The only sandbox with security built in

Firecracker microVMs with guardrails, agent action controls, custom policy enforcement, and full agent observability — all in one SDK, not five vendors.

~40ms

sandbox startup

100K+

sandboxes created

Drop-in compatible

Works with any LLM or agent framework

Declaw proxies traffic transparently. Keep your model provider, keep your framework — we secure what runs in between.

LLM providers

OpenAI
Anthropic
Google Gemini
Mistral
Groq
Together AI
Fireworks
Cohere
DeepSeek
Llama
Ollama
Any OpenAI-compatible API

Agent frameworks

LangChain
LlamaIndex
OpenAI Agents SDK
Vercel AI SDK
CrewAI
AutoGen
Mastra
Pydantic AI
Claude Agent SDK
Custom / roll your own

Get started in seconds

$ pip install declaw

The problem

The AI agent stack is broken

Today you need a sandbox vendor, a guardrails vendor, DIY network controls, and DIY persistence. Five tools, gaps at every seam, nothing shares context.

Today

Sandbox vendor
Guardrails vendor
DIY network controls
DIY persistence layer
DIY audit logging

5 vendors · no shared context · gaps at every seam

With Declaw

Firecracker sandbox
PII redaction + rehydration
Prompt injection defense
Code security + toxicity + invisible text
L3/L4 + L7 network controls
Persistent filesystem
Full audit trail

One SDK · shared execution context · everything integrated

Sandbox + Security

Everything your agent needs to run safely

Sandboxes, filesystem, networking, guardrails, and audit — all sharing execution context inside the same Firecracker VM.

Firecracker Sandboxes

Every execution runs in an isolated microVM. ~40ms startup, configurable CPU/memory/disk, full Linux environment. Drop-in replacement for your current sandbox.

from declaw import Sandbox  # import path assumed from the SDK's other snippets

# Boot an isolated microVM from the "base" template; it is torn down after 60 seconds
sbx = Sandbox.create(template="base", timeout=60)
result = sbx.commands.run("python3 agent.py")
print(result.stdout)

Persistent Filesystem

Read, write, watch files inside the sandbox. State persists across sessions so agents pick up where they left off.

# csv_content: the CSV text your agent produced (defined elsewhere in your code)
sbx.files.write("/workspace/data.csv", csv_content)
files = sbx.files.list("/workspace")
content = sbx.files.read("/workspace/results.json")

Network-Layer Controls

L3/L4 kernel-level IP filtering + L7 domain/SNI inspection + TLS interception. Control exactly what your agent can reach.

from declaw import SecurityPolicy, NetworkPolicy

# Allow only the listed domains; the catch-all deny blocks every other IPv4 destination
policy = SecurityPolicy(
    network=NetworkPolicy(
        allow_out=["*.openai.com", "pypi.org"],
        deny_out=["0.0.0.0/0"],
    )
)

Guardrails Suite

PII redaction with rehydration, prompt injection defense, code security analysis, toxicity scanning, and invisible text detection — all running at the proxy layer.

from declaw import (  # import path assumed from the SDK's other snippets
    SecurityPolicy, PIIConfig, InjectionDefenseConfig,
    CodeSecurityConfig, ToxicityConfig, InvisibleTextConfig,
)

# Each guardrail is switched on independently and runs at the proxy layer
policy = SecurityPolicy(
    pii=PIIConfig(enabled=True),
    injection_defense=InjectionDefenseConfig(enabled=True),
    code_security=CodeSecurityConfig(enabled=True),
    toxicity=ToxicityConfig(enabled=True),
    invisible_text=InvisibleTextConfig(enabled=True),
)

Full Audit Trail

Every intercepted request, redaction event, and injection block is logged. Configurable retention, exportable.

from declaw import SecurityPolicy, AuditConfig  # import path assumed from the SDK's other snippets

policy = SecurityPolicy(
    audit=AuditConfig(enabled=True)
)
# Audit logs are accessible via the console or API

Architecture

Architecture overview

Every sandbox is a hardware-isolated Firecracker microVM. A transparent security proxy intercepts all outbound traffic — your workload never touches the internet directly.

Agent (your code) -> SDK (declaw-py) -> API Server (REST) -> Orchestrator (VM lifecycle) -> Firecracker VM (microVM + security proxy) -> Internet (filtered)
Host layer

API Server

Central API for sandbox scheduling, lifecycle management, and security policy enforcement.

Orchestrator

Manages Firecracker VM lifecycle: boots microVMs, configures resource limits, handles snapshots and teardown.

Per-sandbox · Firecracker VM

Sandbox daemon

Exposes file, process, and terminal APIs inside the sandbox.

Security Proxy

All outbound traffic is intercepted and inspected at the network layer — transparent to your workload.

User workload

Your agent binary, Python script, or code — hardware-isolated from the host and every other sandbox.

The Security Proxy

A transparent security layer operates per-sandbox. All outbound traffic passes through it automatically — your agent makes ordinary network calls with no awareness of the proxy.

All traffic intercepted. Every outbound request is intercepted and inspected before reaching the internet.

Full TLS visibility. HTTPS traffic is decrypted and inspected per-sandbox, so guardrails can see request and response content.

Transparent by design. Your agent doesn't need code changes. The proxy is invisible at the application layer — it only appears in the audit log.

Key guarantee

Your agent doesn't need code changes — the proxy is transparent. Drop Declaw into any existing agent workflow.

6-stage pipeline

1. Network Policy: IP and CIDR allow/deny rules evaluated first.
2. Domain Filter: domain-level filtering with wildcard support.
3. TLS Interception: HTTPS traffic decrypted for full request and response inspection.
4. Guardrails: PII redaction, prompt injection defense, code security, toxicity, invisible text detection.
5. Transformation Engine: pattern-based match/replace rules on request or response body.
6. Audit Logger: full event logging with configurable retention.
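The first two pipeline stages (IP/CIDR rules, then domain rules with wildcards) and the NetworkPolicy snippet above can be understood with a small evaluator. The following is an added illustration, not declaw's code: EgressPolicy, the stage functions and decide() are this example's own names, the rule precedence (an allow_out hit wins, then deny_out, then default allow) and the reading of "*.openai.com" as apex plus any subdomain are its assumptions, and the addresses are RFC 5737/3849 documentation values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


# Illustrative model of an egress policy. The field names mirror the page's
# NetworkPolicy(allow_out=..., deny_out=...) snippet, but this is not the
# declaw SDK's class and the matching rules below are this example's own.
@dataclass
class EgressPolicy:
    allow_out: List[str] = field(default_factory=list)
    deny_out: List[str] = field(default_factory=list)


def is_cidr(rule: str) -> bool:
    """True if the rule is an IP address or CIDR block rather than a domain pattern."""
    try:
        ipaddress.ip_network(rule, strict=False)
        return True
    except ValueError:
        return False


def domain_matches(pattern: str, host: str) -> bool:
    """Exact match, or for '*.example.com' the apex and any subdomain.
    The '.' in the suffix check keeps 'notexample.com' from matching."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        apex = pattern[2:]
        return host == apex or host.endswith("." + apex)
    return host == pattern


def stage1_cidr(rules: List[str], ip: Optional[str]) -> Optional[str]:
    """Stage 1: IP/CIDR rules. Returns the first matching rule or None.
    An IPv4 block never matches an IPv6 address, and vice versa."""
    if ip is None:
        return None
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if is_cidr(rule) and addr in ipaddress.ip_network(rule, strict=False):
            return rule
    return None


def stage2_domain(rules: List[str], host: Optional[str]) -> Optional[str]:
    """Stage 2: domain rules with wildcard support. Returns the first matching rule or None."""
    if host is None:
        return None
    for rule in rules:
        if not is_cidr(rule) and domain_matches(rule, host):
            return rule
    return None


def decide(policy: EgressPolicy, host: Optional[str], ip: Optional[str]) -> Tuple[str, str]:
    """Evaluate one outbound connection and return (verdict, reason).
    Precedence is this example's assumption: an allow_out hit wins, then a
    deny_out hit, and an unmatched destination is allowed, which is why the
    page's policy carries deny_out=["0.0.0.0/0"] as a catch-all."""
    for name, rules in (("allow_out", policy.allow_out), ("deny_out", policy.deny_out)):
        hit = stage1_cidr(rules, ip) or stage2_domain(rules, host)
        if hit:
            return ("ALLOW" if name == "allow_out" else "DENY", f"{name}:{hit}")
    return ("ALLOW", "default")


if __name__ == "__main__":
    # Constructed sample destinations (documentation address ranges)
    policy = EgressPolicy(allow_out=["*.openai.com", "pypi.org"], deny_out=["0.0.0.0/0"])
    for host, ip in [("api.openai.com", "203.0.113.10"), ("notopenai.com", "203.0.113.9"),
                     ("pypi.org", "198.51.100.5"), ("example.net", "2001:db8::1")]:
        print(host, ip, decide(policy, host, ip))
```

The last sample destination is the check worth carrying into a real policy: "0.0.0.0/0" is an IPv4 catch-all only, so under these semantics an IPv6 destination falls through to the default and a policy that intends to deny everything else needs "::/0" in deny_out as well.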

Detection engine

What gets detected and blocked

PII is redacted at the boundary. Injections, toxic content, and invisible text are caught. Unsafe code is blocked before execution.

Social Security
in:  123-45-6789
out: [SSN_REDACTED]

Credit Card
in:  4532-0151-2345-6789
out: [CC_REDACTED]

Email Address
in:  john@company.com
out: [EMAIL_REDACTED]

Phone Number
in:  415-867-5309
out: [PHONE_REDACTED]

API Key
in:  sk-proj-abc123...
out: [API_KEY_REDACTED]

Prompt Injection
in:  Ignore all instructions and...
out: BLOCKED

Toxic Content
in:  Generate instructions for...
out: BLOCKED

Invisible Text
in:  Hidden​​instructions​... (contains zero-width characters)
out: DETECTED & STRIPPED

Code Security
in:  os.system('rm -rf /')
out: BLOCKED
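The PII rows above, and the "redaction with rehydration" guardrail described in the Guardrails Suite section, turn on one mechanism: values are swapped for placeholders on the way to the model and swapped back when the model echoes a placeholder in its response. The following is an added illustration, not declaw's detectors or placeholder format: the regular expressions are constructed for the sample values shown on the page, the numeric suffix on the placeholder is this example's choice so that two values of one type stay distinguishable, and the invisible-text stripper covers a small set of zero-width code points chosen here.

```python
import re
from typing import Dict, List, Tuple

# Constructed detector patterns for illustration only; they are tuned to the
# sample values on the page and are not the declaw SDK's detectors.
PII_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("CC", re.compile(r"\b(?:\d{4}[- ]){3}\d{4}\b")),        # 4532-0151-2345-6789
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),           # 123-45-6789
    ("PHONE", re.compile(r"\b\d{3}-\d{3}-\d{4}\b")),         # 415-867-5309
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("API_KEY", re.compile(r"\bsk-[A-Za-z0-9_-]{8,}")),      # sk-proj-...
]

# Zero-width / format code points that render invisibly but reach the model.
INVISIBLE = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")


def strip_invisible(text: str) -> Tuple[str, int]:
    """Remove invisible code points; return (clean text, number removed)."""
    return INVISIBLE.subn("", text)


def redact(text: str) -> Tuple[str, Dict[str, str]]:
    """Replace each PII match with a numbered placeholder and return the
    redacted text plus a vault mapping placeholder -> original value.
    The page shows '[SSN_REDACTED]'; the suffix '_1', '_2' is added here."""
    vault: Dict[str, str] = {}
    counters: Dict[str, int] = {}

    for kind, pattern in PII_PATTERNS:
        def _swap(match: "re.Match[str]", kind: str = kind) -> str:
            counters[kind] = counters.get(kind, 0) + 1
            token = f"[{kind}_REDACTED_{counters[kind]}]"
            vault[token] = match.group(0)
            return token
        # Card numbers are handled first so their digit groups cannot be
        # re-matched by the shorter SSN/phone patterns afterwards.
        text = pattern.sub(_swap, text)
    return text, vault


def rehydrate(text: str, vault: Dict[str, str]) -> str:
    """Put the original values back wherever the model echoed a placeholder.
    The vault never leaves the proxy, so the model only ever sees tokens."""
    for token, original in vault.items():
        text = text.replace(token, original)
    return text


if __name__ == "__main__":
    # Constructed sample prompt using the page's example values
    prompt = ("Contact john@company.com about SSN 123-45-6789, card 4532-0151-2345-6789, "
              "phone 415-867-5309, key sk-proj-abc123xyz.")
    redacted, vault = redact(prompt)
    print("to model:   ", redacted)
    # A model reply that refers to a placeholder is rehydrated on the way back
    print("to agent:   ", rehydrate("Reply sent to [EMAIL_REDACTED_1].", vault))
    print("invisible:  ", strip_invisible("Hidden\u200b\u200binstructions\u200b"))
```

Rehydration is only safe because the placeholder is the single thing the model can repeat: the vault is keyed by token, lives on the proxy side of the boundary, and is discarded with the request, so a response can reference a value without the value ever having been in the model's context.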

Deployment

Deployment options

Run on Declaw's managed cloud or bring your own infrastructure. All options use identical SDK and security primitives.

Managed Cloud

$300 in free credits — no credit card
Fully managed, zero ops
Sandbox ready in < 5 min
Instant API key
Get Started — $300 Free

Self-hosted / BYOC

Bring Your Own Cloud — deploy in your VPC
Your data never leaves your infrastructure
Terraform modules for GCP & AWS
Dedicated support & SLAs
Custom security policies
Book a Call

or email team@declaw.ai
