Direct injection is when a user types instructions designed to override the agent's behavior, like "ignore previous instructions." Modern LLMs handle most direct injection well. Indirect injection is when malicious instructions are embedded in content the agent processes — a web page, a document, a tool result — and the agent treats them as instructions. Indirect injection is the dominant enterprise threat in 2026. Anthropic dropped the direct prompt injection metric from their system cards in February 2026 specifically because indirect attacks are more relevant to production deployments. Crawdad's L3 layer specifically scans for indirect injection attempts in tool results, web content, and documents.
Three things. First, Crawdad normalizes content aggressively before pattern matching — stripping zero-width characters, unicode confusables, decoding base64/hex/ROT13/URL encoding, and stripping markdown wrappers. Second, detection patterns run against ALL contexts (tool results, agent responses, code), not just user messages. Third, the LLM-as-Critic validates that agent responses match the user's original intent, catching hijacks that bypassed pattern matching entirely.
No. Crawdad works out of the box with detection layers L1–L6 plus structural defenses. For the optional L7 LLM-critic (judgment for ambiguous cases), install Ollama and a local model: brew install ollama && ollama pull llama3.1:8b. Recommended but not required. 99.80% detection, 0% false-positive rate on the open 497-attack, 1,172-negative benchmark. Stack: pattern layers + fine-tuned DeBERTa-small ML classifier + indirect-injection + code + PII/credential detector.
Because only the binary downloads at install time. Pattern detection is active the moment the sidecar starts, so your agents are protected immediately. The ML model (~272 MB) and the platform libonnxruntime shared library download in the background on first run — the dashboard shows a single line of status while it's happening, and full detection activates automatically on the next sidecar restart. The download runs exactly once per machine.
The full pattern layer plus the indirect-injection, output-guard, code, and PII/credential detectors are all live from the first request. ML adds the remaining attack coverage that brings the stack to 99.80% detection. While the model downloads, pattern detection is blocking prompt-injection, credential exfiltration, and tool abuse attempts exactly as it will after ML activates; ML is an upgrade, not a gate.
The sidecar retries three times with backoff, resuming via HTTP Range requests where the server supports it. If the SHA-256 doesn't match, the partial file is deleted and the download restarts. If all three attempts fail the dashboard shows "Detection enhancement paused — will retry automatically" and the sidecar keeps running in pattern-only mode. The retry happens on the next sidecar restart. Insufficient disk space (model size + 200 MB margin) produces "Additional detection capabilities require more disk space" instead. At no point does any failure interrupt pattern detection or your agent's traffic.
Only signed metering packets (event counts, Ed25519-signed, sequence-numbered) transmit upstream. Raw prompts, responses, action parameters, and PII never leave your machine. This is enforced by architecture, not policy — even Crawdad as a company cannot see your content. The sidecar binary intercepts API calls, scans content, records sessions to local SQLite, and serves the dashboard — all on localhost.
Only signed metering packets (Ed25519-signed event counts) transmit upstream. No prompt text, no response text, no tool-call arguments, no PII values. All scanning, detection, and recording happens inside the sidecar binary on localhost. For regulated environments, there is no third-party data processing because there is no third party in the data path.
Yes. The Crawdad Secure Agent package runs entirely on your own infrastructure. Your data never touches our servers. Download the installer at getcrawdad.dev.
The proxy fails open — if the Crawdad sidecar is unreachable, your agent's requests go directly to the AI API with an X-Crawdad-Status: degraded warning header. Your agent never stops working. The sidecar runs locally as a system service and restarts automatically, so downtime is rare.
Pattern-only layers (L1, L3–L6) run sub-millisecond in memory — compiled regexes, no network calls, no disk I/O. The rules-based pre-filter adds sub-millisecond on top. The ML layer (L2) only runs when the pre-filter flags input as attacker-shaped, so most conversational traffic skips ML inference entirely and stays at sub-10ms p99. When ML does run, inference time varies by platform: low on macOS ARM64 with native ONNX prebuilts, higher on platforms running through the Rust ORT path (Python inference subprocess fix is post-v0.10.0 work). LLM response generation takes 500ms–5s regardless, so pipeline overhead is small relative to round-trip.
