
ZDNET's key takeaways
- Cisco says DefenseClaw is the oversight that's been missing in agentic AI.
- DefenseClaw will automatically block some agentic operations.
- Cisco enters a crowded field of security firms offering agentic oversight.
Agentic artificial intelligence, the kind that will automatically watch your email or book your flights, has been an overnight sensation, capturing the imagination but also presenting massive security risks.
A natural reaction by enterprise software vendors is to help the “good” agents and block the “bad” agents.
And, so, on Monday, networking and security giant Cisco Systems unveiled DefenseClaw, a play on the name of the open-source OpenClaw agentic AI framework that shot to popularity in January.
DefenseClaw is the “operational layer” for agentic security that has been missing, according to Cisco's head of AI software, DJ Sampath. It is a tool for oversight that will “keep a claw governed,” he wrote in a blog post. “That's zero to governed claw in under five minutes.”
DefenseClaw will be posted on GitHub starting March 27, said Sampath.
Govern the claws
Announced at the annual RSA security trade show in San Francisco this week, DefenseClaw is meant to address the lack of agentic projects going into production, according to Cisco.
Only 5% of enterprise agentic AI has moved from testing to production, according to a survey of “major enterprise customers” that Cisco said it recently conducted.
Sampath emphasized that OpenClaw is rapidly becoming every nerd's butler for just about any task. OpenAI has hired Peter Steinberger, the creator of OpenClaw, and Nvidia has offered its own version of the agentic framework, NemoClaw.
“My wife and I use it to plan our kids' schedules. I built an agent skill that pulls up the school lunch menu every morning as a reminder,” he related. His point is that agents via OpenClaw, Nvidia's open-source offering NemoClaw, or other open-source projects are rapidly expanding in an ungoverned, grassroots fashion.
The subtext of Sampath's blog is: Claws are out; better start thinking about them securely.
(In a related development, Meta — owner of Facebook, Instagram, and WhatsApp — is acquiring the bot social platform Moltbook, which has been a showcase of the good and bad of what can happen when OpenClaw is used to its fullest extent.)
DefenseClaw is designed to plug into and use a variety of tools, according to Sampath. OpenShell, the code sandbox software that was unveiled by Nvidia last week at its GTC conference, is important, and so are Cisco's scanning tools, he noted. “But who manages the block lists? Who sees the alerts when something goes wrong at 2 a.m.? That's DefenseClaw.”
DefenseClaw does three things, explained Sampath.
First, it scans every piece of code before it runs. “Every skill, every tool, every plugin, before it's allowed into your claw environment, and every piece of code generated by the claw gets scanned.” That scanning operation is composed of multiple individual tools, such as Cisco's open-source skill-scanner tool.
Second, the tool detects threats by scanning all messages entering and leaving the agent at runtime.
Third, DefenseClaw will automatically block a “skill,” such as an email server account, removing those permissions from the sandbox. The sandbox, in this case, may be Nvidia's OpenShell. Sampath emphasized that these automatic blocks “aren't suggestions; they're walls.”
Sampath gave an example of running the tool from the command line to first scan an OpenClaw install operation:
defenseclaw skill install community/jira-triage
With such a request, DefenseClaw would “scan first, check your block/allow lists, generate a manifest, and only then install. Nothing bypasses the admission gate.”
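The ordering Sampath describes (scan, then block/allow lists, then a manifest, then install) can be sketched as a fail-closed gate. This is an added illustration, not DefenseClaw's code or API: the scan rules, list contents, default-deny behavior and function names are assumptions, and the install step itself is left to the caller.

```python
import hashlib
import re

# Constructed policy data; every name and rule here is an illustrative assumption.
BLOCK_LIST = {"community/mail-forwarder"}
ALLOW_LIST = {"community/jira-triage"}
SCAN_RULES = {
    "pipes-download-to-shell": re.compile(r"curl[^\n|]*\|\s*(ba)?sh"),
    "reads-ssh-keys": re.compile(r"\.ssh/id_[a-z0-9]+"),
}


def scan(files):
    """Return sorted (path, rule) findings for every file in the skill."""
    return sorted(
        (path, rule)
        for path, text in files.items()
        for rule, pattern in SCAN_RULES.items()
        if pattern.search(text)
    )


def build_manifest(name, files):
    """Pin each admitted file to its SHA-256 so later changes are detectable."""
    digests = {p: hashlib.sha256(t.encode()).hexdigest() for p, t in sorted(files.items())}
    return {"skill": name, "files": digests}


def admit(name, files):
    """Scan, then check lists, then build the manifest; deny on any failure."""
    findings = scan(files)
    if findings:
        return {"admitted": False, "reason": "scan findings", "findings": findings}
    if name in BLOCK_LIST:  # block list wins even if the name is also allowed
        return {"admitted": False, "reason": "block-listed", "findings": []}
    if name not in ALLOW_LIST:  # assumed default: unknown skills are denied
        return {"admitted": False, "reason": "not allow-listed", "findings": []}
    return {"admitted": True, "reason": "ok", "manifest": build_manifest(name, files)}


def verify(manifest, files):
    """Re-check installed files against the manifest produced at admission."""
    return build_manifest(manifest["skill"], files) == manifest


if __name__ == "__main__":
    clean = {"SKILL.md": "Triage new Jira tickets by label."}  # constructed sample
    print(admit("community/jira-triage", clean))
```

The manifest matters after admission as well: re-running `verify` against the installed files shows whether a skill changed after it passed the gate.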
Cisco is using its Splunk log analysis tool as the monitoring system of record for all claws, said Sampath. “Every claw is born observable,” he wrote. “All stream into Splunk as structured events the moment your claw comes online.”
In fact, Cisco announced several additional Splunk extensions intended to make the tool more like an automated security operations center (SOC).
For example, a Guided Response Agent, due in alpha release “soon,” said Cisco, will “help SOC teams go from detection hypothesis to production in minutes with accuracy — allowing teams to quickly import, tune, and tag detections.”
The idea is that you type a request to the agent at the prompt, such as a query about the reputation of a given URL, and it will narrow down what needs to be checked.
[Image: Cisco's Guided Response Agent within the Splunk security operations center (SOC). Credit: Cisco Systems]
A multi-pronged toolkit
DefenseClaw is one of many pieces of an agentic AI security toolkit that Cisco announced on Monday. Other parts include enhancements to Cisco Secure Access to enforce agent identity verification and access control, and to apply zero-trust procedures to each agent created.
Cisco claimed it is moving beyond mere code scanning with the introduction of tools to red team potential risks, that is, to simulate real-world threats.
A new offering, Cisco AI Defense: Explorer Edition, will “conduct multi-turn adversarial testing for models and applications that power agentic workflows,” and examine the AI models themselves to “validate resistance to prompt injection, jailbreaks, and other unsafe outputs.”
Cisco is also offering an agent runtime SDK it claimed will “embed policy enforcement” into the code as it's being developed.
A crowded field
Cisco gets props for offering clever branding with DefenseClaw within what will become a very crowded market. Just about every enterprise vendor is pledging to secure, authenticate and potentially block agents in production.
That includes the traditional cybersecurity firms that have been handling zero trust, such as Palo Alto Networks and Zscaler; the DevOps firms that have handled code-scanning, such as JFrog and GitLab; and the observability firms that offer tools for both development-time and runtime oversight of code, such as Dynatrace and Datadog.
And then there are Anthropic, OpenAI, and Google, all of which offer tools for code scanning and related tasks.
It remains to be seen whether Cisco's control of enterprise networking — it holds a dominant share in corporate campus and wide-area routing and switching — will give the company an edge against those many other offerings. It's also not yet clear whether enterprises will hand off the whole matter to their security operations teams or simply push back on developers to be more careful with their code from the outset.
Some enterprises may just throw up their hands and forbid “claws” entirely.









