What are the five core scanning engines in DefenseClaw?

DefenseClaw comprises five specialized scanning engines: 1) Skill Scanner — performs comprehensive security audits on agent skills before they're loaded, including permission analysis, data flow tracking, and dependency chain inspection; 2) MCP Scanner — targets Model Context Protocol servers to detect prompt injection and unauthorized access; 3) A2A Scanner — monitors Agent-to-Agent communications in multi-agent systems; 4) CodeGuard — performs real-time static analysis on agent-generated code; 5) AI BOM Generator — creates complete component inventories for each AI agent, similar to software SBOMs.

How does DefenseClaw's runtime threat detection differ from static scanning?

Static scanning performs one-time security audits before skills/code are loaded, while runtime threat detection continuously monitors every message flowing in and out of AI agents during execution. This means even if a skill passes initial scanning, DefenseClaw can detect and block anomalous runtime behavior such as data exfiltration. Runtime detection includes real-time message inspection, behavioral baseline comparison, ML-based anomaly pattern recognition, and automated response mechanisms.

What does Cisco mean by 'walls, not suggestions' in DefenseClaw's policy enforcement?

Cisco uses 'walls, not suggestions' to distinguish DefenseClaw from AI safety tools that merely issue advisory warnings. DefenseClaw's policy enforcement is hard — violations are actively blocked rather than just logged. This includes block/allow list management, automatic permission revocation when skills are deemed unsafe, network isolation policies restricting agent communications, and data classification-based access controls. Policy violations result in immediate action such as skill removal or sandbox permission revocation.

Cisco Upgrades Open-Source DefenseClaw: Comprehensive AI Agent Security Scanning Framework

Cisco Open-Sources DefenseClaw: Comprehensive AI Agent Security Scanning

Introduction: The Security Imperative of Agentic AI

Cisco Open-Sources DefenseClaw: Comprehensive AI Agent Security Scanning

Introduction: The Security Imperative of Agentic AI

On March 23, 2026, at the RSA Conference 2026 in San Francisco, Cisco unveiled DefenseClaw — a fully open-source AI agent security scanning framework that represents a paradigm shift in how organizations approach the security of autonomous AI systems. This release comes at a critical juncture, as enterprises worldwide are rapidly deploying AI agents that can autonomously execute tasks, call APIs, generate code, and interact with sensitive systems.

The rise of agentic AI has fundamentally changed the threat landscape. Unlike traditional software applications with deterministic execution paths, AI agents exhibit non-deterministic behavior — the same input can produce vastly different outcomes depending on model inference, context accumulation, and tool availability. This introduces novel attack vectors that existing security frameworks were never designed to address: prompt injection attacks can hijack agent behavior, privilege escalation vulnerabilities can lead to unauthorized data access, and malicious plugins can propagate laterally through agent ecosystems.

DefenseClaw was purpose-built to address these challenges, offering a unified, automated security pipeline for building, deploying, and continuously monitoring AI agents.

Architectural Overview: Five Core Scanning Engines

DefenseClaw employs a modular architecture centered around five specialized scanning engines, each targeting a critical aspect of AI agent security.

#### 1. Skill Scanner

In the agentic AI ecosystem, "skills" represent discrete capability units that enable agents to perform specific tasks — from querying databases to sending emails to executing shell commands. The Skill Scanner performs comprehensive security audits on every skill before it enters the agentic environment.

The scanning process encompasses:

**Permission Analysis**: Evaluates the permissions each skill requests against the principle of least privilege. Skills requesting excessive permissions are flagged with detailed justifications.
**Data Flow Tracking**: Maps the complete data flow within a skill, identifying potential data exfiltration paths, unauthorized external communications, and sensitive data handling violations.
**Dependency Chain Inspection**: Performs recursive dependency analysis, cross-referencing against known vulnerability databases (CVE, NVD) and detecting supply chain attack patterns.
**Behavioral Pattern Analysis**: Uses static and heuristic analysis to identify suspicious behavioral patterns such as obfuscated code, dynamic code generation, or delayed execution triggers.

