Brex open-sources CrabTrap to police AI agent network requests
Brex says its proxy-based agent governance tool builds policy from observed traffic, then uses static rules and an LLM judge to approve or block requests.
By Renata Fuchs · Policy Reporter
· 4 min read
Brex has open-sourced CrabTrap, an internal HTTP/HTTPS proxy built to control what AI agents can do with real credentials such as API keys, OAuth tokens and service accounts. The release is relevant for enterprise AI teams because Brex says model guardrails, SDK permissions and tool-level controls were not enough to contain agent behavior once agents were connected to production systems and the internet.
Brex co-founder and CEO Pedro Franceschi told VentureBeat the company focused on the network layer because every outbound agent request creates a point where policy can be applied. The company is positioning CrabTrap as a centralized control plane for agent traffic, rather than another model-specific guardrail or per-tool integration.
CrabTrap sits between agents and outbound traffic
CrabTrap works by routing an agent’s HTTP and HTTPS requests through a proxy before they reach their destination. Users configure HTTP_PROXY and HTTPS_PROXY in the agent environment, which lets the system inspect requests without requiring SDK wrappers or custom integrations for each tool, language or agent framework, according to Brex.
The proxy checks requests against deterministic policy rules. For requests outside known patterns, Brex says CrabTrap can call an LLM-as-a-judge to decide whether the request should be allowed or denied. Franceschi said that for a mature agent, the judge is typically used on fewer than 3% of requests.
Brex’s case for this architecture is that common alternatives cover only part of the problem. Franceschi said fine-grained API tokens can still be misused, semantic guardrails can be bypassed by prompt injection, and MCP gateways apply only to traffic using the Model Context Protocol. He also said provider guardrails are tied to individual models and can be hard to adapt to company-specific policies.
Policies are drafted from observed behavior
The more unusual part of CrabTrap is how Brex says it builds policy. Instead of starting with a blank rule set, the company runs agents in shadow mode, reviews historic network traffic, samples representative calls and drafts a natural-language policy that reflects what the agent has already been doing.
Brex also built an evaluation system that replays historical audit entries against draft policy changes before they go live. The system reports how decisions would change and lets users filter results by method, URL, original decision and agreement status. Franceschi said replaying thousands of requests takes minutes because judge calls run concurrently.
Audit trails are stored in PostgreSQL and can be queried through CrabTrap’s admin API and dashboard, according to Brex. If a resource is repeatedly denied, the system can notify a person or an agent to suggest a policy update for review.
Brex says latency was manageable, prompt injection was harder
Franceschi said the expected latency problem was less severe than it appeared because high-volume request patterns become static rules and the LLM judge is used only on the long tail. Brex used small models such as Claude Haiku for judge calls, and Franceschi said local models and prompt caching could reduce latency further.
The harder issue, according to Franceschi, was prompt injection. Because the judge reviews the full HTTP request, user-controlled content in a URL, header or body could try to influence the decision. Brex addressed that by formatting the request as a JSON object before sending it to the model, so user-controlled fields are escaped rather than inserted as raw prompt text.
What Brex has not disclosed
Brex says CrabTrap improved internal confidence in deploying autonomous agents and helped the company identify noisy agent behavior, remove tools and cut categories of wasteful requests. The company tracks engagement with agents, traffic patterns and NPS, but it did not disclose specific performance metrics, NPS figures or comparative benchmarks.
Franceschi said policies generated from several days of traffic matched human judgment on the vast majority of held-out requests. Brex did not provide the underlying evaluation set or exact agreement rate.
The project has drawn more than 700 stars on GitHub, and Franceschi said Brex has heard interest from OpenAI, Y Combinator CEO Garry Tan and programmer Pete Steinberger. Planned areas include SSO, finer RBAC, escalation workflows, API-based policy management and additional signals from agent traces and resource calls.
For now, CrabTrap is a useful signal of where enterprise agent security is heading: away from relying solely on prompts and SDK permissions, and toward enforcement points that can see what agents actually do.
This story draws on original reporting from VentureBeat.