Cisco DefenseClaw Locks Down AI Agents at RSA
Cisco open-sourced DefenseClaw at RSA 2026 - a five-minute install that scans agent skills, MCP servers, and AI-generated code before they run, with 2-second policy enforcement and Splunk telemetry built in.
6 min read
Eighty-five percent of enterprises are experimenting with AI agents. Only 5% have moved them into production. Cisco's own survey delivered that number at RSA 2026, and the company is betting that security - not capability - is the actual blocker.
On March 27, Cisco released DefenseClaw to GitHub under a permissive open-source license. It's a governance layer that sits on top of NVIDIA's OpenShell sandbox and adds scanning, policy enforcement, and supply chain documentation for AI agent deployments. The pitch is five minutes from download to protected agent.
TL;DR
- Cisco open-sourced DefenseClaw on March 27, 2026 - an agent security framework built on NVIDIA OpenShell
- Five scanners cover skills, MCP servers, agent-to-agent traffic, produced code, and supply chain inventory
- Blocked skills have permissions revoked and files quarantined within 2 seconds, no restart required
- Cisco also released AI Defense Explorer Edition (free red-teaming tool) and a LLM Security Leaderboard at RSA 2026
Installing DefenseClaw
The install path is intentionally short. DefenseClaw assumes OpenShell is already running as the sandbox layer. From there:
# Install DefenseClaw
curl -LsSf https://raw.githubusercontent.com/cisco-ai-defense/defenseclaw/main/install.sh | sh
# Initialize on an existing OpenShell agent
defenseclaw init --agent openclaw
# Run a full scan before first launch
defenseclaw scan --all
The --all flag triggers all five scanners at once. Individual scanners can be called separately for CI/CD pipelines - DefenseClaw ships with pre-built connectors for GitHub Actions, GitLab, and Jenkins.
What DefenseClaw Scans
Skill-Scanner
Every skill registered to the agent gets inspected before it can be invoked. The scanner checks for known-malicious patterns, unexpected network calls, and permission escalation attempts. It also tracks skill state over time - a clean skill on Tuesday can start exfiltrating data by Thursday, and DefenseClaw is built to catch that drift.
MCP-Scanner
Model Context Protocol servers are increasingly the attack surface of choice for agents. MCP-Scanner verifies each MCP server the agent connects to, applies allow/block list policies, and enforces time-bound access. When you block an MCP server, the policy takes effect within two seconds without requiring an agent restart - permissions are revoked at the OpenShell sandbox layer rather than the application layer.
A2A-Scanner
Agent-to-agent communication is the newest attack surface DefenseClaw addresses. As multi-agent pipelines become more common, an attacker who compromises one agent can use it to inject malicious instructions upstream or downstream. A2A-Scanner monitors message flows between agents and flags anomalies.
CodeGuard
When an agent produces code that it then executes, that code runs through CodeGuard's static analysis engine before execution. This matters more than it sounds: vibe-coded outputs from agents have shown significant security gaps, and most agent frameworks have no gate between generation and execution.
AI Bill of Materials
The AI BoM generator creates a structured inventory of every asset the agent depends on - skills, tools, MCP servers, models, dependencies. This is the supply chain documentation layer. The BoM output integrates directly with Splunk via a prepackaged connector, automatically streaming scan findings, policy decisions, prompt-response pairs, and tool invocations.
DefenseClaw's three-layer security model - supply chain scanning, runtime protection, and system boundary enforcement - as shown in the official Cisco blog.
Source: blogs.cisco.com
Runtime Policy Enforcement
The enforcement model is the technically interesting part. DefenseClaw doesn't just scan once at setup - it monitors continuously during execution. The policy engine runs as a sidecar inside the OpenShell container.
When a skill is blocked:
- Its sandbox permissions are revoked
- Its files are quarantined
- The agent receives an error if it tries to invoke the skill
- The enforcement event is logged to Splunk with full context
All of this happens within two seconds, without stopping the agent process.
"Projects shelved for lack of resources are now within reach," said Jeetu Patel, Cisco's Chief Product Officer.
The statement is slightly vague, but the underlying point is real: a lot of enterprise agent pilots stall not because the agents are bad but because no one can answer the security team's questions about what the agent is doing and to what.
Requirements and Compatibility
| Requirement | Details |
|---|---|
| Sandbox layer | NVIDIA OpenShell (required) |
| Supported agents | OpenClaw (native), others via OpenShell |
| Splunk | Optional; connector pre-packaged |
| CI/CD | GitHub Actions, GitLab, Jenkins |
| Install time | Under 5 minutes |
| License | Open source (permissive) |
| Repository | github.com/cisco-ai-defense/defenseclaw |
The Rest of the RSA Bundle
DefenseClaw wasn't the only release. Cisco shipped three other security tools with it.
AI Defense: Explorer Edition is a free self-service platform for red-teaming AI models and applications before deployment. It runs multi-turn adversarial tests to find prompt injection and jailbreak vulnerabilities, and integrates into CI/CD pipelines so developers can gate releases on security test results. It's essentially a free entry point to Cisco's broader AI Defense suite, with an upgrade path to enterprise RBAC for teams.
Zero Trust Access for Agents extends Cisco's Duo IAM to register AI agents as identities with human owners. The idea is that agents should have the same lifecycle management as human employees - provisioning, access scoping, and deprovisioning. Cisco Identity Intelligence then maps agentic identities across the environment for visibility.
LLM Security Leaderboard ranks language models against adversarial attacks - prompt injection resistance, jailbreak robustness, and related dimensions. It's a free resource. The methodology disclosure is limited at launch, which makes the rankings harder to interpret, but the intent is to give teams an independent signal on model security posture beyond the usual capability benchmarks.
The AI Defense Explorer Edition report view - results from multi-turn adversarial testing against a model or agentic application.
Source: blogs.cisco.com
Where It Falls Short
DefenseClaw is genuinely useful, but it has real dependencies and gaps worth noting.
OpenShell lock-in. DefenseClaw requires NVIDIA OpenShell as the underlying sandbox. If you're running agents on a different runtime - containerized but not OpenShell, or cloud-hosted with a different isolation model - DefenseClaw doesn't currently support that path. The roadmap hints at broader compatibility but it isn't shipping now.
A2A-Scanner is early. Agent-to-agent communication security is still an active research area. The A2A-Scanner exists, which puts Cisco ahead of most tooling, but the threat models for multi-agent pipelines aren't fully standardized yet. Treat A2A-Scanner as a useful starting point, not a complete solution.
LLM Leaderboard opacity. The security leaderboard needs more methodological transparency to be trustworthy. Benchmark names, prompt injection test sets, and evaluation conditions aren't published yet. A ranking without reproducible methodology is marketing dressed as measurement.
Enterprise timeline. Most of Cisco's additional features - Exposure Analytics, the specialized SOC agents, Guided Response - don't reach general availability until April through June 2026. DefenseClaw itself is available now, but the full vision requires waiting on the broader Splunk integration work.
The 85% to 5% gap Cisco cites is real. DefenseClaw addresses a genuine missing layer in most agentic deployments. Whether the OpenShell dependency is a dealbreaker depends on your existing infrastructure - if you're already using NVIDIA's OpenShell, this is a direct install with immediate value.
Sources:
