What is DefenseClaw?
A 60-second pitch — DefenseClaw is the Cisco governance layer that wraps every AI coding agent (Claude Code, Codex, Cursor, OpenClaw, and more) with policy, audit, and human-in-the-loop approvals.
DefenseClaw is the enforcement and evidence layer for AI coding agents. It sits between your agent (Claude Code, Codex, Cursor, OpenClaw, ...) and the rest of the world, and answers three questions for you, by default:
- What is this agent allowed to do? Skills, MCP servers, plugins, and generated code are scanned before they run.
- What is the agent doing right now? Prompts, completions, tool calls, and sandbox activity are inspected at runtime.
- What did the agent do? Every decision lands in an SQLite audit DB and your existing telemetry sinks (OTLP, Splunk, webhooks).
Three modes, one command
Observe
Log everything, block nothing. Use this for the first week.
Action
Block on HIGH and CRITICAL. CRITICAL always wins.
HITL
Pause eligible actions on native-ask events. Other connector events preserve the confirm intent in audit and apply an immediate fallback.
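The three modes reduce to a small decision table. The Go sketch below is an added illustration, not code from defenseclaw-gateway; it assumes that an event carries one or more findings with severities and that the highest one decides ("CRITICAL always wins"), that HITL-eligible actions are those Action mode would block, and that a connector without a native-ask event falls back to the Action outcome.

```go
// Decision table for DefenseClaw's three modes: an added illustration, not the
// defenseclaw-gateway source. Assumed: the highest finding severity decides
// ("CRITICAL always wins"); HITL-eligible actions are those Action mode would
// block; connectors without native-ask fall back to the Action outcome.
package main

import "fmt"

type Mode string
type Severity int
type Outcome string

const (
	Observe, Action, HITL       Mode     = "observe", "action", "hitl"
	Low, Medium, High, Critical Severity = 0, 1, 2, 3
	Allow, Block, Pause         Outcome  = "allow", "block", "pause" // pause = hold for a human
)

type Event struct { // one prompt, completion or tool call as seen by the gateway
	Findings  []Severity // severities from scanners and runtime inspection
	NativeAsk bool       // connector can raise a human-confirm prompt for it
}

// Decide applies the mode to the worst finding; returns the outcome and the audit note.
func Decide(mode Mode, ev Event) (Outcome, string) {
	sev := Low
	for _, s := range ev.Findings {
		if s > sev {
			sev = s // highest severity wins, whatever else was found
		}
	}
	risky := sev >= High // HIGH or CRITICAL
	switch {
	case mode == Observe:
		return Allow, fmt.Sprintf("observe: severity %d logged, nothing blocked", sev)
	case mode == Action && risky:
		return Block, fmt.Sprintf("action: blocked at severity %d", sev)
	case mode == HITL && risky && ev.NativeAsk:
		return Pause, "hitl: paused on native-ask event for human confirmation"
	case mode == HITL && risky:
		return Block, "hitl: confirm intent preserved in audit, immediate fallback to block"
	}
	return Allow, "below HIGH: allowed"
}

func main() {
	ev := Event{Findings: []Severity{Low, Critical}} // constructed sample event, no native-ask
	fmt.Println(Decide(HITL, ev))                   // prints: block hitl: confirm intent preserved in audit, immediate fallback to block
}
```

Run it with different modes and NativeAsk values to see how the same CRITICAL finding is logged, blocked, or paused.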
Why a separate sidecar?
Inserting an inspection step inside the agent process means every agent has to grow its own copy. DefenseClaw moves the inspection out of the agent and into a single Go sidecar (defenseclaw-gateway), so:
- The agent does not need to be modified — connectors are written for the agent (Claude Code's hooks, Codex's config.toml, Cursor's hooks.json, OpenClaw's plugin).
- One audit log covers every agent the operator runs.
- One config file serves every connector — there is exactly one ~/.defenseclaw/config.yaml. The OPA admission policy is shared across all connectors, while guardrail posture (mode, fail mode, HITL, block message, rule pack) can optionally be set per connector when one gateway serves several hook connectors at once. See Multi-connector.
Where DefenseClaw sits
What DefenseClaw is not
DefenseClaw does not prove an agent's behaviour is safe. It improves safety by combining static scanner results, runtime inspection, policy decisions, sandbox controls, and audit trails. High-risk deployments should pair it with human review, least-privilege credentials, sandboxing, CI gates, and production monitoring.