Cancel anytime from your dashboard. No cancellation fees. Your data is available for export for 30 days after cancellation. After 30 days it is permanently deleted.
Crawdad is licensed under BSL 1.1. The sidecar's detection logic and proxy are verifiable by inspecting network traffic — you can confirm that only signed metering packets leave your machine using curl http://localhost:7749/v1/verify. Five architectural invariants are property-tested over 1,000,000 iterations on every release by the crawdad-zk-verify crate. A standalone getcrawdad/zk-verify MIT reproducer is on the roadmap so any operator can confirm the invariants independently. No third-party security audit has been completed. Results will be published publicly when available.
Crawdad is built in Rust for memory safety. 1,201 tests across 17 crates. Licensed under BSL 1.1. Contact us at contact@getcrawdad.dev.
Crawdad runs entirely locally with no external network dependencies for core functionality. Threat feed updates can be disabled for air-gapped environments. Contact us at contact@getcrawdad.dev for details.
Any framework that uses the Anthropic, OpenAI, or Google APIs. Set ANTHROPIC_BASE_URL=http://localhost:7748 (or the equivalent for OpenAI/Google) and your agent's traffic is protected automatically. Tested with: Claude Code, OpenClaw, Cursor, Aider, LangChain, CrewAI, AutoGen. Also available as a Python SDK for explicit API calls.
Any Crawdad installation can be a Fleet Manager (receives reports), Fleet Member (sends reports), or both. Members periodically POST posture metadata to the manager — security scores, detection counts, layer status, agent counts, policy hash. The manager dashboard shows all devices in real time with health indicators. Configure in Settings → Fleet Management.
Fleet reporting sends only posture metadata: security scores, detection counts, layer status, agent counts, and policy hash. Session content, prompts, responses, and file data never leave any device. The manager stores only the metadata it receives.
Two options: (1) Transparent proxy — set your agent's base URL to the Crawdad proxy port (no code changes). (2) SDK scan endpoint — POST content to /api/v1/sdk/scan and receive detection results (sub-millisecond on pattern-only layers; ML layer adds platform-dependent inference time). A Python client is included. Available on Pro tier and above. Contact contact@getcrawdad.dev for OEM licensing.
Crawdad never stops protecting. Cancellation moves you to the Free tier, which includes the full 7-layer detection pipeline (1 agent, 50K requests/month fair-use). All your data remains on your machine and is fully accessible. You can export everything at any time. Re-subscribe whenever you want to lift the agent/request caps.
Settings → Your Data → Export All Data. Downloads a complete backup of sessions, audit events, and configuration. Your data is stored locally and always accessible regardless of subscription status.
Yes. Core detection works fully offline. Disable threat feed updates in Settings. Fleet management works on internal networks with no internet dependency.
Executive (2-3 pages): summary stats, OWASP coverage, key findings, recommendations. Full (5-10 pages): adds complete detection detail, AI inventory, policy configuration, threat intelligence. Technical (20+ pages): adds full session forensics, tool risk analysis, attack sequences, and data flow for every detection.
Every agent Crawdad detects runs at one of four levels. Autonomous (green) runs L1–L6 detection with L7 LLM-critic skipped for speed, no restrictions. Monitored (yellow) runs the full L1–L7 pipeline with no restrictions — the default for newly discovered agents. Restricted (orange) runs the full pipeline plus active per-tool-call restrictions (block Bash/shell, deny reads from /etc, ~/.ssh, ~/.aws, ~/.config; all editable per-agent). Quarantined (red) returns HTTP 403 to every request from that agent before detection runs. Enforcement is per-agent — each inbound request is attributed to the specific agent process that made it (by resolving the caller's TCP socket to its owning PID and walking the process tree), so blocking one agent never affects another on the same provider.
