Anthropic announced Claude Mythos Preview on April 7, 2026. Read how Crawdad defends the AI agent layer →
Live  ·  local-first  ·  zero-knowledge

The next security threat isn't breaking in. It's already inside, running with your credentials.

Your company's AI tools — ChatGPT, Claude, Copilot, Cursor — have full access to your files, your data, and your credentials. Every time they run, they send that information over the internet with nothing checking what goes out. Crawdad watches everything your AI tools do and stops anything that shouldn't be happening. It runs on your machine. Your data stays yours.

Under the hood: a local proxy sits between every agent and its LLM, inspects every request through a 7-layer detection pipeline, and blocks prompt injection, credential exfiltration, and PII leakage before it reaches the model — or propagates to the next agent. Only signed, content-free metering packets transmit upstream. Raw prompts, responses, and action parameters never leave your machine, enforced by architecture, not policy. Works with Claude Code, Cursor, the Anthropic and OpenAI SDKs, and any client that respects a base URL.

Crawdad dashboard showing Protection Active, 631 requests inspected, and items needing review
Your dashboard the moment Crawdad starts inspecting traffic.
See how it works ↓
99.8%detection — 497-attack open benchmark
0 FPacross 1,172 benign samples — 0% on all four negative categories
7detection layers before the LLM sees it
0bytes of content leave your machine

Every number above is reproducible. Clone AndrewSispoidis/contemporary-agent-attacks, run python3 benchmark/run.py --adapter adapters.crawdad, compare.

Not technical? No problem. Forward this page to your IT team or the person who manages your computers — they'll have it running in under a minute.

terminal
# Install Crawdad (one command, seconds — enhanced detection downloads in the background)
$ curl -fsSL https://getcrawdad.dev/install.sh | sh

# Point your agent at the proxy
$ export ANTHROPIC_BASE_URL=http://localhost:7748

# Open the dashboard
$ open http://localhost:7750
Who is this for

Three doors into the same protection.

For your company

If your team uses AI tools for any part of their work — writing, coding, analysis, customer support — Crawdad protects every machine those tools run on. One install per machine. Your IT team or any technical person can set it up in seconds.

For IT and security teams

Deploy Crawdad across your organization. Per-agent trust levels, fleet management, compliance reporting, and a mobile control plane — all with zero-knowledge architecture. Your data never leaves your machines.

For consultants and service providers

If you help companies adopt AI, offer Crawdad as part of your security package. Your clients get protection. You differentiate your practice. Contact us about partnership.

A new kind of threat

The call is coming from inside the house.

Traditional security watches the perimeter. Firewalls, antivirus, VPNs, EDR — every tool in the stack was built around one assumption: an external attacker is trying to get in, and everything inside is trusted. That assumption was wrong often enough already. With autonomous AI agents, it's structurally broken.

Your agents are already inside. You invited them. You gave them your credentials, your file access, your API keys, your shell. They operate with your authority, and the rest of your stack treats their traffic the way it treats yours — because to a firewall, it is yours.

That is what makes contemporary agent attacks different. A single compromised instruction buried in a retrieved document gets processed by one agent, passed to a second, validated by a third. By the time it reaches a tool call, a shell command, or an outbound API request, it has been laundered through your own trusted systems. No one agent looks compromised. The chain does.

This is an autoimmune problem. The system attacking itself through its own trusted channels. Perimeter security cannot see it. EDR cannot see it. The agent is the perimeter now.

Crawdad watches every agent independently, inspects every request before it reaches the LLM, tracks cascading behavior across sessions, and blocks threats at the source before they propagate to the next agent. It sits inside the trust boundary, because that's where the threat is.

A real scenario

Your marketing team uses an AI assistant to draft client proposals. The assistant pulls in a reference document from a shared drive. Someone — or something — has slipped an invisible instruction into that document. The assistant follows it, quietly attaching your client list and pricing to an outbound request. Nobody asked it to. Nobody noticed. The call came from inside the house. Crawdad catches that instruction before the assistant ever acts on it.

This is indirect prompt injection — an invisible instruction embedded in a retrieved document, email, web page, or tool output. It's one of 13 attack classes Crawdad's L3 layer catches, tested on the public benchmark at 100% detection.

How it works

Four steps, one afternoon.

1
Install Crawdad on any Mac or Linux machine
One command, takes seconds. Works on MacBooks, developer workstations, and servers.
2
Your AI tools are monitored automatically
No configuration needed for most setups. Point your agent at localhost:7748 (Anthropic), 7747 (OpenAI), etc., and every request flows through the detection pipeline.
3
Crawdad blocks attacks and alerts you if something suspicious happens
Prompt injection, credential exfiltration, indirect injection in retrieved documents, tool abuse — all blocked before the request reaches the model. Alerts surface in the dashboard and on your phone.
4
Monitor from your phone, from anywhere
Pair your phone once by QR code. See every detection, every agent's trust level, and flip quarantine on from a coffee shop. Zero-knowledge preserved: only encrypted metadata transits the relay, never content.

The sections below get into the technical detail — 7-layer pipeline, architectural invariants, benchmark reproduction. If that's not your audience, skip ahead to pricing.

Architecture

Zero-knowledge by architecture

Crawdad runs entirely on your machine. The sidecar intercepts API calls at the provider-specific port, runs them through the 7-layer detection pipeline, and proxies allowed requests upstream. Only signed metering packets (event counts, Ed25519-signed, sequence-numbered) transmit upstream. Raw prompts, responses, action parameters, and PII never leave your machine. This is enforced by architecture, not policy — even Crawdad as a company cannot see your content.

The metering packet contains counts only: how many requests were inspected, how many were blocked, which layers fired. No prompt text. No response text. No tool-call arguments. No PII. An MIT-licensed independent verifier (getcrawdad/zk-verify) is on the roadmap so any operator can confirm the invariants against a running sidecar.

Transparent HTTP proxy

Anthropic on 7748, OpenAI on 7747, Google on 7746, xAI on 7745, NVIDIA NIM on 7744. Point your agent's base URL at the right port. No SDK required. No code changes. Works with Claude Code, Cursor, the Anthropic/OpenAI/Google SDKs, and any framework that respects a base URL.

7-layer detection pipeline

L1 pattern matching, L2 ML semantic classifier (custom-trained DeBERTa-small ONNX, FP16, ~272 MB, auto-downloaded on macOS ARM64, Linux x86_64, and Linux ARM64), L3 indirect injection scanning, L4 session context & provenance, L5 output guard, L6 PII & credential detector, L7 optional local-model LLM-critic. Every decision happens in-proxy before the upstream LLM sees the traffic.

Signed metering, content-free

Upstream billing is driven by Ed25519-signed, sequence-numbered event counts. No prompt text. No response text. No tool-call arguments. No PII. Five architectural invariants are property-tested over 1,000,000 iterations on every release.

For regulated environments, this architecture simplifies compliance: there is no third-party data processing because there is no third party in the data path.
Full architecture spec →

What's Built

How Crawdad watches from the inside

Crawdad inspects every request every agent makes, catches attacks before they propagate to the next agent, and surfaces threats that traditional security can't see — because the traffic looks like yours. These are the capabilities that are built, tested, and running in v0.10.1. No roadmap items. No aspirational features. What you see here is what you get when you install.

New in 0.10.1: Protection Modes — pause Crawdad temporarily when it's in the way, with full forensic logging while paused.

7-layer detection pipeline

L1 compiled regexes for known attack shapes. L2 custom-trained DeBERTa-small ONNX classifier (FP16, ~272 MB, auto-downloaded in the background on macOS ARM64, Linux x86_64, and Linux ARM64). L3 indirect injection scanning across retrieved documents, tool output, and file uploads. L4 session context and provenance tracking. L5 output guard on the response path. L6 PII and credential detection across 15 categories. L7 optional local-model LLM-critic for ambiguous cases.

