Breaking
Quantum Computing

AI Agent Security Policy Learns From Traffic

By Lorenzo Ferretti 3 min read
AI Agent Security Policy Learns From Traffic - ai agent security
AI Agent Security Policy Learns From Traffic

Brex has released an open-source security tool called CrabTrap to manage AI agents inside corporate networks. The platform acts as an HTTP/HTTPS proxy that sits between agents and external APIs, using a language model to evaluate requests based on observed behavior rather than static rules. Brex co-founder and CEO Pedro Franceschi noted that the company built the system after finding that existing guardrails were insufficient for containing agents using real credentials like OAuth tokens or API keys.

Traditional agent security focuses on scoped tools and model guardrails, but Franceschi argued that this approach creates a trade-off between safety and capability. He explained that agents connected to the open internet become more dangerous as they gain more tools, while restricting them to read-only access limits their usefulness. Brex needed a way to enforce policy at the transport layer, which is framework-agnostic and does not require SDK wrappers or per-tool integration.

Franceschi emphasized that the transport layer was simply an underinvested area for enforcement, not the only solution. CrabTrap intercepts every outbound request, and the system combines deterministic static rules with a language model for unfamiliar traffic. This judge only activates on the long tail of requests—typically fewer than 3% of the total—which keeps performance acceptable. Brex addressed latency concerns by using small, fast models like Claude Haiku, so the added overhead is negligible.

One technical challenge involved prompt injection, where user-controlled content in URLs or headers could manipulate the judge’s decision. Brex structured HTTP requests as JSON objects before sending them to the model, ensuring that user-controlled content is escaped rather than interpolated as raw text. The system also runs an eval process that compares historical audit entries against a draft policy, allowing users to see exactly how changes will affect existing traffic.

Franceschi said the most significant advantage of CrabTrap is the ability to bootstrap policy from observed behavior rather than writing rules from scratch. The team built a policy builder that runs agents in shadow mode to analyze historic network traffic and draft natural-language policies that match actual usage. This approach proved more effective than starting with a blank page, and the resulting policies matched human judgment on the vast majority of test cases.

The proxy also revealed how much noise agents generate. The audit trail made previously invisible traffic patterns clear, allowing the team to tighten agent configurations and remove tools that were wasting resources. Franceschi described CrabTrap as a discovery tool as well as an enforcement layer, and the platform has attracted more than 700 stars on GitHub since its release. He advised other builders not to wait for the industry to catch up, noting that infrastructure gaps should not prevent the deployment of AI agents.

Franceschi observed that many organizations struggle with [a full evaluation gap](https://qui-recherche.info/enterprise-ai-evaluation-gap.html) before they even begin deployment. He noted that companies often rush to implement [zero trust architecture](https://qui-recherche.info/zero-trust-architecture-agent-speed.html) without first understanding how agents behave in their specific environments. By using a network-based proxy, CrabTrap solves these problems by providing visibility into every request without requiring changes to application code.

Lorenzo Ferretti

Leave a Reply

Your email address will not be published. Required fields are marked *