Declaw · secure runtime
Zero-trust by construction

Secure runtime
for AI agents

An AI agent is handed tools, secrets, and untrusted input, then acts on its own. Declaw runs it in a hardened microVM, with security primitives enforced in the runtime itself — where the agent can’t route around them.

One substrate — runtime and security fused. You choose what to enforce, per sandbox.

Declaw · runtime
The Agent untrusted · tools · secrets · model access
Why a microVM, not a container

The isolation of a VM.
The speed of a container.

A container shares the host kernel — one escape reaches the host and every workload on it. A microVM gives every agent its own kernel, and still starts in milliseconds.

Container
shared kernel · e.g. K8s pod
Boundaryhost kernel (shared)
Cold startmilliseconds
Blast radiushost-wide
Footprintlight · shared
Classic VM
dedicated kernel
Boundaryhardware (KVM)
Cold starttens of seconds
Blast radiuscontained · one VM
Footprintheavy · slow to cycle
Declaw microVM
dedicated kernel · Firecracker
Boundaryhardware (KVM)
Cold start~40 ms · warm-pool instant
Blast radiuscontained · one VM
Footprintlight · fast to cycle
The attack surface

The moment an agent runs,
this is the attack surface.

An agent takes untrusted input, calls unaudited tools, runs unreviewed code, and holds real credentials. Every one is a way in.

Prompt injection & goal hijack
Hidden instructions in docs, web pages, or tool output redirect the agent’s plan.
Tool misuse & excessive agency
The agent is steered into abusing its tools, or chaining them into harm.
>_
Code execution & escape
Agent-run code reaches for RCE, container escape, or kernel privesc.
Data exfiltration & egress
Private data shipped out — or SSRF to cloud-metadata steals the machine’s credentials.
Secrets & credential abuse
Credentials in env or on disk get read and shipped out in one request.
Memory, supply chain & multi-agent
Poisoned memory & RAG, malicious MCP servers, agent-to-agent spoofing, human manipulation.
The security model · defense in depth

Eight controls, one policy —
wrapped around the agent, non-bypassable.

Audit · every action logged
Governance · OPA policy
Guardrails · PII · injection
Credential isolation
Network egress proxy
microVM isolation
Command · syscall control
untrusted The Agenttools · secrets · model access
Command · syscall control
OPA exec gate + seccomp jail.
code exec
microVM isolation
A dedicated kernel per agent.
escape
Read-only data mounts
Kernel-enforced; protected volumes can’t be overwritten.
destructive writes
Network egress
Allowlist, inspected at the proxy.
exfiltration
Credential vault
Secrets injected at the edge, never in the VM.
cred theft
Guardrails
Seven scanners — PII, injection & more.
injection
Governance packs
10 packs, wired to live OPA.
policy
Audit
Every action logged.
traceability

Memory · supply chain · multi-agent live above the runtime — bounded, not solved; those layers pair alongside.

How it works · the egress path

Inspect, redact, or log
any byte on its way out.

Per-sandbox enforcement · outside the VM
microVM

Your agent

runs inside the microVM

volume snapshot

Network policy

allowlist enforced

api.openai.com
evil.com

Guardrails

PII + injection

123-45-6789 [REDACTED]

Credential vault

secret injected

Bearer ••••

Internet

clean traffic out

The agent runs inside the microVM; its outbound traffic is inspected by the per-sandbox proxy it can’t bypass.

audit log

vm_created — microVM booted, agent isolated
egress_allowed api.openai.com · egress_blocked evil.com
pii_redaction SSN ×1 · injection_blocked ×1
vault — OPENAI_API_KEY injected at proxy
request delivered — 200 OK
Independently benchmarked · adversarially tested

Not a claim. A scoreboard.