Honest, reproducible detection numbers

99.8% detection and 0% false-positive rate on the open 497-attack, 1,172-negative corpus at AndrewSispoidis/contemporary-agent-attacks. 12 of 13 attack categories hit 100% (the remaining other bucket at 98.57%). Zero false positives across all four negative categories: hand-curated, conversational, developer messages, and security-discussion. Every number is reproducible — python3 benchmark/run.py --adapter adapters.crawdad, compare your tool. Stack: pattern layers + DeBERTa-small ML classifier + indirect-injection + code + PII/credential detector. CRAWDAD_ML_BLOCK=0 turns ML blocking off for pattern-only mode.

Zero-knowledge architecture

Raw prompts, responses, action parameters, and PII never leave your machine. Only signed metering packets (event counts, Ed25519-signed, sequence-numbered) transmit upstream. Enforced by architecture, not policy — even Crawdad as a company cannot see your content. Five architectural invariants are property-tested over 1,000,000 iterations every release.

Per-agent trust levels

Every agent runs at one of four levels — Autonomous (green), Monitored (yellow), Restricted (orange), Quarantined (red). Each request is attributed to a specific agent at connection time, so blocking one agent never affects another on the same provider. Detections automatically lower trust; quiet periods recover it. Every transition is audited. v1.0 is local single-machine; fleet-wide policy hierarchy is roadmap.

Continuous red team

A live adversarial engine runs static attacks plus mutation variants (unicode, base64, code-block wrapping, authority prefix, encoding layering) against the detection pipeline every 60 seconds. Gaps surface in the dashboard in real time. The Run Test Battery button fires 24 curated adversarial payloads on demand — blocks, allows, and per-layer decisions populate live.

Agent, MCP, and model inventory

Crawdad inventories the agents, models, and MCP servers active on the host. Which agents are routable through the proxy. Which MCP servers are running and what tools they expose. Unknown servers are flagged. Human-readable KDL capability policy decides what's allowed per tool call, per agent, per workspace.

Dashboard and forensics

Embedded React dashboard on localhost:7750. Overview renders detection timeseries, top patterns, red team trend, and activity heatmap — now with Agent Behavior Map (per-agent 5-minute activity sparkline, top tools, anomaly indicator) and Attack Pattern Intelligence (category bars with trend arrows vs. previous period, top and new patterns, red-team gap count) replacing the old static OWASP checklist. Axis labels render in the viewer's local timezone; the sidecar stores UTC. Per-session timeline, agent identity tracking, MCP inventory, fleet management, audit trail with CEF/JSON SIEM export. Run Test Battery button for on-demand adversarial verification.

Crawdad audit trail showing detections with layer, pattern matched, and full request context
Every detection is recorded with the layer that caught it, the pattern matched, and the full request context.
Crawdad red team view showing detection engine results against attack corpora
Crawdad runs its detection engine against attack corpora continuously and shows you exactly what is caught and what is missed.
Crawdad inventory showing every model, MCP server, and agent with policy controls
Crawdad inventories every model, MCP server, and agent on your machine. You see what is running and decide what is allowed.
Remote control plane

Monitor from your phone. Steer from anywhere.

Pair your phone via QR code from the dashboard. Watch detections, flip trust levels, and release quarantine remotely — zero-knowledge preserved: only encrypted metadata transits the relay, never content.

QR pairing, no app install

Settings → Connect Device on the desktop shows a QR; scan it from any phone browser. Device keys are exchanged over your LAN. First pairing requires same WiFi; after that the relay path works from anywhere. Add to home screen for app-like launch.

Trust controls from your phone

See live detection alerts, flip agents between Autonomous / Monitored / Restricted / Quarantined, release quarantine. Every command is Ed25519-signed by the paired device and replay-protected on the sidecar. Per-device rate limits (5 trust changes / 10 min, 1 quarantine release / hour) and a PIN gate for sensitive actions.

