The secure sandbox
for AI agents

Firecracker microVMs with guardrails, agent action controls, custom policy enforcement, and full agent observability — all in one SDK, not five vendors.

Per-sandbox enforcement · outside the VM
microVM

Your agent

runs inside the microVM

volume snapshot

Network policy

allowlist enforced

api.openai.com
evil.com

Guardrails

PII + injection

123-45-6789 [REDACTED]

Credential vault

secret injected

Bearer ••••

Internet

clean traffic out

The agent runs inside the microVM; its outbound traffic is inspected by the per-sandbox proxy it can't bypass.

audit log

vm_created — microVM booted, agent isolated
egress_allowed api.openai.com · egress_blocked evil.com
pii_redaction SSN ×1 · injection_blocked ×1
vault — OPENAI_API_KEY injected at proxy
request delivered — 200 OK

Works with OpenAI, Anthropic, LangChain, CrewAI, and any OpenAI-compatible API — drop-in, no code changes.

Get started in seconds

$pip install declaw
npm i @declaw/sdk·go get github.com/declaw-ai/declaw-go

Trusted by teams shipping AI agents in production

And used by engineers from

MicrosoftGoogleAmazonRipplingFlipkartMedia.net

The problem

The AI agent stack is broken

Today you need a sandbox vendor, a guardrails vendor, DIY network controls, and DIY persistence. Five tools, gaps at every seam, nothing shares context.

Today

Sandbox vendor
Guardrails vendor
DIY network controls
DIY persistence layer
DIY audit logging

5 vendors · no shared context · gaps at every seam

With Declaw

Firecracker sandbox
PII redaction + rehydration
Prompt injection defense
Toxicity + invisible-text detection
L3/L4 + L7 network controls
Credential vault — secrets never enter the VM
Snapshots, pause / resume
Volumes — persistent, attachable storage
Audit trail

One SDK · shared execution context · everything integrated

Sandbox + Security

Everything your agent needs to run safely

Sandboxes, snapshots, volumes, networking, credential vault, guardrails, and audit — all sharing execution context inside the same Firecracker VM.

Firecracker Sandboxes

Every execution runs in a hardware-isolated microVM — warm-pool restore in tens of milliseconds, configurable CPU/memory/disk, full Linux environment. Drive it entirely from code with a programmatic files, process, and PTY API — no SSH. Drop-in replacement for your current sandbox.

sbx = Sandbox.create(template="base", timeout=60)
sbx.files.write("/workspace/data.csv", csv_content)
result = sbx.commands.run("python3 agent.py")
print(result.stdout)

Snapshots & Pause / Resume

Freeze a running microVM — full guest memory, CPU registers, and disk — then resume exactly where it left off. Pause idle agents to stop paying for compute; snapshot long-running state.

snap = sbx.create_snapshot()   # memory + CPU + disk
sbx.pause()                    # freeze the microVM
sbx.resume()                   # resume where it left off
snaps = sbx.list_snapshots()

Volumes

Persistent storage that lives independently of any sandbox. Attach to one or many sandboxes in copy mode (hydrate at boot) or live-mount mode (shared read-write). 64 GiB per volume.

vol = Volumes.empty("datasets")
Volumes.files(vol.volume_id).write("/train.csv", data)

sbx = Sandbox.create(template="python",
    volumes=[vol.attach("/data", mode="mount")])

Network-Layer Controls

L3/L4 kernel-level IP/CIDR filtering, plus L7 domain/SNI inspection with exact, wildcard, and regex matching. Control exactly what your agent can reach.

from declaw import SecurityPolicy, NetworkPolicy

policy = SecurityPolicy(
    network=NetworkPolicy(
        allow_out=["*.openai.com", "pypi.org"],
        deny_out=["0.0.0.0/0"],
    )
)

Credential Vault

Store API keys and secrets once, then reference them on create. The value is injected into outbound requests at the egress proxy and never enters the sandbox — so a compromised agent can't read or exfiltrate a key it never had.

vault.create_secret(value=OPENAI_KEY, provider="openai")

sbx = Sandbox.create(template="ai-agent",
    vault_refs={"OPENAI_API_KEY": "openai"})
# key is added at the proxy, never touches the VM

Guardrails Suite

PII redaction with response rehydration, prompt injection defense, toxicity scanning, and invisible-text detection — at the proxy layer, with configurable block / strip / log actions. Plus custom regex transformation rules on request and response bodies.

