San Jose, California
It took just three weeks after OpenClaw, a popular AI agent framework, went viral for security researchers to discover CVE-2026-25253, a critical code-execution vulnerability affecting over 135,000 exposed instances. By the time teams rushed to patch the issue, the ClawHavoc attack had already added 800 malicious skills to the ClawHub app registry, with one in five spreading info stealers. For thousands of US companies now using AI agents in their daily operations, this incident served as a clear warning. Cisco DefenseClaw was created as a direct response, and it is available for free.
What Cisco DefenseClaw Actually Is
Cisco DefenseClaw is an open-source guardrail framework introduced at the RSA Conference in San Francisco on March 23, 2026. It is built for the era of agentic AI, which means software that not only answers questions but also takes actions for businesses. DefenseClaw provides a single automated security process for building, deploying, and continuously monitoring AI agents.
For example, an AI agent in a mid-sized accounting firm might be allowed to read invoices, create payment summaries, and mark discrepancies. Without security in place, a compromised plugin could instruct the agent to steal client tax records, change ledger files, and/or connect to an unauthorized server. Cisco DefenseClaw monitors all these actions in real time and blocks anything that breaks policy before harm is done.
A recent Cisco survey of large enterprise customers showed that 85% have tried using AI agents, but only 5% have put them into full production. This gap is not about technology. It is about trust. Companies need proof that an agent acting independently will not do something harmful.
How Behavior Monitoring Works Inside DefenseClaw
DefenseClaw consists of a Python operator CLI, a Go gateway sidecar, and an OpenClaw TypeScript plugin. These components work together to ensure that any untrusted agent capability is scanned, managed, and blocked if it is unsafe under policy.
The framework’s behavior monitoring works at two checkpoints. The first is admission control, which means nothing enters the agent environment without being scanned first.
When you install a skill, a plugin, or an MCP server using the DefenseClaw CLI, it is scanned before being allowed into your environment. The framework also continuously monitors the relevant directories for changes, whether they are manually added plugins, copied skills, or additions from another process. If it finds anything critical or high risk, it takes action and logs every event.
The second checkpoint is runtime, when the system actually stops rogue AI as it occurs. The framework constantly scans messages entering and leaving the agent’s execution loop. If an agent starts acting strangely during a task, it is stopped immediately.
The Four Tools That Form The Open Source Guardrail
Cisco DefenseClaw brings together a skills scanner, an MCP scanner, an AI bill of materials, and CodeGuard. This setup makes sure every skill is scanned and sandboxed, every MCP server is checked, and every AI asset is automatically tracked. As a result, developers can deploy secure agents faster and with more confidence.
The CodeGuard component is especially important because it deals with errors that many security teams have not yet considered. Modern AI agents do more than follow pre-written instructions. They also create new code as they work. When an agent writes code, CodeGuard scans it before it runs, catching mistakes before they cause problems in production. For example, a faulty command that could have deleted a system folder is stopped before it reaches the operating system.
The MCP scanner checks the integrity of every MCP server an agent uses, ensures it is on the approved allow list, and monitors the endpoint for any changes over time. If a server is blocked, DefenseClaw removes it from the network protection allow list and stops all future connections at the OpenShell level.
Enforcement actions happen within two seconds and do not require restarting the agent. This is important in production situations where downtime can be expensive.
App Control, Network Protection, And the Splunk Integration
A security tool is only as helpful as the insights it provides to the teams that need to act on its findings. As soon as you activate DefenseClaw, every scan result, block decision, prompt response, tool call, policy action, and alert is sent to Splunk as a structured event. There is no need for extra setup or custom pipelines. Security teams already using Splunk do not need a new dashboard. Agent security events appear in the same data environment they use daily.
The app control layer is part of Cisco’s larger identity platform. With the new features, you can register AI agents in Duo IAM and track which employees use them. After registration, administrators can set rules for which tools each agent can access. For example, an AI application might be allowed to view information in a financial database, but not change it. This degree of detail is what makes real app control different from just checking a compliance box.
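Putting the two checkpoints, the MCP allow list, the per-tool permissions and the structured event stream together, here is an added illustration in Python of how such a guardrail reaches its decisions. It is not DefenseClaw's own code; the policy, tool names, server URL and event shape are constructed for the example and modelled on the accounting scenario above.

```python
import json

# Constructed policy (hypothetical names): the agent may read invoices and flag
# discrepancies, but not write to the ledger, and may only use approved MCP servers.
POLICY = {
    "agent": "invoice-assistant",
    "allowed_tools": {"read_invoice": "read", "summarize_payments": "read",
                      "flag_discrepancy": "read", "update_ledger": "write"},
    "write_allowed": False,
    "mcp_allowlist": {"https://mcp.finance.example"},
}

# Ordered structured events, as a Splunk-style sink would receive them.
EVENTS = []

def emit(kind, **fields):
    event = {"event": kind, "agent": POLICY["agent"], **fields}
    EVENTS.append(event)
    print(json.dumps(event))  # one JSON line per decision
    return event

def admit_skill(manifest):
    """Admission control: scan a skill manifest before it enters the environment.
    Any declared endpoint outside the MCP allow list is treated as high risk."""
    unlisted = [ep for ep in manifest.get("endpoints", [])
                if ep not in POLICY["mcp_allowlist"]]
    decision = "block" if unlisted else "allow"
    emit("skill_scan", skill=manifest["name"], decision=decision,
         unlisted_endpoints=unlisted)
    return decision

def check_tool_call(call):
    """Runtime checkpoint: evaluate one tool call against the policy
    without restarting the agent."""
    mode = POLICY["allowed_tools"].get(call["tool"])
    server = call.get("server")
    if mode is None:
        decision, reason = "block", "tool not in allow list"
    elif mode == "write" and not POLICY["write_allowed"]:
        decision, reason = "block", "write access not granted"
    elif server and server not in POLICY["mcp_allowlist"]:
        decision, reason = "block", "MCP server not on allow list"
    else:
        decision, reason = "allow", "matches policy"
    emit("tool_call", tool=call["tool"], decision=decision, reason=reason)
    return decision

if __name__ == "__main__":
    admit_skill({"name": "ledger-helper", "endpoints": ["https://unknown.example"]})
    check_tool_call({"tool": "read_invoice", "server": "https://mcp.finance.example"})
    check_tool_call({"tool": "update_ledger"})
```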
Cisco DefenseClaw Open Source Agent Security Setup, and What It Costs
The cost question has a simple answer: it is free. Cisco DefenseClaw is available on GitHub as of March 27, 2026. By choosing to open source it rather than make it a paid product, Cisco shows that the industry views agent security as a shared standard, not something to keep behind closed doors.
For teams interested in trying the Cisco DefenseClaw open-source agent security setup, the governance layer runs on top of OpenShell and uses Cisco’s open-source scanners. A developer can set it up in under 5 minutes. The GitHub repository includes a comprehensive quick start guide covering CLI setup, guardrail activation, skill scanning, and gateway startup.
The bigger point goes beyond just one product. When 85% of companies are testing AI agents but only 5% trust them enough to use them widely, the real issue is not engineering. It is trust. Cisco believes that by establishing trusted identities, implementing zero-trust access controls, securing agents before they are deployed, and maintaining guardrails during use, security can be built into the core of the new AI economy rather than added after problems occur. For US companies weighing the benefits of automation against the risks of a major bot misstep, this foundation is now available and free to install.
Source: Talking strategy, M&A, and accelerating Cisco innovation with Ammar Maraqa