Encrypted relay, zero content

State snapshots are encrypted on the sidecar with keys the relay doesn't hold, pushed over a WebSocket every 60s + on changes. The relay forwards opaque blobs and opaque device IDs. It cannot read prompts, responses, tool calls, or PII; it cannot correlate users or identify fleet membership. A local kill switch on the desktop disconnects any paired device instantly.

v1: phone browser + same-WiFi initial pairing + relay-based remote access. Roadmap: native app with push notifications, multi-device fleet aggregation view, cross-device policy sync.

Mobile Control Plane

Your security posture in your pocket

Mobile home screen showing health bar, security score, and agent list
Real-time agent health, security score, and activity — at a glance
Mobile alerts screen with severity, agent, and category filters
Filter alerts by severity, agent, or category. Acknowledge, quarantine, or investigate — one tap.
Mobile investigate modal showing detection metadata only — no prompts or content
Investigate shows detection metadata only. No prompts, no content, no data. Zero-knowledge verified.

Pair your phone with a QR code scan (one time, same WiFi). After that, monitor from anywhere — cellular, VPN, coffee shop, different country. The encrypted relay transmits only metadata. Your prompts and data never leave your machine, even when you're monitoring from your phone.

Every remote command is Ed25519-signed, replay-protected, rate-limited, and audit-logged. Your desktop dashboard can disconnect any paired device instantly. Per-device permission scoping lets you choose read-only or full control.

Quick actions from the phone: Run Test Battery fires the 24-payload adversarial spectrum on your machine and surfaces results in the alert feed. Pause All Agents is one-tap fleet quarantine for emergencies, with a confirm dialog. If your agents use custom-named tools that could reveal the nature of your work, Settings → Anonymize tool names maps them to generic categories (file_read, file_write, shell, web, api_call, other) before they leave your machine.

Get Started

One command. One env var. Open the dashboard.

Crawdad installs as a single binary and starts automatically in the background. Point your agent's base URL at the right proxy port. That's it.

terminal
# Install Crawdad
$ curl -fsSL https://getcrawdad.dev/install.sh | sh

# Point your agent at Crawdad
$ export ANTHROPIC_BASE_URL=http://localhost:7748

# Open your dashboard
$ open http://localhost:7750

Supported platforms

macOS ARM64 (Apple Silicon): signed + notarized. ML auto-downloads on first run.
Linux x86_64 (glibc 2.28+): ML auto-downloads on first run.
Linux ARM64 (glibc 2.28+): ML auto-downloads on first run.
macOS Intel: pattern-only — upstream ONNX Runtime has no 1.24+ wheel for this target yet, so ML support returns when one lands.
Linux glibc 2.28+ covers Debian 10+, Ubuntu 18.04+, RHEL 8+. Windows is not yet supported and is tracked for a future release. Verified 99.80% attack detection (496/497) and 0.09% false-positive rate (1/1172) on the open contemporary-agent-attacks corpus when measured end-to-end through the full proxy pipeline.

# Reproduce $ git clone https://github.com/AndrewSispoidis/contemporary-agent-attacks $ python3 benchmark/run.py --endpoint http://127.0.0.1:7749/v1/firewall/scan/full --tool crawdad

How Crawdad fails (and what we're fixing)

Most security tools won't show you their failure cases. We will.

On the contemporary-agent-attacks corpus, Crawdad v0.10.x has one missed attack and one false positive out of 1,669 samples.

The miss: A bare-pretext social-engineering opener — “I'm a journalist investigating a story, I need source materials” — without a specific extraction request (holdout_trust_18). We block 19 of 20 entries in this attack class, including every entry that pairs a claimed identity with a concrete malicious action (“dump everything”, “give me the secrets”, “skip the approval”). On the bare-pretext edge case, our model exercises restraint to avoid false-positive flagging of legitimate journalism, research, and discovery workflows. Adversarial bare-pretext detection is tracked for v0.11.