#### 2. MCP Scanner

The Model Context Protocol (MCP) has emerged as the de facto standard for tool integration in AI agent systems. MCP Scanner specifically targets MCP servers, which serve as bridges between AI agents and external tools.

Key detection capabilities include:

**Request Origin Validation**: Verifies that MCP servers properly authenticate and authorize incoming requests, preventing unauthorized agents from accessing sensitive tools.
**Tool Description Injection Detection**: Scans tool descriptions for hidden prompt injection payloads — a particularly insidious attack vector where malicious instructions are embedded within tool metadata.
**Indirect Prompt Injection via Returns**: Analyzes return values for potential indirect prompt injection content that could manipulate the agent's subsequent behavior.
**Unauthorized Data Access Patterns**: Detects MCP servers that access data beyond their declared scope.

#### 3. A2A Scanner

As multi-agent systems become more prevalent, Agent-to-Agent (A2A) communication represents a critical and often overlooked attack surface. The A2A Scanner monitors inter-agent message passing to ensure:

Communication protocols adhere to security specifications
No unauthorized cross-agent command injection occurs
Message payloads are free of malicious content
Agent identity authentication mechanisms are robust and tamper-resistant

#### 4. CodeGuard Static Analysis

AI agents frequently generate and execute code dynamically — a capability that introduces significant security risks. CodeGuard performs real-time static analysis on every piece of agent-generated code, detecting:

Command injection vulnerabilities
Unsafe file system operations (path traversal, arbitrary writes)
Hardcoded credentials and sensitive information exposure
Logic vulnerabilities, race conditions, and boundary condition errors
Insecure network operations and unvalidated external inputs

#### 5. AI Bill of Materials (AI-BOM) Generator

Drawing inspiration from the Software Bill of Materials (SBOM) concept that has become mandatory in many regulatory frameworks, the AI-BOM Generator creates comprehensive component inventories for each AI agent. These inventories catalog:

Models used (including version, provider, and fine-tuning details)
Skills and plugins deployed
Data sources accessed
Third-party dependencies and their versions
Configuration parameters and policy settings

This capability is essential for compliance auditing, vulnerability tracking, and incident response.

Runtime Threat Detection: Beyond Static Scanning

Static scanning provides a critical first line of defense, but DefenseClaw's true innovation lies in its runtime threat detection capabilities. The framework continuously monitors every message flowing in and out of AI agents during execution, enabling detection of threats that emerge only during runtime.

This is particularly important because:

A skill that passes initial security scanning may later be compromised through a supply chain attack
Prompt injection attacks often exploit runtime context that doesn't exist during static analysis
Multi-turn conversation dynamics can create emergent vulnerabilities
Environmental changes (new data, updated models) can alter agent behavior in security-relevant ways

The runtime detection system operates on multiple levels:

**Real-time Message Inspection**: Every input and output message is analyzed for security threats, including prompt injection patterns, data exfiltration attempts, and policy violations.
**Behavioral Baseline Comparison**: DefenseClaw establishes behavioral baselines for each agent and detects deviations that may indicate compromise.
**Anomaly Pattern Recognition**: Machine learning-based detection identifies novel attack patterns that signature-based systems would miss.
**Automated Response Mechanisms**: Upon threat detection, DefenseClaw can automatically block the offending skill, revoke sandbox permissions, and generate detailed incident reports.

Policy Enforcement: Walls, Not Suggestions

Cisco has been emphatic that DefenseClaw provides "walls, not suggestions." This philosophy manifests in a robust policy enforcement engine that supports:

**Block and Allow Lists**: Administrators can define granular policies specifying which skills, tools, API calls, and data sources are permitted or prohibited.
**Automatic Permission Revocation**: When a skill is determined to be unsafe — whether through scanning or runtime detection — its sandbox permissions are automatically revoked.
**Network Isolation Policies**: Agents can be restricted to specific network segments, preventing lateral movement and unauthorized external communications.
**Data Classification-Based Access Control**: Different access levels are enforced based on data sensitivity classifications, ensuring that agents handling PII or financial data face stricter controls.

