture
DefenseClaw consists of three integrated components working together:
The Python CLI is the operator-facing tool for scanning and policy management. Security teams use it to run Skill Scanner, MCP Scanner, and CodeGuard against their AI components.
The Go Gateway is the central daemon that handles REST API requests, WebSocket bridging, policy enforcement, and audit logging.
Every security decision flows through the gateway, which writes to a SQLite audit store and can forward events to Splunk HEC or OTLP-compatible collectors in real time.
The TypeScript Plugin runs inside the OpenClaw agent framework, intercepting tool calls via hooks. When an agent attempts to use a tool, the plugin routes the request through the gateway for policy evaluation before allowing execution.
Sandbox isolation
For high-risk operations, DefenseClaw provides OS-level sandboxing using Landlock LSM (Linux Security Module) for filesystem access control and seccomp-BPF for system call filtering. This creates a restricted execution environment where agent skills can only access explicitly permitted resources โ even if the skill itself is compromised.
Enterprise observability
All security decisions flow through the Go gateway and are written to a SQLite audit store.
For enterprise environments, DefenseClaw can forward events to Splunk HEC in real time for SIEM integration, or export logs, spans, and metrics via OTLP to collectors like Jaeger, Grafana, or Datadog. This means every scan result, runtime inspection outcome, and policy enforcement decision is captured in your existing observability stack.
LLM guardrail proxy
DefenseClaw includes a built-in guardrail proxy that inspects all LLM traffic in real time, operating independently of plugin installation. The proxy runs in two modes: observe mode logs findings without blocking, while action mode actively blocks flagged prompts and responses. Severity thresholds are configurable in ~/.defenseclaw/config.yaml.
Tool inspection categories
The runtime tool inspection engine evaluates six specific threat categories: secret (API keys in arguments), command (shell commands like curl/wget/nc), sensitive-path (system files), c2 (command-and-control hostnames), cognitive-file (memory/instruction tampering), and trust-exploit (prompt injection disguised as arguments).
OWASP, NIST, and MITRE alignment
DefenseClaw’s six tool-inspection categories map directly to the OWASP Agentic AI Threats and Mitigations taxonomy: secret and command cover T7 Tool Misuse; sensitive-path and c2 cover T6 Excessive Agency and T8 Communication Poisoning; cognitive-file covers T1 Memory Poisoning; and trust-exploit covers T15 Human Manipulation plus indirect prompt injection scenarios from OWASP Top 10 for LLM Applications LLM01: Prompt Injection.
The pre-execution scan + runtime gateway model is a textbook Policy Enforcement Point (PEP) pattern, which is what NIST AI RMF Manage recommends for high-risk agentic deployments. SIEM forwarding to Splunk HEC and OTLP-compatible collectors gives the Measure function structured evidence, and tool-call traces map onto MITRE ATLAS techniques such as AML.T0011 Command and Scripting Interpreter and AML.T0051 LLM Prompt Injection for shared red-team and detection vocabulary.
How do I get started with Cisco DefenseClaw?
curl -LsSf https://raw.githubusercontent.com/cisco-ai-defense/defenseclaw/main/scripts/install.sh | bash. Requires Python 3.10+, Go 1.25+, and optionally Node.js 20+ for the TypeScript plugin.defenseclaw init --enable-guardrail to set up the Go gateway, configure the SQLite audit store, and enable guardrail functionality. The gateway starts listening for policy enforcement requests.OTEL_EXPORTER_OTLP_ENDPOINT for OTLP collectors.When to use Cisco DefenseClaw
Ideal for organizations deploying agentic AI systems in enterprise environments that need governance controls matching their existing security standards.
The framework covers the full lifecycle โ pre-execution scanning, runtime inspection, and audit logging โ which makes it a strong fit for regulated industries where every AI component interaction needs to be auditable.
The Cisco backing and enterprise integrations (Splunk, OTLP) make it a natural fit for organizations already in the Cisco security ecosystem, though the open-source license means it works independently of any Cisco product.
For a broader overview of AI security tools, see the AI security tools guide. For MCP-specific vulnerability scanning without the full governance framework, see MCP-Scan . For security analysis of agentic workflows across multiple frameworks, consider Agentic Radar .
DefenseClaw alternatives
DefenseClaw is a fresh-launch governance framework, so most teams evaluate it alongside narrower or commercial alternatives.
MCP-Scan is the closest component-scope alternative. It focuses on MCP server vulnerability scanning โ prompt injection, tool poisoning, configuration weaknesses โ without the broader skill scanning, static analysis, or runtime gateway. MCP-Scan is the better pick when MCP servers are the only concern and a governance gateway is overkill.
Agentic Radar widens the lens to multi-framework agentic workflow scanning, supporting LangGraph, CrewAI, AutoGen, and similar orchestrators that DefenseClaw does not natively cover. It is a strong fit for teams running agents across multiple frameworks who need a workflow-level static audit rather than a runtime PEP.
Akto is the closest commercial alternative, with API and agentic AI security testing in a hosted SaaS package. Akto suits enterprises that want managed scanning, dashboards, and ticketing integration rather than running a self-hosted CLI + gateway.
Cerbos is complementary rather than competitive โ it handles fine-grained authorization for AI agents and MCP tool access. Many teams pair Cerbos (deciding which tools an agent is allowed to call) with DefenseClaw (deciding whether a tool call is safe to execute) for layered policy + safety controls.
For broader runtime AI security, see Lakera Guard (acquired by Cisco in May 2025) and Prompt Security (acquired by SentinelOne in May 2025) โ both are AI firewall products that overlap with DefenseClaw’s runtime inspection layer.
