Overview
DefenseClaw is the Cisco governance layer for AI coding agents: it scans capabilities before they run, inspects runtime traffic, and exports durable audit evidence across thirteen first-class connectors.
It enforces one rule: untrusted agent capabilities are scanned, governed, logged, and blocked when policy says they are unsafe.
Guided example · Pre-authored outcomes
One Claude Code action under three operating modes
Change the mode to see the same HIGH-risk action log, block, or pause through a predefined outcome.
```yaml
mode: action
human_approval: true
hitl_min_severity: high
critical_behavior: always_block
connector:
  id: claudecode
  native_ask_event: PreToolUse
```
Action mode + HITL + native ask support
Wait for operator
What DefenseClaw did — and did not do
What it did
- Show deterministic outcomes for one action under three modes
- Use Claude Code connector capabilities in the result
What it did not do
- Run a policy engine in the browser
- Allow observe mode to block
- Pause a CRITICAL finding
What you just saw
The same synthetic Claude Code PreToolUse event produces three deliberately different results. Observe allows execution and records evidence. Action blocks at the configured HIGH threshold. Action + HITL returns a native pause because Claude Code exposes an approval-capable pre-execution hook. CRITICAL findings always block, regardless of HITL.
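The outcome rules described above can be written as a small decision function. This is an added illustration, not DefenseClaw's own code: the `Policy` fields `block_min_severity` and `connector_native_ask` are hypothetical names, and the handling of below-threshold findings and of connectors without an approval-capable hook are assumptions marked in the comments.

```python
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Policy:
    mode: str = "observe"                   # "observe" or "action"
    human_approval: bool = False            # HITL switch
    hitl_min_severity: str = "high"
    critical_behavior: str = "always_block"
    block_min_severity: str = "high"        # hypothetical name for the action threshold
    connector_native_ask: bool = False      # hypothetical flag; True for Claude Code PreToolUse


def decide(policy: Policy, severity: str) -> tuple[str, str]:
    """Return (verdict, reason) with verdict in {'allow', 'block', 'pause'}."""
    if policy.mode not in ("observe", "action"):
        raise ValueError(f"unknown mode: {policy.mode!r}")
    rank = SEVERITY[severity.lower()]
    if policy.mode == "observe":
        return "allow", "observe mode records evidence and never blocks"
    # CRITICAL is checked before HITL so it can never be downgraded to a pause.
    if rank >= SEVERITY["critical"] and policy.critical_behavior == "always_block":
        return "block", "CRITICAL always blocks, regardless of HITL"
    if policy.human_approval and rank >= SEVERITY[policy.hitl_min_severity]:
        if policy.connector_native_ask:
            return "pause", "waiting for operator via the connector's native ask"
        # Assumption: with no approval-capable hook, fall back to blocking.
        return "block", "connector cannot ask; blocking instead"
    if rank >= SEVERITY[policy.block_min_severity]:
        return "block", "finding meets the action-mode threshold"
    # Assumption: findings below the threshold are allowed and logged.
    return "allow", "below the configured threshold"


def walkthrough() -> dict[str, str]:
    """The same HIGH finding and a CRITICAL one under the page's three modes."""
    modes = {
        "observe": Policy(mode="observe"),
        "action": Policy(mode="action"),
        "action+hitl": Policy(mode="action", human_approval=True, connector_native_ask=True),
    }
    return {f"{name}/{sev}": decide(p, sev)[0]
            for name, p in modes.items() for sev in ("high", "critical")}


if __name__ == "__main__":
    for case, verdict in walkthrough().items():
        print(f"{case:22} -> {verdict}")
```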
Quickstart in 5 minutes
Install, pick a connector, watch a guardrail block a destructive command.
Setup Guardrail
The central command. Modes, scanner backends, rule packs, judge, HITL.
Capability Matrix
Which connectors can block, which can ask, which support fail-closed.
Stories
Concrete walkthroughs — stop rm -rf on Claude Code, catch prompt injection on Codex, and more.
Three jobs, one runtime
| Govern | Inspect | Prove |
|---|---|---|
| Skills, MCP servers, plugins, and generated code before they run | Prompts, completions, tool calls, and sandbox activity at runtime | SQLite audit history, JSONL, OTLP, Splunk, webhooks, and TUI views |
DefenseClaw combines a Python operator CLI, a Go gateway sidecar, and an OpenClaw TypeScript plugin. The CLI configures and inspects; the gateway runs the data path; the plugin wires the loop closed inside OpenClaw.
Architecture
What's in the box
13 connectors
OpenClaw, ZeptoClaw, Claude Code, Codex, Cursor, Windsurf, Gemini CLI, GitHub Copilot CLI, OpenHands, Antigravity, Hermes, OpenCode, OmniGent.
Observe → Action → HITL
Three operating modes that compose. Start safe, earn enforcement, escalate to a human only when needed.
OpenClaw integration
The reference proxy connector. Fetch interceptor, before_tool_call hook, plugin-mediated approvals.
Reference
CLI commands, gateway API, configuration files, environment variables.
Scope and limitations
DefenseClaw improves safety by combining scanner results, runtime inspection, policy decisions, sandbox controls, and audit trails. It does not prove that an agent, skill, plugin, or model interaction is risk-free.
High-risk deployments should pair DefenseClaw with human review, least-privilege credentials, sandboxing, CI gates, and production monitoring. In observe mode, findings are logged without blocking. In action mode, configured HIGH and CRITICAL findings can block prompts, tool calls, or component admission.