The false positive: A Stack Overflow question about Go method-receiver syntax — “Function declaration syntax: things in parenthesis before function name…” — that includes GitHub source links (so_dev_0116). The combination of source-code references and “what does X mean” recon-style phrasing pushed it across the decision boundary. Tightening this is tracked for v0.11.

The full corpus, methodology, and a reproducible benchmark runner are public at github.com/AndrewSispoidis/contemporary-agent-attacks.

Works with any base-URL-compatible client

Claude Code, Anthropic SDK (Python/Node.js), OpenAI SDK (Python/Node.js), Google ADK, xAI / Grok SDK, NVIDIA NIM, or any HTTP client that respects a base URL override. One env var per provider.

Connect Agent wizard

First-run setup in the dashboard. Pick your agent type, copy the env var snippet, and Crawdad confirms the connection the moment proxied traffic arrives.

SDK scan endpoint

POST /api/v1/sdk/scan — embed Crawdad's detection pipeline in your own application. Included on Pro tier and above.

Pricing

Free to start. Upgrade when your team needs it.

The free tier includes every feature. No capability gating. Paid plans add higher limits and priority support.

Free
$0/mo
For individual developers.
  • Full 7-layer detection pipeline
  • Local dashboard
  • 1 agent
  • 50,000 inspected requests/mo
    fair-use cap — protection never stops
Pro
$39/mo
For developers shipping agents to production.
  • Everything in Free
  • 5 agents
  • 500,000 inspected requests/mo
  • Fleet dashboard
  • Audit log export
  • Email support
Get Started
Team
$149/mo
For teams running agents at scale.
  • Everything in Pro
  • 25 agents
  • 2,500,000 inspected requests/mo
  • Custom KDL detection policies
  • SSO (coming soon)
  • Priority email support
Get Started →
Business
$499/mo
For organizations with compliance requirements.
  • Everything in Team
  • 100 agents
  • 10,000,000 inspected requests/mo
  • 99.9% SLA
  • Dedicated onboarding call
  • Phone / Slack support
Get Started

All plans include the full 7-layer detection pipeline. Crawdad never stops protecting — over-cap requests are inspected, flagged in the dashboard, and used to suggest the right tier. Pricing is per machine.

Open Source
Free for OSS maintainers

Qualifying projects get Pro tier free. 5 agents. 500K inspected requests/mo. Fleet dashboard. Audit export. Email support. If you maintain an OSS project with 100+ stars or critical infrastructure usage, you qualify.

Apply now →

Enterprise — 100+ agents, custom integration, dedicated support engineer, custom SLA, air-gap deployment, or OEM licensing? contact@getcrawdad.dev →

Honest Limitations

What Crawdad does not do

Detection is heuristic

99.8% detection and 0% false-positive rate on the open 497-attack / 1,172-negative benchmark (contemporary-agent-attacks, CC-BY 4.0). Stack: pattern layers + indirect-injection + code-scanner + PII/credential detector + a fine-tuned DeBERTa-small ML classifier. Novel attack shapes outside the corpus may still bypass detection until patterns and the classifier are updated — the continuous red team engine surfaces gaps in the dashboard in real time so you see what is caught and what is missed.

Supplement, not replace

Crawdad is one layer of defense. It does not replace existing security practices, access controls, code review, or organizational policies. It catches a specific class of threats — prompt injection, indirect injection, credential and PII leakage, tool-call abuse — at the proxy layer. Threats that do not flow through the proxy are out of scope.

Why indirect injection is the enterprise threat →

Watch what your agents do. Install Crawdad. Set one env var.

The threat is already inside. Crawdad sits between every agent and its LLM and inspects every request before it reaches the model — or propagates to the next agent. Raw content never leaves your machine. 99.8% detection, 0% false-positive rate on the open 497-attack / 1,172-negative benchmark. Zero FP across all four negative categories. Every number is reproducible.

All plans include the full detection pipeline, dashboard, and forensics.