This hard enforcement model represents a significant departure from many existing AI safety tools that rely on advisory warnings and optional guardrails.

Integration with NVIDIA OpenShell

Cisco announced that DefenseClaw will integrate deeply with NVIDIA's OpenShell platform, which provides a hardened, sandboxed execution environment specifically designed for AI agents. This integration enables:

**Isolated Execution**: Agents run within hardware-isolated sandboxes, preventing container escapes and host system compromise.
**Automated Security Pipeline**: Security checks are automatically triggered at each stage of the agent deployment lifecycle.
**Unified Management Interface**: Security policies, scan results, and runtime alerts are managed through a single pane of glass.
**Hardware-Level Security Guarantees**: Leveraging NVIDIA's hardware security features for enhanced isolation and attestation.

Cisco's Broader Agentic AI Security Strategy

DefenseClaw is one pillar of Cisco's comprehensive approach to securing the "agentic workforce." Alongside DefenseClaw, Cisco announced:

**Duo Agentic Identity**: A purpose-built identity management solution for discovering, cataloging, and continuously monitoring AI agents across the enterprise. This addresses the fundamental question: "How many AI agents are operating in our environment, and what are they authorized to do?"
**AI Defense: Explorer Edition**: A developer-focused tool for testing model and application resilience against adversarial attacks, hallucination, and unintended behaviors.

Together, these three solutions form a layered defense-in-depth strategy: DefenseClaw handles technical security scanning and policy enforcement, Duo Agentic Identity manages identity and access governance, and AI Defense addresses model-level security evaluation.

Industry Impact and the Open-Source Decision

Cisco's decision to fully open-source DefenseClaw carries significant strategic implications:

1. **Democratizing AI Security**: Small and medium enterprises gain access to enterprise-grade AI agent security without licensing costs.

2. **Community-Driven Innovation**: The global security research community can contribute detection rules, scanning capabilities, and integrations.

3. **De Facto Standardization**: DefenseClaw has the potential to become the industry standard for AI agent security scanning, similar to how tools like OWASP ZAP and Snyk became standards in their respective domains.

4. **Transparency and Trust**: Open-source code can be independently audited, building user confidence in the framework's integrity.

The framework is available on GitHub, with comprehensive documentation, getting-started guides, and a growing library of community-contributed scanning rules.

Technical Deep Dive: Why AI Agent Security Is Fundamentally Different

Traditional application security focuses on deterministic code execution paths. Security teams can map inputs to outputs, trace control flows, and identify vulnerabilities through established methodologies like SAST, DAST, and penetration testing.

AI agents break this paradigm in several fundamental ways:

**Non-Deterministic Behavior**: The same input may produce different outputs due to model inference variability, temperature settings, and context window contents.
**Dynamic Tool Usage**: Agents select and invoke tools based on runtime decisions, making it impossible to predict all possible execution paths statically.
**Context Accumulation**: Agents build up context over multi-turn interactions, and vulnerabilities may only manifest after specific context conditions are met.
**Emergent Behavior in Multi-Agent Systems**: When multiple agents interact, their combined behavior can exhibit emergent properties not present in any individual agent.

DefenseClaw's design philosophy acknowledges these realities. By combining static scanning with continuous runtime monitoring and hard policy enforcement, it implements a "trust but verify" approach that represents the state of the art in AI agent security.

Conclusion

Cisco's release of DefenseClaw marks the transition of AI agent security from theoretical discussion to engineering practice. As an open-source, modular, full-lifecycle security framework, it provides a solid technical foundation for governing AI agents in the enterprise. As agentic AI deployment accelerates across industries, DefenseClaw and its ecosystem are positioned to become critical infrastructure for ensuring that autonomous AI systems remain secure, compliant, and controllable.