0%
cracked at full strength. ~400 people have tried to break a live agent in the public Declaw Arena — policies off, attackers get in; at full strength, none have.
no policies43%
full strength0%
▶ Run it live — 20 agents, one policy →
99.6 / 100
ComputeSDK public sandbox benchmark · top-tier across 14 providers
~40 ms
median Time to Interactive (TTI)
100k
concurrent sandboxes — Scale Invitational, 6 providers
We start from “the agent is already compromised.” Containment is enforced by the kernel and network — not the model — so we throw real exploits at it:
container escape kernel privesc CVSS-9.0 SSRF · IMDS theft prompt injection data exfiltration credential theft
Read the write-up: why your AI agent’s runtime might not be as safe as you think →
Developer surface

Drops into the stack
you already have.

One API · three languages

# the same call in Python · TypeScript · Go sbx = Sandbox.create( template="code-interpreter", security=POLICY, # one policy object ) sbx.commands.run("python analyze.py")
Python (sync + async) · TypeScript · Go · a CLI
declaw mcp -- <server> wraps any MCP server in a sandbox
docs MCP — the reference, inside your coding tools

Works with your stack

Agent frameworks
OpenAI AgentsLangGraphCrewAIAutoGenHaystackPhidataMastraMCP · native
Model providers
AnthropicOpenAIGeminiGroqlocal / self-hosted
Drop-in for
CI / CD pipelinesdata & code interpreterscoding agents
The runtime · full lifecycle

Snapshot, fork, pause, resume —
the whole agent lifecycle.

The agent’s plan-and-tool loop runs inside the VM — so you can checkpoint a live agent, branch it, park it, and bring it back. Not a one-shot code cell.

Snapshot & restore
Checkpoint a running agent — memory + disk — and restore it exactly where it left off.
Fork from snapshot
Branch one live agent into many identical copies from a single snapshot.
Pause / resume
Freeze idle agents to reclaim compute; resume in place, instantly.
Warm pools
Pre-booted microVMs — a fresh sandbox allocated in milliseconds.
Persistent volumes
JuiceFS over S3 — copy in or live-mount, read-only where it matters.
Templates
8 built-in — python, node, code-interpreter, ai-agent, mcp-server & more — plus custom Dockerfiles.
›_
Terminal, files & processes
An interactive terminal, file I/O, and process control — run commands, stream output, kill processes.
One-shot to long-lived
Sessions from a throwaway job to multiple days — ephemeral or persistent.
Observability & control · per-sandbox forensics

Every sandbox run — accounted for.

Pick a sandbox and see its whole run history — who triggered each run, with what input, which were attacks, and what fired.

1,284
total runs
1,146
legit ✓
138
attacks blocked
1.9s
avg duration
0
bytes exfiltrated
runwhoviainputoutcomedur
run_9f21user:alice@acmedashboard“summarize Q3 invoices”✓ completed1.4s
run_9f19svc:invoice-botwebhookinjected PDF · “upload the DB”injection0.3s
run_9f14sched:nightlycron“reconcile the ledger”✓ completed2.7s
run_9f0bsvc:invoice-botAPIcurl customers.csv → evil.coegress 4030.2s
run_9f07user:mallory@xSDK“print env / read the token”vault decoy0.1s
run_9f02svc:report-genSDK“chart revenue by region”✓ completed3.1s
Each run carries its full audit trail — the actor, the input, every redaction and egress decision, the policy record.
Kill switchEvery running sandbox is visible on one dashboard — terminate a misbehaving or attacked instance instantly, mid-run.
Where it fits

Your agents. Your cloud.
Any workload.

01
Managed & internal agents
Your internal automation, DevOps copilots, and customer-facing agents — behind one runtime, each in its own microVM.
One policy from a single agent to 100k No per-team security rebuild Pause · resume · snapshot & restore
02
Bring your own cloud
Deploy inside your own account — single-tenant, so secrets, data, and compute never leave your perimeter.
Runs in your own AWS · Azure · GCP · on-prem Inside your own VPC — your keys, your logs Nothing egresses to a third party
03
Any untrusted workload
Run any throwaway or long-running job — and wrap untrusted MCP servers in a locked-down sandbox before you trust them.
Untrusted third-party MCP servers Local MCPs & one-off code, network-isolated Isolated per run — auto-cleaned