Overview

DefenseClaw is the Cisco governance layer for AI coding agents: scan capabilities before they run, inspect runtime traffic, and export durable audit evidence across thirteen first-class connectors. It enforces one rule: untrusted agent capabilities are scanned, governed, logged, and blocked when policy says they are unsafe.

Guided example · Pre-authored outcomes

One Claude Code action under three operating modes

Change the mode to see the same HIGH-risk action log, block, or pause through a predefined outcome.

Deterministic outcome

    mode: action
    human_approval: true
    hitl_min_severity: high
    critical_behavior: always_block
    connector:
      id: claudecode
      native_ask_event: PreToolUse

Decision: Pause for approval
Reason: Action mode + HITL + native ask support
Action: Wait for operator

Pause: HITL is enabled and Claude Code supports native ask.

What DefenseClaw did — and did not do

What it did

  • Show deterministic outcomes for one action under three modes
  • Use Claude Code connector capabilities in the result

What it did not do

  • Run a policy engine in the browser
  • Allow observe mode to block
  • Pause a CRITICAL finding

What you just saw

The same synthetic Claude Code PreToolUse event produces three deliberately different results. Observe allows execution and records evidence. Action blocks at the configured HIGH threshold. Action + HITL returns a native pause because Claude Code exposes an approval-capable pre-execution hook. CRITICAL findings always block, regardless of HITL.
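
The decision matrix described above, as an added Python sketch that is not DefenseClaw's own code. The config keys come from the example on this page; `block_min_severity`, the `decide` and `audit_jsonl` functions, the allow-below-threshold rule and the fail-closed fallback for a connector without a native ask hook are assumptions made for illustration.

```python
import json
from dataclasses import dataclass
from typing import Optional

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Policy:
    mode: str                                    # "observe" or "action"
    human_approval: bool = False                 # HITL switch
    hitl_min_severity: str = "high"
    critical_behavior: str = "always_block"
    native_ask_event: Optional[str] = "PreToolUse"  # None: connector cannot ask
    block_min_severity: str = "high"             # assumed key for the block threshold

def decide(policy: Policy, event: str, severity: str) -> dict:
    """Map one finding to allow / block / pause plus an audit record."""
    rank = SEVERITY[severity]
    if policy.mode == "observe":
        decision, reason = "allow", "observe mode records evidence only"
    elif severity == "critical" and policy.critical_behavior == "always_block":
        decision, reason = "block", "CRITICAL always blocks, regardless of HITL"
    elif rank < SEVERITY[policy.block_min_severity]:
        decision, reason = "allow", "below block threshold (assumed behaviour)"
    elif (policy.human_approval and rank >= SEVERITY[policy.hitl_min_severity]
          and policy.native_ask_event == event):
        decision, reason = "pause", "action mode + HITL + native ask support"
    else:
        # Also covers HITL without a native ask hook: fail closed (assumption).
        decision, reason = "block", "action mode at or above threshold"
    return {"event": event, "severity": severity, "mode": policy.mode,
            "decision": decision, "reason": reason}

def audit_jsonl(policy: Policy, findings) -> str:
    """Serialise every decision as one JSON line, allowed ones included."""
    return "\n".join(json.dumps(decide(policy, e, s), sort_keys=True)
                     for e, s in findings)

if __name__ == "__main__":
    # Constructed sample: the same synthetic PreToolUse finding under three modes.
    modes = {"observe": Policy("observe"),
             "action": Policy("action"),
             "action+hitl": Policy("action", human_approval=True)}
    for name, policy in modes.items():
        print(name, decide(policy, "PreToolUse", "high")["decision"])
    print(audit_jsonl(modes["action+hitl"],
                      [("PreToolUse", "medium"), ("PreToolUse", "critical")]))
```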

Three jobs, one runtime

  • Govern: Skills, MCP servers, plugins, and generated code before they run
  • Inspect: Prompts, completions, tool calls, and sandbox activity at runtime
  • Prove: SQLite audit history, JSONL, OTLP, Splunk, webhooks, and TUI views

DefenseClaw combines a Python operator CLI, a Go gateway sidecar, and an OpenClaw TypeScript plugin. The CLI configures and inspects; the gateway runs the data path; the plugin wires the loop closed inside OpenClaw.

Architecture

Architecture diagram (flow label: setup · approve · audit). Nodes:

  • Agent runtime: Claude · Codex · OpenClaw · ...
  • Connector: proxy or hooks
  • Control plane: defenseclaw-gateway (Go sidecar)
  • Policy: Policy + Scanners + optional LLM Judge
  • Evidence store: SQLite + JSONL
  • Evidence store: OTLP · Splunk · Webhooks
  • Operator: CLI · TUI · HITL

DefenseClaw spans three runtimes — Python CLI, Go gateway sidecar, OpenClaw plugin — and exposes one enforcement contract per connector.

What's in the box

Scope and limitations

DefenseClaw improves safety by combining scanner results, runtime inspection, policy decisions, sandbox controls, and audit trails. It does not prove that an agent, skill, plugin, or model interaction is risk-free.

High-risk deployments should pair DefenseClaw with human review, least-privilege credentials, sandboxing, CI gates, and production monitoring. In observe mode, findings are logged without blocking. In action mode, configured HIGH and CRITICAL findings can block prompts, tool calls, or component admission.