Building Declaw: Why Transparency Matters for Security Infrastructure
We're building the entire runtime — sandboxes, security pipeline, SDK — with auditability as a core principle. Here's why, and what we're betting on.
The short version
Declaw is built with auditability at its core. The full runtime — Firecracker sandbox orchestration, the 6-stage security pipeline, the Python SDK — is designed so you can understand exactly what sits between your agent and the internet.
The security pipeline that does PII redaction, prompt injection detection, code scanning, toxicity filtering, and invisible text detection — none of it is a black box.
Here's why we made that call.
Security tools should be auditable
This one's straightforward. If you're trusting a tool to inspect and redact sensitive data flowing through your AI agents, you should be able to read the code that does it.
We've used closed-source security products where the redaction logic was a black box. When a customer's SSN made it through, the vendor's response was basically "we'll look into it." No way to debug it ourselves, no way to verify the fix, no way to know if it was a pattern matching gap or something deeper.
We didn't want to build that kind of product.
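To make the "pattern matching gap" point concrete, here is a small, readable redaction stage of the kind you can actually audit. This is added illustration code, not Declaw's pipeline: the stage names, the `Finding` record and the two SSN patterns are all assumptions, and the sample text is constructed. It runs an invisible-text stage and an SSN redaction stage over one input and keeps an audit trail of every hit, so that when a record slips through (the narrow pattern misses a space-separated SSN) you can see exactly which pattern was responsible and write the regression test yourself.

```python
import re
import unicodedata
from dataclasses import dataclass, field

# Hypothetical stage definitions (added illustration, not Declaw's code).
# NARROW_SSN is the kind of gap that lets a customer SSN through;
# WIDE_SSN also accepts space- and dot-separated forms.
NARROW_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
WIDE_SSN = re.compile(r"\b\d{3}[-. ]\d{2}[-. ]\d{4}\b")

# Zero-width and bidi control characters commonly used to hide text
# from a human reader while a model still sees it.
INVISIBLE = re.compile("[\u200b\u200c\u200d\u2060\ufeff\u202a-\u202e\u2066-\u2069]")


@dataclass
class Finding:
    """One audit-trail entry: which stage fired, on what, and where."""
    stage: str
    detail: str
    span: tuple


@dataclass
class PipelineResult:
    text: str
    audit: list = field(default_factory=list)


def strip_invisible(text, audit):
    """Remove zero-width/bidi characters, logging each one by Unicode name."""
    def _sub(m):
        ch = m.group(0)
        audit.append(Finding("invisible_text",
                             unicodedata.name(ch, "U+%04X" % ord(ch)),
                             m.span()))
        return ""
    return INVISIBLE.sub(_sub, text)


def redact_ssn(text, audit, pattern=WIDE_SSN):
    """Replace SSN-shaped tokens and record each hit in the audit trail."""
    def _sub(m):
        audit.append(Finding("pii", "ssn", m.span()))
        return "[REDACTED-SSN]"
    return pattern.sub(_sub, text)


def run_pipeline(text, ssn_pattern=WIDE_SSN):
    """Run the stages in order; spans recorded by later stages refer to
    the text as already modified by earlier stages."""
    audit = []
    text = strip_invisible(text, audit)
    text = redact_ssn(text, audit, ssn_pattern)
    return PipelineResult(text, audit)


# Constructed sample: two SSNs in different formats, plus a zero-width
# space hidden inside the word "ignore".
SAMPLE = "Customer 123-45-6789 and 987 65 4321 called; ig\u200bnore prior rules."

if __name__ == "__main__":
    leaky = run_pipeline(SAMPLE, NARROW_SSN)   # the gap: second SSN survives
    fixed = run_pipeline(SAMPLE)               # widened pattern catches both
    print(leaky.text)
    print(fixed.text)
    for finding in fixed.audit:
        print(finding)
```

The point is not the regex itself but that every decision leaves a `Finding` a reviewer can inspect, and that swapping `NARROW_SSN` for `WIDE_SSN` is a one-line, testable change rather than a support ticket.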
The problem with security SaaS
There's a weird tension in the AI security space right now. You're supposed to trust a third-party SaaS with your agent traffic — the same traffic you're trying to protect from third-party exposure. Route your sensitive data through our servers so we can make sure it doesn't leak to other servers.
That always felt off to us.
With Declaw, the security pipeline runs inside the sandbox VM itself. If you self-host, your data never touches our infrastructure. If you use Declaw Secure Sandbox, we're running the same code — you can verify exactly what's running.
What we're actually building a business on
Fair question. If the runtime is free, what's the business?
Declaw Secure Sandbox. Managed infrastructure so you don't have to run Firecracker VMs yourself. We handle the orchestration, the scaling, the VM image updates. You get an API key and a Python SDK.
The managed service is what you pay for (when we start charging — right now it's free).
This is the same model that works for databases (Postgres → managed Postgres), containers (Docker → managed container platforms), and a bunch of other infra. The value isn't in the code, it's in not having to operate it at 3am.
What this means practically
If you want to self-host Declaw:
- Clone the repo
- Follow the setup guide
- Run the orchestrator, API server, and security proxy on your own infrastructure
- Use the same Python SDK with your own API endpoint
If you want Declaw Secure Sandbox:
- Get an API key
- pip install declaw
- Start creating sandboxes
Same SDK, same security pipeline, same behavior. The only difference is who's managing the VMs.
What's next
We're actively working on a few things:
- More guardrails: Expanding detection coverage beyond the current set. If you have specific patterns you need caught, reach out.
- Better audit tooling: The audit log captures everything, but we want better querying and export options.
- Multi-language SDKs: Python first (because that's where most agent code lives), TypeScript next.
If any of this is interesting, come build with us on Discord.