Brex released CrabTrap as open-source software on Thursday, giving enterprises a transport-layer proxy that intercepts every network request an AI agent makes and decides whether to allow or block it. The tool uses an LLM-as-a-judge architecture combined with deterministic static rules to enforce security policy without requiring per-tool SDK integration or framework-specific wrappers.

“Every request an agent makes is an opportunity to intercept, reason about, and make a policy decision,” Brex co-founder and CEO Pedro Franceschi told VentureBeat. “The network layer was an untapped enforcement point.”

How CrabTrap Works

The proxy operates at the transport layer. Deployers set HTTP_PROXY and HTTPS_PROXY environment variables in an agent’s runtime, routing all outbound traffic through CrabTrap before it reaches any destination. For HTTPS, CrabTrap performs TLS interception by generating per-host certificates signed by its own CA. Optional iptables rules in the agent’s container can block direct outbound connections that bypass the proxy entirely.

Requests pass through two evaluation stages, according to the Brex engineering blog. First, deterministic static rules match against URL patterns and HTTP methods. Deny rules always take priority. These compile to cached regexps and execute in microseconds. If no static rule matches, the request goes to an LLM judge that receives the full request context alongside a natural-language policy for that specific agent.

For a mature agent, the LLM judge fires on fewer than 3% of requests, Franceschi told VentureBeat. Agents settle into predictable traffic patterns quickly, and once those patterns are observed, they become static rules. Using small, fast models like Claude Haiku keeps added latency “negligible” even when the judge activates.

Policy from Observation, Not Prediction

The more distinctive design choice is how policies get written. Brex built a policy builder (itself an agentic loop) that runs agents in shadow mode, analyzes historic network traffic, samples representative calls, and drafts a natural-language policy matching the agent’s real behavior. Franceschi described the philosophy directly: “Our key insight was to bootstrap policy from observed behavior rather than write it from scratch.”

An eval system tests policy changes before they go live by replaying historical audit entries against a draft policy and reporting exactly what would change. Results can be sliced by method, URL, original decision, and agreement status using concurrent judge calls that replay thousands of requests in minutes, per the Brex blog.

A live feedback loop stores full audit trails in PostgreSQL. When a resource is continuously denied, the system can notify a human or agent to propose a policy update for review.

Why Existing Approaches Fell Short

Franceschi laid out the specific limitations Brex encountered before building CrabTrap. Fine-grained API tokens constrain functionality. Semantic guardrails via prompt steering are “easily bypassed by prompt injection, especially for agents connected to the internet.” MCP gateways enforce policy only for traffic using MCP. LLM provider guardrails are tied to a single model and “opaque” to customize. NVIDIA OpenShell provides per-sandbox egress control but not cross-framework governance.

“When we started, we hadn’t found a solution to deploying harnesses like OpenClaw safely,” Franceschi told VentureBeat. “Instead of waiting for the industry to catch up, we decided to own the problem and invent the necessary tools.”

The Governance Layer Enterprise Agents Need

CrabTrap is framework-agnostic, language-agnostic, and API-agnostic by design. That positions it as a governance layer that can sit in front of OpenClaw, LangChain, or any other agent harness without requiring those frameworks to build in security controls themselves. For enterprises that have been hesitant to move agents from pilot to production because of credential and API safety concerns, CrabTrap offers a concrete reference implementation: observe first, enforce second, refine continuously.