An AI agent is handed tools, secrets, and untrusted input, then acts on its own. Declaw runs it in a hardened microVM, with security primitives enforced in the runtime itself — where the agent can’t route around them.
One substrate — runtime and security fused. You choose what to enforce, per sandbox.
A container shares the host kernel — one escape reaches the host and every workload on it. A microVM gives every agent its own kernel, and still starts in milliseconds.
An agent takes untrusted input, calls unaudited tools, runs unreviewed code, and holds real credentials. Every one is a way in.
Memory · supply chain · multi-agent live above the runtime — bounded, not solved; those layers pair alongside.
Your agent
runs inside the microVM
Network policy
allowlist enforced
Guardrails
PII + injection
Credential vault
secret injected
Internet
clean traffic out
The agent runs inside the microVM; its outbound traffic is inspected by the per-sandbox proxy it can’t bypass.
audit log
declaw mcp -- <server> wraps any MCP server in a sandboxThe agent’s plan-and-tool loop runs inside the VM — so you can checkpoint a live agent, branch it, park it, and bring it back. Not a one-shot code cell.
Pick a sandbox and see its whole run history — who triggered each run, with what input, which were attacks, and what fired.
Don’t take our word for it — attack a live agent yourself in the arena.