Brex open-sourced the agent firewall they actually run in production
Brex just published CrabTrap, an HTTP proxy that sits between your agents and the outside internet, decides every outbound request with either a deterministic rule or an LLM-as-judge, and logs the whole thing to Postgres. It is not a demo. It is what Brex runs to keep their own agents from doing something stupid.
The threat model is simple and nobody else has cleanly shipped a tool for it. An agent that can call Slack, Gmail, GitHub, or anything else is one prompt-injection away from sending internal docs to an attacker-controlled URL. Static allowlists break the moment the agent needs to hit a URL you did not predict. CrabTrap hits the pragmatic middle, URL pattern rules decide instantly when they match, anything else goes to an LLM judge evaluating the request against a natural-language security policy you wrote. Every decision is recorded, every policy is evaluable against replay logs.
The engineering is the giveaway that this is production code. TLS termination with custom certs so it can actually see HTTPS payloads. SSRF protection covering RFC 1918, loopback, link-local, CGNAT, and IPv6 ULA with DNS-rebinding defense. Prompt injection defense that JSON-encodes payloads before handing them to the judge so the judge cannot get hijacked by the traffic it is inspecting. There is even a policy builder that reads observed traffic and drafts security policies for you. That is the kind of detail you only add after an agent tried to do something stupid.
Timing-wise CrabTrap lands in the same week Anthropic sanctioned official Claude Code distribution, Capsule Security raised 7M on agent-runtime security, and OX Security disclosed the MCP supply-chain vuln. Agent security has stopped being a thesis slide and started being shipped infra, and the category is consolidating fast. Brex giving away their internal tool is going to make life harder for the startups trying to sell it.
Repo at https://github.com/brexhq/CrabTrap and product page at https://www.brex.com/crabtrap.
← Back to all articles
The threat model is simple and nobody else has cleanly shipped a tool for it. An agent that can call Slack, Gmail, GitHub, or anything else is one prompt-injection away from sending internal docs to an attacker-controlled URL. Static allowlists break the moment the agent needs to hit a URL you did not predict. CrabTrap hits the pragmatic middle, URL pattern rules decide instantly when they match, anything else goes to an LLM judge evaluating the request against a natural-language security policy you wrote. Every decision is recorded, every policy is evaluable against replay logs.
The engineering is the giveaway that this is production code. TLS termination with custom certs so it can actually see HTTPS payloads. SSRF protection covering RFC 1918, loopback, link-local, CGNAT, and IPv6 ULA with DNS-rebinding defense. Prompt injection defense that JSON-encodes payloads before handing them to the judge so the judge cannot get hijacked by the traffic it is inspecting. There is even a policy builder that reads observed traffic and drafts security policies for you. That is the kind of detail you only add after an agent tried to do something stupid.
Timing-wise CrabTrap lands in the same week Anthropic sanctioned official Claude Code distribution, Capsule Security raised 7M on agent-runtime security, and OX Security disclosed the MCP supply-chain vuln. Agent security has stopped being a thesis slide and started being shipped infra, and the category is consolidating fast. Brex giving away their internal tool is going to make life harder for the startups trying to sell it.
Repo at https://github.com/brexhq/CrabTrap and product page at https://www.brex.com/crabtrap.
Comments