The secure sandbox
for AI agents
Firecracker microVMs with guardrails, agent action controls, custom policy enforcement, and full agent observability — all in one SDK, not five vendors.
Your agent
runs inside the microVM
Network policy
allowlist enforced
Guardrails
PII + injection
Credential vault
secret injected
Internet
clean traffic out
The agent runs inside the microVM; its outbound traffic is inspected by the per-sandbox proxy it can't bypass.
audit log
Works with OpenAI, Anthropic, LangChain, CrewAI, and any OpenAI-compatible API — drop-in, no code changes.
Get started in seconds
Trusted by teams shipping AI agents in production
And used by engineers from
The problem
The AI agent stack is broken
Today you need a sandbox vendor, a guardrails vendor, DIY network controls, and DIY persistence. Five tools, gaps at every seam, nothing shares context.
Today
5 vendors · no shared context · gaps at every seam
With Declaw
One SDK · shared execution context · everything integrated
Sandbox + Security
Everything your agent needs to run safely
Sandboxes, snapshots, volumes, networking, credential vault, guardrails, and audit — all sharing execution context inside the same Firecracker VM.
Firecracker Sandboxes
Every execution runs in a hardware-isolated microVM — warm-pool restore in tens of milliseconds, configurable CPU/memory/disk, full Linux environment. Drive it entirely from code with a programmatic files, process, and PTY API — no SSH. Drop-in replacement for your current sandbox.
sbx = Sandbox.create(template="base", timeout=60)
sbx.files.write("/workspace/data.csv", csv_content)
result = sbx.commands.run("python3 agent.py")
print(result.stdout)Snapshots & Pause / Resume
Freeze a running microVM — full guest memory, CPU registers, and disk — then resume exactly where it left off. Pause idle agents to stop paying for compute; snapshot long-running state.
snap = sbx.create_snapshot() # memory + CPU + disk
sbx.pause() # freeze the microVM
sbx.resume() # resume where it left off
snaps = sbx.list_snapshots()Volumes
Persistent storage that lives independently of any sandbox. Attach to one or many sandboxes in copy mode (hydrate at boot) or live-mount mode (shared read-write). 64 GiB per volume.
vol = Volumes.empty("datasets")
Volumes.files(vol.volume_id).write("/train.csv", data)
sbx = Sandbox.create(template="python",
volumes=[vol.attach("/data", mode="mount")])Network-Layer Controls
L3/L4 kernel-level IP/CIDR filtering, plus L7 domain/SNI inspection with exact, wildcard, and regex matching. Control exactly what your agent can reach.
from declaw import SecurityPolicy, NetworkPolicy
policy = SecurityPolicy(
network=NetworkPolicy(
allow_out=["*.openai.com", "pypi.org"],
deny_out=["0.0.0.0/0"],
)
)Credential Vault
Store API keys and secrets once, then reference them on create. The value is injected into outbound requests at the egress proxy and never enters the sandbox — so a compromised agent can't read or exfiltrate a key it never had.
vault.create_secret(value=OPENAI_KEY, provider="openai")
sbx = Sandbox.create(template="ai-agent",
vault_refs={"OPENAI_API_KEY": "openai"})
# key is added at the proxy, never touches the VMGuardrails Suite
PII redaction with response rehydration, prompt injection defense, toxicity scanning, and invisible-text detection — at the proxy layer, with configurable block / strip / log actions. Plus custom regex transformation rules on request and response bodies.
policy = SecurityPolicy(
pii=PIIConfig(enabled=True),
injection_defense=InjectionDefenseConfig(enabled=True),
toxicity=ToxicityConfig(enabled=True),
invisible_text=InvisibleTextConfig(enabled=True),
)Audit Trail
Every egress decision, redaction event, and policy block is logged with masked findings and counts. Configurable retention, queryable via console and API.
policy = SecurityPolicy(
audit=AuditConfig(enabled=True)
)
# Audit events queryable via console/APIArchitecture
Architecture overview
Every sandbox is a hardware-isolated Firecracker microVM. A transparent security proxy intercepts all outbound traffic — your workload never touches the internet directly.
API Server
Central API for sandbox scheduling, lifecycle management, and security policy enforcement.
Orchestrator
Manages Firecracker VM lifecycle: boots microVMs, configures resource limits, handles snapshots and teardown.
Sandbox daemon
Exposes file, process, and terminal APIs inside the sandbox.
Security Proxy
Runs in the sandbox's own network namespace, outside the VM — all outbound traffic is intercepted and inspected, and the workload can't bypass or tamper with it.
User workload
Your agent binary, Python script, or code — hardware-isolated from the host and every other sandbox.
The Security Proxy
A transparent security layer operates per-sandbox. All outbound traffic passes through it automatically — your agent makes ordinary network calls with no awareness of the proxy.
All outbound TCP intercepted. Every outbound TCP connection is intercepted and inspected before reaching the internet.
TLS visibility where you need it. On the domains you enable scanning or transforms for, HTTPS is decrypted per-sandbox via a unique per-sandbox CA, so guardrails can see request and response content.
Transparent by design. Your agent doesn't need code changes. The proxy is invisible at the application layer — it only appears in the audit log.
Key guarantee
Your agent doesn't need code changes — the proxy is transparent. Drop Declaw into any existing agent workflow.
6-stage pipeline
Network Policy
IP and CIDR allow/deny rules evaluated first.
Domain Filter
Domain-level filtering with wildcard support.
TLS Interception
HTTPS traffic decrypted for full request and response inspection.
Guardrails
PII redaction, prompt injection defense, code security, toxicity, invisible text detection.
Transformation Engine
Pattern-based match/replace rules on request or response body.
Audit Logger
Full event logging with configurable retention.
Detection engine
What gets detected and blocked
PII is redacted at the boundary and rehydrated in the response. Prompt injections, toxic content, and invisible text are caught — with configurable block, strip, or log actions.
Social Security
Credit Card
Email Address
Phone Number
Prompt Injection
Toxic Content
Invisible Text
Drop-in compatible
Works with any LLM or agent framework
Declaw proxies traffic transparently. Keep your model provider, keep your framework — we secure what runs in between.
LLM providers
Agent frameworks
Ecosystem
Integrations & open-source tools
Drop Declaw into the tools you already use — or grab one of our open-source utilities.
Declaw MCP Server
Give Claude Desktop, Claude Code, Cursor, or Windsurf a secure sandbox to run code in — one line of MCP config.
mcp-sandbox
Sandbox any MCP server in one line. Firecracker isolation + network and credential scoping for the whole MCP dependency tree.
cagecheck
Check if your sandbox can be escaped. A static binary that runs inside any sandbox and reports concrete escape vectors.
n8n community node
Run untrusted code and AI-agent steps inside Declaw sandboxes from any n8n workflow.
Dify plugin
Add secure Declaw sandbox execution to your Dify apps and agents from the marketplace.
SDKs & CLI
Python, TypeScript, and Go SDKs plus a cross-platform CLI — all open source.
Deployment
Deployment options
Run on Declaw's managed cloud or bring your own infrastructure. All options use identical SDK and security primitives.
Managed Cloud
Self-hosted / BYOC
or email team@declaw.ai
Support