Built together

AI agents are being handed real power now — real credentials, real systems, real consequences — and the security to match hasn't caught up. Closing that gap is the whole reason Crawdad exists — and it's not a problem any single vendor solves in isolation. It gets solved alongside the people actually running agents in the wild, hitting the edges, and shaping what comes next.

So that's how Crawdad is built — with you, not just for you. There's no distance between the people using it and the people building it. When you run into something, it reaches engineering directly, and you can see the result right here on this page: much of what shipped over the last two months started with real users running the tool and showing us where it fell short. Report something on a Tuesday, and it's not unusual for the fix to land that week.

Every release is verified end-to-end before it ships, and every claim is reproducible — including the unflattering ones, because you deserve the real numbers, not the marketing ones. That's the standard we hold ourselves to, and it's the standard the community deserves.

If something's slowing you down, breaking, or just feels wrong — or if you see where this should go next — that's the conversation we want: contact@getcrawdad.dev. We read all of it, and it genuinely shapes what we build. Thank you for building this with us.

What we've shipped

Every release, newest first. Items tagged FEEDBACK were built because users asked for it.

2026-06-02 v0.12.1

FEEDBACK FEATURE

Node-family tool coverage. node, nodejs, jsnode, ts-node, tsx, and npx are now observed by default — testing revealed that only node was matched, and common aliases slipped through. Each is now covered by exact match.
npx moved from allowed to observed. npx downloads and immediately executes arbitrary packages — same risk profile as a language runtime. It's now in the observe tier so you see it in the Activity feed.
Policy upgrade propagation: existing installs receive the updated default policy on update via the built-in diff-merge upgrade.

2026-06-01 v0.12.0 — Graduated Trust

FEEDBACK FEATURE

The anchor release. Early testing showed Crawdad was too aggressive out of the box — blocking tool calls for benign dev work. This release introduces a graduated approach: real attacks still block immediately, but ambiguous actions are observed instead of blocked.

Two-tier default policy. High-confidence attacks (prompt injection, credential exfiltration, destructive commands) block by default. Ambiguous tool calls (language runtimes, network tools) are observed — passed through, recorded, and surfaced without interrupting work.
Observe mode. A new disposition between Allow and Ask. Observed events pass through the proxy unchanged but appear in the Activity feed for review.
Activity feed. Dashboard view showing a chronological stream of observed and blocked events with color-coded badges.
Promote-to-block. One-click "Block this" on any observed event writes a deny rule and reloads the policy engine instantly.
Session summaries. Per-session breakdown of observed, blocked, and "worth a look" events.
ML sensitivity presets. Strict / Balanced / Relaxed — one setting controls the ML classifier threshold across both the proxy and scan endpoints. Default is Balanced (99.8% detection, 0.09% FP on the open benchmark).
Linux uninstaller. curl -fsSL getcrawdad.dev/uninstall.sh | sh cleanly removes Crawdad. --purge flag to also remove data.

2026-05-20 v0.11.0 – v0.11.3 — Policy Engine

FEATURE

KDL capability policy engine. Configurable rules for filesystem, commands, network, and credentials. Supports Allow, Ask (pending review), Deny, and Kill verbs with per-tool and per-path granularity.
Pending Review queue. Actions that match an Ask rule are held for dashboard approval before proceeding. SSE-driven real-time updates.
Default security baseline. Ships with an opinionated default policy: read-only commands allowed, destructive commands blocked, system-admin commands require approval.
Policy page in the dashboard. Browse, enable/disable, and test rules. Import/export policy bundles for fleet deployment.
ML classifier calibration. Recalibrated the ML classifier to reduce false positives on benign developer chat (security discussions, code reviews) — with no loss of attack detection on the benchmark corpus.

2026-05-18 v0.10.5 – v0.10.7 — Reliability

FEEDBACK RELIABILITY

Driven by friction surfaced during real-world testing.

Dashboard no longer blanks on restart. A reconnection indicator appears automatically and dismisses when the sidecar is back.
Manual trust-level choices stick. Your explicit trust-level decision for an agent is no longer overridden by a single detection event.
Fewer false escalations. A single borderline detection no longer causes an abrupt trust-level change for an agent.
Events survive restart. The event stream replays missed events on reconnect so nothing is lost.
One-click restart to apply updates. Dashboard button replaces manual terminal commands.
General hardening and stability improvements.

2026-05-07 v0.10.2 – v0.10.4 — Install & ML Activation

INSTALL

ML detection activates on first boot. Fresh installs across macOS ARM64, Linux x86_64, and Linux ARM64 now reach full ML detection without manual steps. The model and runtime download in the background and activate automatically.
Robust Linux installer. Handles sudo installs correctly (resolves the real user's home, not root's). Graceful fallback on systemd-less distributions (Alpine, distroless). Handles minimal Docker containers.
Reproducible public benchmark. 99.80% attack detection (496/497), 0.09% false-positive rate (1/1,172) — verified end-to-end through the full proxy pipeline. Reproduce it yourself.
Install troubleshooting page. Docs → Install Troubleshooting covers every error path.

2026-05-06 v0.10.0 – v0.10.1 — Protection Modes

FEATURE

Protection modes. Maximum / Standard / Reduced / Paused. Standard is the default. Reduced flags most categories instead of blocking. Paused suppresses blocking while continuing to detect and record forensically — useful when Crawdad is in the way and you need to ship. Auto-unpause after a timer.
Protection-mode pill in the dashboard header. Always visible. One click to change. Keyboard shortcut for the modal.

2026-04-21 v0.9.2 — Cross-Platform ML

FEATURE

ML detection on three platforms. macOS ARM64, Linux x86_64, and Linux ARM64 all ship with auto-downloaded ML. Intel Mac remains pattern-only pending an upstream ONNX Runtime release.
Smaller ML model. FP16 quantization reduced the model from 541 MB to 272 MB with identical accuracy.
Deferred download. Install is binary-only (~30 MB, seconds). The ML model downloads silently in the background on first run.
Open benchmark corpus. 497 attacks across 13 categories, 1,172 benign samples across 4 categories. CC-BY 4.0, reproducible by anyone.
MCP server security database. 59 servers across 16 categories with trust-level classification.

2026-04-17 v0.9.1 — Remote Control Plane & Agent Trust

FEATURE

Monitor from your phone. Pair via QR code, then view live detections, change agent trust levels, and release quarantined agents from any network. All relay traffic is end-to-end encrypted — the relay sees only opaque ciphertext.
Per-agent trust levels. Four levels (Autonomous, Monitored, Restricted, Quarantined) with automatic escalation on detection events and configurable auto-recovery.
Agent attribution. Every request is attributed to the specific agent process that made it, so actions against one agent never affect another.
Dashboard agent behavior map. Per-agent activity sparklines, top tools, anomaly indicators.
Attack pattern intelligence. Ranked category bars with trend arrows, top and new-this-period patterns.

2026-04-15 v0.9.0 — Launch

FEATURE

7-layer detection pipeline. Pattern matching, ML classifier, indirect injection, session context, PII/credential detection, code scanning, optional LLM Judge.
Transparent proxy. One env var per provider — works with Claude Code, Cursor, Anthropic SDK, OpenAI SDK, and any base-URL-compatible client.
Local dashboard. Session timeline, detection details, audit trail, cost tracking.
Zero-knowledge architecture. Content stays on your machine by default. Only signed, content-free metering metadata exists — and even that is measured locally and never transmitted.
Signed binaries. macOS: signed + notarized by Apple. Linux: four-platform support.