Brex, the $12 billion corporate card and spend management company, just open-sourced CrabTrap on GitHub, and it addresses the single biggest operational risk facing anyone deploying AI agents in production: how do you stop an agent from doing something destructive with the API keys you gave it? The repo already has over 700 stars, and for good reason. CrabTrap is not another SDK wrapper or framework plugin. It is an HTTP/HTTPS proxy that sits between your AI agent and every external API it calls, evaluating each request against security policies before anything reaches the internet.

What CrabTrac Does That Nothing Else Does

The core insight behind CrabTrap is that the transport layer is the right place to enforce AI agent security. By operating as a forward proxy at the HTTP/HTTPS level, it becomes completely agnostic to which agent framework, programming language, or SDK the agent uses. You set the HTTP_PROXY and HTTPS_PROXY environment variables to point at CrabTrap, and every outbound request from the agent routes through it automatically. No SDK integration, no wrapper functions, no per-tool configuration. If the agent can make an HTTP request, CrabTrap can inspect it.

For HTTPS traffic, which is most production API calls, CrabTrap performs TLS interception. It generates a per-host certificate signed by its own certificate authority, terminates the TLS connection from the agent, inspects the decrypted request, then opens a separate TLS connection to the upstream API. This is the same technique enterprise security proxies have used for decades, but applied specifically to the AI agent architecture.

Every request is evaluated in two stages. First, deterministic static rules match the URL against prefix, exact, or glob patterns. These compile to cached regular expressions and execute in microseconds. Deny rules always take priority over allow rules. For the typical patterns an agent follows, static rules handle the fast path instantly. But static rules cannot cover every possible URL an agent might call. That is where the second stage comes in.

LLM-as-a-Judge: The Killer Feature

If no static rule matches a request, CrabTrap sends it to an LLM judge. The judge receives the full request context as a structured JSON object including the method, URL, headers, and body, along with a natural-language security policy assigned to that agent. The LLM returns a structured decision: ALLOW or DENY, with a reason. This is where CrabTrap diverges from every existing approach. MCP gateways enforce policy at the protocol layer but only for MCP traffic. LLM provider guardrails are tied to a single model and opaque to customize. Solutions like NVIDIA OpenShell operate at the sandbox level rather than the request level. CrabTrap makes nuanced, context-aware decisions about every outbound call.

The prompt engineering problem here is nontrivial. CrabTrap sends user-controlled content as JSON-escaped fields rather than interpolated raw text, preventing prompt injection through crafted URLs, headers, or body content. Security-relevant headers are prioritized and total header content is capped at 4KB to prevent prompt inflation attacks that stuff headers with junk to displace the policy from the context window. Request bodies are truncated at 16KB with an explicit warning to the model. Multipart requests are replaced with a structured summary of each part.

Brex also built two supporting systems that make CrabTrap practical. The policy builder is itself powered by an agentic loop that analyzes the agent's historical traffic, samples representative network calls, and drafts a natural-language policy matching the agent's real behavior. The eval system replays historical audit log entries against a draft policy and reports what would change with any policy updates. This means you do not need to write a perfect policy from scratch. You observe what your agent does, have LLMs generate a policy from that behavior, test it against historical data, and deploy it.

Production Architecture and Security Features

CrabTrap ships as a Docker container that runs alongside PostgreSQL. The admin UI runs on port 8081 and provides an audit trail viewer, policy editor, eval results, and agent management. Security features include SSRF protection that blocks requests to private networks with DNS rebinding prevention, per-IP token bucket rate limiting with configurable defaults, a circuit breaker that trips after five consecutive LLM failures and reopens after a 10-second cooldown, and denial alerting that notifies bot managers when a new URL pattern is blocked.

The configuration is defined through a YAML file with sections for proxy settings (port, timeouts, rate limits), TLS (CA cert paths, certificate cache size), approval mode (LLM or passthrough, with configurable timeout), LLM judge provider and model IDs, database connection, audit output destination, and alerting cooldown. A fallback mode lets you choose whether denied requests default to deny or passthrough when the LLM judge is unavailable.

Brex has been running CrabTrap in production with OpenClaw agents doing real work in their corporate environment. Their learnings are worth noting: policies derived from traffic analysis are surprisingly strong and require minimal editing. The eval system catches edge cases before they reach production. And the two-tier evaluation architecture means the most common patterns resolve in microseconds while the long tail gets intelligent judgment.

Comparison to Alternatives

The existing landscape for AI agent security falls into three camps. MCP gateways enforce policy at the protocol layer but only protect agents that use MCP, which is a subset of agent traffic. LLM provider guardrails from OpenAI, Anthropic, and others are tied to a single model and do not let you define custom enterprise policies. Per-sandbox egress controls like NVIDIA OpenShell block at the container level rather than the individual request level. CrabTrap is the only solution that operates at the transport layer, works with any framework and any API, and makes per-request decisions using both deterministic rules and LLM judgment.

The quickstart is straightforward. Run docker compose up -d to start CrabTrap and PostgreSQL. Copy the generated CA certificate. Create an admin user, generate an agent token, and point your agent at the proxy with curl -x http://token:@localhost:8080 --cacert ca.crt https://api.example.com/endpoint. The full setup takes about five minutes.

Who This Is For

CrabTrap is for any founder or engineering team deploying AI agents that call external APIs. If you are building with OpenClaw, LangChain, AutoGPT, or any agent framework where the agent has credentials to real services, CrabTrap gives you a production-grade security layer without requiring changes to your agent code. It is also relevant for platform teams building internal AI agent infrastructure who need audit trails, policy enforcement, and compliance documentation. The MIT license means there is no barrier to adopting it, modifying it, or contributing back. The repo is at github.com/brexhq/CrabTrap, and the Brex engineering blog has a detailed post walking through the architectural decisions behind it.