What is Declaw?

Declaw provides secure sandboxes for AI agents. When your agent needs to execute code, run shell commands, or call external APIs, Declaw isolates that execution in a Firecracker microVM and transparently intercepts all outbound traffic before it leaves the sandbox. Every sandbox is a full Linux environment with its own filesystem, process tree, and network namespace. The security proxy sits between the sandbox and the internet, scanning every HTTP and HTTPS request for PII, prompt injection payloads, and policy violations — without requiring any changes to the code running inside.

Firecracker MicroVM Isolation

Each sandbox runs in a dedicated VM with an independent filesystem, process tree, and network namespace. No sandbox can see or affect another.

MITM Security Proxy

A transparent TLS interceptor sits on the network path out of every sandbox. It inspects both HTTP and HTTPS traffic before it reaches the internet.

PII Redaction

Automatically detect and redact SSNs, credit card numbers, email addresses, phone numbers, API keys, and more in outbound HTTP request bodies.

Prompt Injection Defense

Score outbound LLM API calls against a prompt injection detection model. Block or audit requests that carry adversarial instructions.

Network Policy Engine

Domain allowlists, denylists, and IP CIDR rules enforced at the TCP layer. Block cloud metadata service access (169.254.169.254) by default.
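
The decision the policy engine has to make for each outbound TCP connection, shown as an added illustration that is not Declaw's own code or its SecurityPolicy API. The policy class, the `*.example.com` wildcard syntax and the sample addresses are assumptions; the point it demonstrates is that the default metadata-service block is checked against the destination IP before any domain rule, so an allowlisted name cannot be used to reach 169.254.169.254.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical policy shape for illustration only; it is not Declaw's SecurityPolicy API.
@dataclass
class NetworkPolicy:
    allow_domains: list = field(default_factory=list)  # empty = not in allowlist mode
    deny_domains: list = field(default_factory=list)
    # The cloud metadata service is denied by default and checked before any domain rule.
    deny_cidrs: list = field(default_factory=lambda: ["169.254.169.254/32"])

def domain_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*.example.com' for subdomains (never the bare apex)."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern

def decide(policy: NetworkPolicy, host: Optional[str], dest_ip: str) -> tuple:
    """Decide one outbound TCP connection; returns ('allow'|'deny', reason).
    host is the name from SNI or the Host header (None for raw TCP); dest_ip is
    the address actually connected to, so a name resolving into a denied range
    (e.g. via DNS rebinding) is still blocked."""
    ip = ipaddress.ip_address(dest_ip)
    for cidr in policy.deny_cidrs:
        if ip in ipaddress.ip_network(cidr, strict=False):
            return "deny", f"{dest_ip} is inside denied range {cidr}"
    if host is not None:
        for pat in policy.deny_domains:
            if domain_matches(pat, host):
                return "deny", f"{host} matches denylist entry {pat}"
        for pat in policy.allow_domains:
            if domain_matches(pat, host):
                return "allow", f"{host} matches allowlist entry {pat}"
    if policy.allow_domains:  # allowlist mode: unmatched or nameless connections are denied
        return "deny", "no allowlist entry matched" if host else "no hostname on connection"
    return "allow", "no rule matched and policy has no allowlist"

# Constructed sample policy and connections (RFC 5737 documentation addresses)
POLICY = NetworkPolicy(allow_domains=["api.openai.com", "*.github.com"], deny_domains=["gist.github.com"])
SAMPLE = [
    ("api.openai.com", "192.0.2.10"),        # allow: on the allowlist
    ("gist.github.com", "198.51.100.7"),     # deny: denylist beats the wildcard allow
    ("api.openai.com", "169.254.169.254"),   # deny: metadata IP, even behind an allowed name
    (None, "203.0.113.5"),                   # deny: raw TCP with no name in allowlist mode
]

def evaluate(policy=POLICY, connections=SAMPLE):
    return [(h, ip) + decide(policy, h, ip) for h, ip in connections]
```

Each row returned by `evaluate()` is `(host, ip, verdict, reason)`, which is the shape a blocked-connection audit entry would need to carry.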

Audit Logging

Record every intercepted request, PII detection, policy violation, and blocked connection. Query audit entries from the SDK.

Why Declaw?

AI agents execute code that neither you nor the agent fully controls. The agent might:
  • Receive a prompt injection payload hidden in a web page it scraped
  • Call an LLM API with a user’s SSN or credit card number in the request body
  • Exfiltrate credentials to an attacker-controlled endpoint
  • Access the cloud metadata service to steal instance credentials
Standard process isolation or Docker containers address none of this. They do not inspect outbound traffic, do not detect PII, and do not defend against prompt injection at the network layer. Declaw solves these problems by combining VM-level isolation with a programmable security proxy:

| Problem | Declaw solution |
| --- | --- |
| Code execution escapes the sandbox | Firecracker microVM — hardware-enforced isolation |
| Agent leaks PII in an API call | MITM proxy redacts PII before the request leaves the VM |
| Prompt injection via external data | Injection defense model scores and blocks malicious payloads |
| Unrestricted outbound network access | Domain allowlist/denylist enforced at the TCP layer |
| No audit trail | Audit log records all security events and blocked requests |

Key Concepts

  • Sandbox — a Firecracker microVM with its own filesystem, processes, and network namespace. Created on demand, destroyed after use.
  • Security Policy — a single object that composes PII config, injection defense, network rules, transformation rules, and audit settings. Attached to a sandbox at creation time.
  • envd — a lightweight HTTP daemon running inside every VM that exposes the filesystem and process APIs used by the SDK.
  • Security Proxy — the transparent MITM interceptor that sits on every packet leaving a sandbox. Only activated when a SecurityPolicy requires TLS interception.
Read the Concepts page for a full mental model, or jump straight to the Quickstart to run your first sandbox in five minutes.