
Cisco DefenseClaw is an open-source secure agent framework unveiled by Cisco at RSA Conference 2026 in San Francisco on March 23, 2026. Designed specifically for the emerging era of agentic AI (software that doesn’t merely answer questions but takes autonomous actions on behalf of businesses), DefenseClaw provides a unified, automated security pipeline for building, deploying, and continuously monitoring AI agents. By bundling four core tools (Skills Scanner, MCP Scanner, AI Bill of Materials, and CodeGuard) into a single installable framework, DefenseClaw allows development and security teams to scan every agent skill, verify every connected server, and inventory every AI asset, all without the manual effort that has historically made securing AI agents so burdensome.
In this article, we’ll discuss what Cisco DefenseClaw is, why it matters now, how its core scanning tools work together, how it integrates with NVIDIA’s OpenShell runtime, where it fits inside Cisco’s broader agentic security strategy, and what enterprises should know before adopting it. Whether you’re a security engineer trying to govern a growing fleet of AI agents, or a developer looking to ship faster without sacrificing safety, DefenseClaw represents a meaningful shift in how organizations can approach AI security.
TL;DR Snapshot
Cisco DefenseClaw is an open-source AI agent security framework announced at RSA 2026. It automates the scanning, sandboxing, and inventorying of AI agents, their tools, and their connections, closing the gap between the 85% of enterprises experimenting with AI agents and the 5% that have confidently moved them to production. DefenseClaw installs quickly and continuously monitors agents from admission through runtime.
Key takeaways include…
- DefenseClaw is free, open-source, and installable in about five minutes. It scans every skill, plugin, and MCP server before an agent is permitted to run, and continues monitoring at runtime to catch vulnerabilities introduced after initial deployment.
- It’s built to integrate directly with NVIDIA’s OpenShell runtime, providing a hardened, sandboxed execution environment for AI agents and eliminating many manual security steps that have historically slowed enterprise adoption.
- DefenseClaw is one part of Cisco’s larger agentic AI security platform announced at RSA 2026, which also includes Zero Trust Access for agents, AI Defense: Explorer Edition, and major Splunk SOC enhancements.
Who Should Read This: Security Engineers, Enterprise Architects, AI Developers, IT Leaders, and Technology Enthusiasts.
The AI Agent Security Gap: Why DefenseClaw Arrives at a Critical Moment
Agentic AI, software that can autonomously browse the web, write code, query databases, send messages, and orchestrate other agents, is no longer a futuristic concept. And yet the data from early adopters tells a sobering story. A recent Cisco survey of large-scale enterprises found that while 85% of respondents are actively experimenting with AI agents, only 5% have moved those agents into production environments. The gap between experimentation and deployment is almost entirely explained by one word: security.

AI agents are uniquely difficult to secure for several reasons. Unlike traditional software, which executes a fixed set of instructions, agents are self-evolving. They install new skills, connect to external servers via protocols like MCP (Model Context Protocol), generate code dynamically, and interact with other agents. A skill that is completely safe when first installed could begin exfiltrating data days later. A connected MCP server could be compromised by a third party. An agent permitted to read a financial database might, through a subtle prompt injection, be manipulated into writing to it instead.
Traditional security tools weren’t built for this. They protect humans and static systems. The agentic world requires something new: a framework that treats every agent as an identity requiring onboarding, every skill as a package requiring scanning, and every runtime session as a transaction requiring monitoring. DefenseClaw is Cisco’s answer to that requirement.
Inside DefenseClaw: How the Five-Tool Scan Engine Works
DefenseClaw’s power comes from a unified scan engine that runs five specialized tools. Together, they cover every dimension of an AI agent’s attack surface, from the skills it runs, to the servers it calls, to the code it generates.
- Skills Scanner: Every AI agent relies on “skills,” discrete capabilities it can invoke to complete tasks, such as searching the web, querying a CRM, or sending an email. The Skills Scanner inspects each skill before it is permitted to run inside the agent environment. It checks for known vulnerabilities, unexpected behaviors, and permission mismatches. If a skill requests access beyond what the agent’s defined scope allows, it is flagged and sandboxed before it can cause harm.
- MCP Scanner: Model Context Protocol (MCP) servers act as connectors between AI agents and external tools or data sources. They are powerful but potentially dangerous, as a compromised or misconfigured MCP server can become an entry point for attackers to manipulate an agent’s behavior. The MCP Scanner verifies the integrity of every MCP server an agent interacts with, confirms it’s on the authorized allow-list, and monitors the endpoint for changes over time. If an MCP server is blocked, DefenseClaw removes its endpoint from the sandbox’s network allow-list and denies all further connections at the OpenShell level.
- A2A Scanner: As AI deployments mature, agents increasingly interact with other agents, a pattern known as agent-to-agent (A2A) communication. This introduces a new vector: a malicious or compromised sub-agent can corrupt the behavior of an orchestrating agent. The A2A Scanner monitors and validates these inter-agent communications, ensuring that no unauthorized agent is injecting instructions or data into a trusted agent’s workflow.
- CodeGuard: One of the most overlooked risks in agentic AI is that agents don’t just execute pre-written code; they generate new code on the fly. CodeGuard is a static analysis layer that inspects every piece of code produced by an AI agent before it is executed. It enforces a policy ruleset encoding security best practices, flagging dangerous patterns such as unchecked file system writes, open network sockets, or privilege escalation attempts.
- AI Bill of Materials (AI BoM): Just as a software bill of materials (SBOM) inventories every library and dependency in a traditional application, the AI BoM automatically generates and maintains a complete inventory of every AI asset in the environment. This includes which agents are running, which skills they use, which MCP servers they connect to, and which models they rely on. Importantly, the inventory is not a one-time snapshot; DefenseClaw continuously updates it as agents evolve, giving security teams a live, auditable record of their agentic workforce.
Critically, all five of these tools run not just at the admission gate, but also at runtime. As DJ Sampath, Cisco’s SVP of AI Software and Platform, explained: “Claws are self-evolving systems. A skill that was clean on Tuesday can start exfiltrating data on Thursday. DefenseClaw doesn’t assume what passed admission stays safe.” A content scanner inspects every message flowing in and out of the agent at the execution loop itself, providing continuous protection against newly introduced threats.
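As an added illustration (not DefenseClaw’s own code, whose internals the article does not show), a toy admission gate in Python that applies the three checks described above: a skill’s requested permissions against the agent’s defined scope, an MCP endpoint against an allow-list, and a CodeGuard-style static scan of agent-generated code for file writes, network sockets, and privilege changes. The function names, the ruleset, the permission labels, and the sample generated code are all constructed for this example.

```python
import ast
from dataclasses import dataclass, field
@dataclass
class Verdict:
    allowed: bool
    findings: list = field(default_factory=list)

def check_skill_scope(requested: set, agent_scope: set) -> Verdict:
    """Skills Scanner analogue: a skill asking for more than the agent's defined scope is flagged."""
    excess = sorted(requested - agent_scope)
    return Verdict(not excess, [f"skill requests out-of-scope permission: {p}" for p in excess])

def check_mcp_endpoint(endpoint: str, allow_list: set) -> Verdict:
    """MCP Scanner analogue: only endpoints on the authorized allow-list may be called."""
    ok = endpoint in allow_list
    return Verdict(ok, [] if ok else [f"MCP endpoint not on allow-list: {endpoint}"])

# CodeGuard-style ruleset (constructed for this example): dotted call name -> why it is flagged.
DANGEROUS_CALLS = {
    "socket.socket": "opens a network socket",
    "os.setuid": "privilege escalation attempt",
}

def _dotted_name(call: ast.Call) -> str:  # 'os.setuid' from a call's AST; '' if not a plain name
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(node.id)
    return ".".join(reversed(parts))

def check_generated_code(source: str) -> Verdict:
    """CodeGuard analogue: static scan of agent-generated Python for dangerous call patterns."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node)
        if name in DANGEROUS_CALLS:
            findings.append(f"line {node.lineno}: {name} {DANGEROUS_CALLS[name]}")
        elif name == "open":  # unchecked file-system write: any write/append mode, or a mode we cannot read
            mode = node.args[1:2] or [k.value for k in node.keywords if k.arg == "mode"]
            literal = "r" if not mode else (mode[0].value if isinstance(mode[0], ast.Constant) else "?")
            if set("wax+?") & set(str(literal)):
                findings.append(f"line {node.lineno}: open() with mode {literal!r}")
    return Verdict(not findings, findings)
# Constructed sample of "agent-generated" code: a write, a socket and a setuid, plus one harmless read.
GENERATED_CODE = "import os, socket\nopen('/tmp/out.txt', 'w').write('x')\nsocket.socket()\nos.setuid(0)\nopen('/etc/hosts').read()\n"
```

A real gate would run these checks again on every loop iteration, as the article describes for runtime monitoring, rather than once at admission.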
DefenseClaw and NVIDIA OpenShell: A Hardened Runtime for AI Agents
DefenseClaw does not operate in isolation. One of its defining characteristics is its deep integration with NVIDIA’s OpenShell, a runtime environment released by NVIDIA that provides a sandboxed execution context for AI agents. OpenShell can be thought of as the operating environment in which an agent lives and breathes; DefenseClaw is the security layer that governs what that agent is allowed to do.

When an agent skill is blocked by DefenseClaw, its sandbox permissions inside OpenShell are immediately revoked and its associated files are quarantined. When an MCP server is blocked, OpenShell denies all outbound connections to that endpoint at the network level. This tight coupling means that policy decisions made by DefenseClaw have real, immediate enforcement teeth. They don’t merely generate alerts that a human must act upon; they alter what the agent is physically capable of doing.
This collaboration extends Cisco’s existing partnership with NVIDIA, which has produced joint work on the OpenClaw agentic framework and NemoClaw enterprise agent capabilities. DefenseClaw is specifically described as the security layer designed to make OpenClaw-style deployments safe for enterprise production use. The framework is expected to be available on GitHub as of March 27, 2026.
DefenseClaw in Context: Cisco’s Full Agentic Security Platform at RSA 2026
While DefenseClaw is the headline open-source release, it is just one component of a much larger security platform Cisco unveiled at RSA Conference 2026. Understanding where DefenseClaw sits within that broader set of announcements helps clarify what it does, and what it does not do on its own.
Zero Trust Access for AI Agents (Duo IAM): Cisco extended its Duo Identity and Access Management platform to support AI agent identities. Enterprises can now register agents, map them to human owners, define time-bound permissions, and enforce those permissions at the MCP gateway. An agent granted access to a financial database can be restricted to read-only access, with that access expiring after a defined window.
AI Defense: Explorer Edition: A self-service red-teaming toolkit that lets developers test AI models and applications for resilience against prompt injection, jailbreak attempts, and unsafe outputs before those agents go anywhere near a production environment. It integrates directly into CI/CD pipelines via GitHub Actions, GitLab, Jenkins, and similar platforms.
Agent Runtime SDK: A software development kit that embeds security policies and enforcement controls directly into agent code at build time, supporting major cloud environments including AWS Bedrock, Google Cloud Vertex, and Microsoft Azure AI Foundry.
Splunk Agentic SOC Enhancements: Cisco dramatically expanded its Splunk Enterprise Security platform with AI-driven SOC automation, including a SOP Agent that imports security standard operating procedures into response workflows, a Triage Agent that autonomously enriches and prioritizes alerts, Detection Studio for detection engineering, and Exposure Analytics that continuously maps all assets and their relationships across a corporate network.
Taken together, Cisco’s RSA 2026 announcements represent a full-stack approach to agentic AI security: identity and access at the entry point, pre-deployment red teaming, runtime enforcement via DefenseClaw and OpenShell, and reactive threat hunting through an AI-augmented SOC. DefenseClaw is the developer-facing, open-source centerpiece of that strategy, the piece designed to make it easy for engineering teams to build secure agents without waiting for a security team to manually audit every component.
What Enterprises Should Know Before Adopting DefenseClaw
DefenseClaw’s open-source nature and five-minute install time lower the barrier to adoption significantly. But before rolling it into a production pipeline, enterprise security and engineering teams should keep several considerations in mind.

Availability timeline: DefenseClaw itself is expected on GitHub around March 27, 2026. However, several of the complementary Cisco capabilities (e.g. Exposure Analytics, the SOP Agent, and Federated Search) are slated for April and May, while the Automation Builder Agent and Triage Agent target June releases. Organizations planning a comprehensive agentic security rollout should map these staggered release dates against their own deployment schedules.
OpenShell dependency: DefenseClaw’s deepest capabilities, particularly the runtime enforcement of blocked skills and MCP servers, depend on NVIDIA’s OpenShell environment. Organizations not already running OpenClaw or OpenShell-based agent infrastructure will need to factor that into their architecture planning.
Competitive landscape: Cisco is not alone in this space. At RSA 2026, Microsoft announced AI security dashboards and shadow AI detection tools, CrowdStrike unveiled EDR AI Runtime Protection and Shadow AI Discovery for Endpoint, and SentinelOne added Prompt AI Agent Security. Cisco’s differentiation lies in its open-source approach, ecosystem breadth (integrating NVIDIA, AWS, Google, and Microsoft cloud runtimes), and the unification of scanning tools into a single installable framework.
The “shift-left” philosophy: DefenseClaw, and the AI Defense Explorer Edition alongside it, reflect a “shift-left” approach to AI security, meaning security is embedded earlier in the development lifecycle rather than bolted on after deployment. This is a cultural as much as a technical shift for many enterprises, requiring closer collaboration between AI engineers and security teams. Organizations that invest in that cultural shift now are likely to be better positioned as agentic AI continues its rapid expansion.
Frequently Asked Questions
What is Cisco?
Cisco Systems is one of the world’s largest networking and cybersecurity companies, headquartered in San Jose, California. Founded in 1984, it is best known for internet routing and switching hardware, but has expanded significantly into enterprise software, cloud security, and AI over the past decade. Its security portfolio includes the Duo identity management platform, Cisco Secure Access, and Splunk Enterprise Security (Cisco acquired Splunk in 2024). Cisco stock rose approximately 1.5% on the day DefenseClaw was announced.
What is an AI agent?
An AI agent is a software system powered by a large language model (LLM) that can take autonomous actions: not just generating text, but interacting with tools, browsing the internet, writing and running code, calling APIs, and coordinating with other agents to complete multi-step tasks on behalf of a user or business. Unlike a traditional chatbot that responds to a single prompt, an AI agent can plan, reason, and execute a chain of actions over time.
What is the Model Context Protocol (MCP)?
Model Context Protocol (MCP) is an open standard, originally developed by Anthropic, that defines how AI agents connect to and communicate with external tools, data sources, and services. An MCP server acts as a bridge between an AI agent and a resource, like a CRM database, a file system, or an email client. Because MCP servers mediate agent access to potentially sensitive systems, they are a critical security surface that DefenseClaw specifically targets with its MCP Scanner.
What is NVIDIA OpenShell?
NVIDIA OpenShell is a sandboxed runtime environment released by NVIDIA that provides a controlled execution context for AI agents, and is part of NVIDIA’s OpenClaw agentic AI ecosystem. OpenShell allows agents to run skills, plugins, and tools in an isolated environment, so that a compromised or malfunctioning component cannot directly affect the host system. DefenseClaw hooks into OpenShell to enforce its security policies at the runtime level.
What is zero trust?
Zero trust is a security philosophy based on the principle of “never trust, always verify.” Rather than assuming that entities inside a corporate network are safe, a zero trust model requires that every user, device, and application prove its identity and obtain explicit permission for every resource it accesses. Cisco is extending zero trust to AI agents, meaning each agent must be registered with a verified identity, mapped to a human owner, and granted only the minimum permissions necessary to complete its task, with those permissions expiring after a defined time window.
What is RSA Conference?
RSA Conference (RSAC) is one of the world’s largest cybersecurity conferences, held annually in San Francisco. It serves as a major stage for cybersecurity vendors to announce new products, research, and partnerships. RSA 2026 took place in March 2026 and featured announcements from Cisco, Microsoft, CrowdStrike, SentinelOne, Palo Alto Networks, and dozens of other security vendors.
What is Splunk?
Splunk is a leading security information and event management (SIEM) platform that allows enterprises to collect, analyze, and act on security data from across their IT environment. Cisco acquired Splunk in 2024, making it a core part of Cisco’s security operations center (SOC) offering. At RSA 2026, Cisco announced major AI-driven enhancements to Splunk Enterprise Security, including specialized agents for triage, detection engineering, and automated incident response.
Is DefenseClaw free and open-source?
Yes. DefenseClaw is an open-source project being published on GitHub, free to use, modify, and contribute to. Cisco’s commercial revenue opportunity lies in the surrounding offerings (e.g. Duo IAM, Cisco Secure Access, AI Defense, and Splunk) rather than in DefenseClaw itself. The open-source strategy is consistent with Cisco’s broader approach of building community adoption around foundational tools before monetizing the enterprise platform layer above them.