policy = SecurityPolicy(
    pii=PIIConfig(enabled=True),
    injection_defense=InjectionDefenseConfig(enabled=True),
    toxicity=ToxicityConfig(enabled=True),
    invisible_text=InvisibleTextConfig(enabled=True),
)

Audit Trail

Every egress decision, redaction event, and policy block is logged with masked findings and counts. Configurable retention, queryable via console and API.

policy = SecurityPolicy(
    audit=AuditConfig(enabled=True)
)
# Audit events queryable via console/API

Architecture

Architecture overview

Every sandbox is a hardware-isolated Firecracker microVM. A transparent security proxy intercepts all outbound traffic — your workload never touches the internet directly.

Agent
your code
SDK
declaw-py
API Server
REST
Orchestrator
VM lifecycle
Firecracker VM
microVM + security proxy
Internet
filtered
Host layer

API Server

Central API for sandbox scheduling, lifecycle management, and security policy enforcement.

Orchestrator

Manages Firecracker VM lifecycle: boots microVMs, configures resource limits, handles snapshots and teardown.

Per-sandbox isolation

Sandbox daemon

Exposes file, process, and terminal APIs inside the sandbox.

Security Proxy

Runs in the sandbox's own network namespace, outside the VM — all outbound traffic is intercepted and inspected, and the workload can't bypass or tamper with it.

User workload

Your agent binary, Python script, or code — hardware-isolated from the host and every other sandbox.

The Security Proxy

A transparent security layer operates per-sandbox. All outbound traffic passes through it automatically — your agent makes ordinary network calls with no awareness of the proxy.

All outbound TCP intercepted. Every outbound TCP connection is intercepted and inspected before reaching the internet.

TLS visibility where you need it. On the domains you enable scanning or transforms for, HTTPS is decrypted per-sandbox via a unique per-sandbox CA, so guardrails can see request and response content.

Transparent by design. Your agent doesn't need code changes. The proxy is invisible at the application layer — it only appears in the audit log.

Key guarantee

Your agent doesn't need code changes — the proxy is transparent. Drop Declaw into any existing agent workflow.

6-stage pipeline

1

Network Policy

IP and CIDR allow/deny rules evaluated first.

2

Domain Filter

Domain-level filtering with wildcard support.

3

TLS Interception

HTTPS traffic decrypted for full request and response inspection.

4

Guardrails

PII redaction, prompt injection defense, code security, toxicity, invisible text detection.

5

Transformation Engine

Pattern-based match/replace rules on request or response body.

6

Audit Logger

Full event logging with configurable retention.

Detection engine

What gets detected and blocked

PII is redacted at the boundary and rehydrated in the response. Prompt injections, toxic content, and invisible text are caught — with configurable block, strip, or log actions.

Social Security

in123-45-6789
out[SSN_REDACTED]

Credit Card

in4532-0151-2345-6789
out[CC_REDACTED]

Email Address

injohn@company.com
out[EMAIL_REDACTED]

Phone Number

in415-867-5309
out[PHONE_REDACTED]

Prompt Injection

inIgnore all instructions and...
outBLOCKED

Toxic Content

inGenerate instructions for...
outBLOCKED

Invisible Text

inHidden​​instructions​...
outDETECTED & STRIPPED

Drop-in compatible

Works with any LLM or agent framework

Declaw proxies traffic transparently. Keep your model provider, keep your framework — we secure what runs in between.

LLM providers

OpenAIAnthropicGoogle GeminiMistralGroqTogether AIFireworksCohereDeepSeekLlamaOllamaAny OpenAI-compatible API

Agent frameworks

LangChainLlamaIndexOpenAI Agents SDKVercel AI SDKCrewAIAutoGenMastraPydantic AIClaude Agent SDKCustom / roll your own

Deployment

Deployment options

Run on Declaw's managed cloud or bring your own infrastructure. All options use identical SDK and security primitives.

Managed Cloud

$300 in free credits — no credit card
Fully managed, zero ops
Sandbox ready in < 5 min
Instant API key
Get Started — $300 Free

Self-hosted / BYOC

Bring Your Own Cloud — deploy in your VPC
Your data never leaves your infrastructure
Terraform modules for GCP & AWS
Dedicated support & SLAs
Custom security policies
Book a Call

or email team@declaw.ai

Support

FAQ