Enterprise developers are currently hitting a wall with AI agent deployment. While frameworks like OpenClaw make it easy to build agents that can call APIs and browse the web, the transition from a successful prototype to a production-ready system is fraught with anxiety. Most teams rely on SDK-level permissions or model-based guardrails, but these are often porous. Once an agent is live, the gap between what a developer intended and what the agent actually executes in the wild becomes a significant security liability. The industry is realizing that trusting the model to follow instructions is not a governance strategy.
The Architecture of Network-Level Interception
To solve this, Brex has introduced CrabTrap, an open-source HTTP/HTTPS proxy platform designed specifically to intercept and govern AI agent requests. Unlike traditional security layers that sit at the application level, CrabTrap operates at the transport layer. This makes the system entirely agnostic to the framework, programming language, or specific API the agent is using. Implementation is intentionally minimal; developers simply need to configure the `HTTP_PROXY` and `HTTPS_PROXY` environment variables within the agent's environment to route all outbound traffic through the proxy.
Inside CrabTrap, the decision-making process is split into a hybrid pipeline to balance security with performance. The system first applies deterministic static rules to handle high-frequency, known traffic patterns. For the long-tail of requests—those involving unfamiliar endpoints or unusual request structures—the system invokes an LLM-as-a-judge. Brex utilizes Claude Haiku for this role due to its rapid response times. In real-world operational data, this hybrid approach ensures that the LLM judge is only called for less than 3% of total requests, preventing the governance layer from becoming a bottleneck. Every single request and decision is recorded in a PostgreSQL database, providing a comprehensive audit trail that administrators can query via a dedicated API and dashboard.
From Static Permissions to Dynamic Bootstrapping
The true shift in CrabTrap's approach is not just the interception, but how the policies are created. Most security tools require administrators to define a strict allow-list before deployment, which is nearly impossible for autonomous agents whose behavior is non-deterministic. Brex instead implements a bootstrapping pipeline based on observation. This process begins with Shadow Mode, where the agent runs in a production-like environment and the proxy collects network traffic without actually blocking any requests. This allows the team to see exactly what the agent wants to do without breaking the workflow.
Once enough data is collected, the system samples representative call patterns and feeds them into a Policy Builder—an internal agent loop that translates observed behavior into natural language policy drafts. These drafts are then put through an evaluation phase where they are tested against historical audit logs. Operators can slice the results by method, URL, and original decision to see exactly how a new policy would have changed the outcome of past requests. This transforms policy creation from a guessing game into an empirical science.
Security is further hardened by how the LLM judge receives data. To prevent prompt injection attacks where an agent might try to trick the judge into approving a malicious request, CrabTrap avoids simple text interpolation. Instead, it wraps the HTTP request details into a structured JSON object. By forcing the model to treat user-controlled content as escaped data rather than executable instructions, the system effectively neutralizes the risk of the judge being manipulated by the very traffic it is meant to monitor.
This architectural choice places CrabTrap in a different category than other emerging standards. While the Model Context Protocol (MCP) focuses on policy enforcement at the protocol layer and Nvidia OpenShell provides sandbox-based egress control, CrabTrap asserts control at the transport layer. This allows it to catch everything that leaves the system, regardless of the protocol or the sandbox configuration. By combining this with the use of small, fast models like Claude Haiku and a path toward local model integration and prompt caching, Brex has minimized the latency penalty that usually kills the utility of LLM-based firewalls.
Beyond security, this visibility allows operators to identify and eliminate noise. By analyzing rejected logs, developers can find unnecessary tool calls and refine the agent's primary prompts to optimize request categories. This creates a feedback loop where governance actually improves the agent's efficiency and reduces token costs.
Developers must now move past the static question of which permissions to grant and instead focus on the dynamic reality of how an agent behaves and how to refine that behavior over time.



