
Install

Install DefenseClaw with one curl command or build it from source. Covers macOS and Linux; pins Python 3.10+ and Go 1.26+ for source builds.

DefenseClaw ships pre-built binaries for macOS and Linux. The installer drops the defenseclaw CLI and defenseclaw-gateway sidecar into ~/.local/bin/, creates ~/.defenseclaw/, and sets up a virtualenv under ~/.defenseclaw/.venv/.

Installing as root is supported but discouraged — DefenseClaw is per-user by design so each operator's audit DB and connector state stays isolated.

Prerequisites

Requirement   Version
Python        3.10+
Go            1.26.2+ (only for source builds)
Node.js       18+ (only for the OpenClaw plugin, source builds)
Docker        Optional, for local observability and Splunk bundles

Pick an install path

One-line installer (pre-built binaries):

curl -LsSf https://raw.githubusercontent.com/cisco-ai-defense/defenseclaw/main/scripts/install.sh | bash
defenseclaw init

The installer fetches the latest release for your platform, drops the binaries into ~/.local/bin/, and writes nothing else — it does not configure DefenseClaw. The follow-up defenseclaw init does that interactively. Re-running the curl command upgrades in place.

If you'd rather skip the wizard entirely (CI, scripted demos), use the zero-prompt sibling instead:

defenseclaw quickstart --connector codex

Build from source:

git clone https://github.com/cisco-ai-defense/defenseclaw.git
cd defenseclaw
make all
defenseclaw init

make all runs the Python install, builds the Go gateway, builds the OpenClaw plugin, and runs a quick smoke test. The artifacts land in bin/ and on your PATH. Then defenseclaw init walks you through the first-run setup (or run defenseclaw quickstart --connector <x> for the zero-prompt path).

What the install creates

config.yaml
audit.db

Verify

defenseclaw --version
defenseclaw doctor

doctor runs a full health check: it walks the config, pings the gateway, verifies the active connector, surfaces missing API keys, and prints a remediation hint for every red row.
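The on-disk layout this page describes can also be checked independently of doctor. The script below is an added example, not DefenseClaw's own code; go_bits and audit_install are hypothetical names. It assumes config.yaml and audit.db sit directly under ~/.defenseclaw/, and the expectation that the state directory is closed to group and other is this example's baseline, not a mode the page documents.

```shell
#!/bin/sh
# Added example, not DefenseClaw code. Run after `defenseclaw init`.
# Assumption: config.yaml and audit.db sit directly under ~/.defenseclaw/.

# Group+other permission bits of a path, e.g. "------" or "r-xr-x".
go_bits() { ls -ldL "$1" | cut -c5-10; }

# audit_install HOME_DIR [UID]: prints one line per finding and
# returns 0 only when there are none. The body runs in a subshell.
audit_install() (
  home=$1
  uid=${2:-$(id -u)}
  state="$home/.defenseclaw"
  findings=0
  note() { echo "FINDING: $*"; findings=$((findings + 1)); }

  if [ "$uid" -eq 0 ]; then
    note "uid 0: root installs are supported but discouraged"
  fi

  # Binaries on PATH must be executable and not replaceable by other accounts.
  for bin in defenseclaw defenseclaw-gateway; do
    p="$home/.local/bin/$bin"
    if [ ! -x "$p" ]; then
      note "missing or not executable: $p"
      continue
    fi
    case $(go_bits "$p") in
      ?w????|????w?) note "writable by group or other: $p" ;;
    esac
  done

  # The state directory holds the audit log, config and secrets.
  if [ ! -d "$state" ]; then
    note "missing state directory: $state"
  else
    [ "$(go_bits "$state")" = "------" ] ||
      note "accessible to group or other: $state ($(go_bits "$state"))"
    [ -d "$state/.venv" ] || note "missing virtualenv: $state/.venv"
    for f in config.yaml audit.db; do
      [ -f "$state/$f" ] || note "missing: $state/$f"
    done
  fi

  [ "$findings" -eq 0 ]
)

# Usage: audit_install "$HOME" || echo "review the findings above"
```
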

Uninstall

defenseclaw uninstall              # reversible — keeps ~/.defenseclaw/ and binaries
defenseclaw uninstall --all        # also delete ~/.defenseclaw/ (audit log, config, secrets)
defenseclaw uninstall --binaries   # also remove ~/.local/bin/defenseclaw{,-gateway}
defenseclaw uninstall --all --binaries --yes   # full nuke, no confirm prompt

The default tears down connector integrations (restores ~/.codex/config.toml, ~/.claude/settings.json, etc. from byte-for-byte backups) but leaves ~/.defenseclaw/ and the installed binaries on disk so a subsequent defenseclaw setup guardrail can pick up where you left off. Use --all and/or --binaries to make the removal total. --dry-run previews the plan.