The system ratchets the offending agent's trust level down one step automatically. Autonomous → Monitored on any detection scored ≥ 50. Monitored → Restricted on score ≥ 70, or on two detections within five minutes. Restricted → Quarantined on score ≥ 90, or on three detections within ten minutes. Exfiltration-class patterns (credentials, PII, recon) quarantine immediately from any level. Every transition is audited with its trigger string, previous level, and whether it was manual or automatic — visible on the agent detail view in the dashboard. After a quiet period with no detections, a background loop walks auto-escalated agents back toward Autonomous one level at a time (Monitored → Autonomous after one hour by default; longer recovery windows for Restricted and Quarantined and default off, requiring human review). Manual level changes are never auto-reverted.
Yes. Click the protection mode pill in the dashboard header (or the Settings page Protection Mode panel), then choose Paused with a duration of 5 minutes, 15 minutes, 1 hour, or until you manually unpause. While paused, Crawdad continues to detect attacks and record them forensically — it just stops blocking. Auto-unpause is enforced server-side, so a paused sidecar will return to its previous mode at the end of the duration even if you forget. You can also unpause immediately with the "Unpause Now" button in the modal.
The endpoint that changes mode lives only on the management API and is not reachable from the proxy data path. A compromised LLM response or an injection payload arriving through traffic cannot trigger a pause. Quarantined agents remain quarantined regardless of mode. Allow-Always rules continue to apply. Detection still runs at every mode.
Yes, per-agent. Each agent_identities row carries an auto_recovery_enabled flag and an auto_recovery_after_seconds dwell time. Both are editable via the agent detail view. Disabling auto-recovery leaves an auto-escalated agent at its current level until a human changes it manually. Automatic escalation down (the ratchet toward more restriction) always runs — Crawdad never ignores detection signal. What you can disable is the recovery path that walks agents back up.
Yes. Open Settings → Connect Device on the dashboard, scan the QR code from your phone, and you're paired. From the phone you can watch live detections, flip an agent's trust level (Autonomous / Monitored / Restricted / Quarantined), release a quarantined agent, and receive alerts — from anywhere. First pairing needs you on the same WiFi as the desktop so the handshake stays local; after that the encrypted relay path works over any network.
Yes, by design. Every remote command from the phone is Ed25519-signed by the paired device's key and replay-protected on the sidecar. Relay traffic is AES-256-GCM encrypted — the relay forwards opaque blobs it cannot decrypt. Per-device rate limits cap sensitive actions (5 trust changes per 10 minutes, 1 quarantine release per hour). Sensitive actions can be PIN-gated. Permissions can be scoped per device (view-only or full control). A local kill switch on the desktop disconnects any paired device instantly. Every accepted remote command is written to the immutable audit trail with its device ID.
Encrypted blobs and opaque per-device IDs. Nothing else. State snapshots and alerts are encrypted on the sidecar with a key the relay doesn't hold; commands are signed by a key the relay doesn't hold. The relay cannot read prompts, responses, tool-call arguments, PII values, detection content, trust levels, or agent names. It cannot correlate devices to tenants or identify fleet membership — the only identifier that crosses the boundary is a random 128-bit per-device token.
No. The mobile UI is a web app that works in any modern phone browser. Add it to your home screen for an app-like launch experience. A native app with push notifications is on the roadmap but not required for any v1 capability.
Home: a one-line health bar (uptime, requests inspected today, blocked today), a 0–100 security score with three sub-scores (trust posture, detection health, alert hygiene) and a trend arrow, three-up activity stats (Today / Week / Month), and the agent list with colored trust dots. Alerts: filter by severity / agent / category; per-alert Acknowledge, Quarantine, and Investigate (Investigate shows metadata only — time, agent, category, pattern, severity, verdict — never content). Agent detail: 24-hour activity sparkline, tool usage chips, trust-level selector. Settings: notification preferences (threshold, per-agent mute, quiet hours), tool-name anonymization toggle, disconnect device.
A floating action button on the home screen opens two emergency-grade commands. Run Test Battery fires the 24-payload adversarial spectrum through your local detection pipeline and surfaces results in your alert feed — useful to sanity-check detection from a hotel room. Pause All Agents quarantines every routable agent in one tap, with a confirmation dialog, for incidents where you want traffic stopped before you finish debugging. Both are signature-gated like any other remote command.
By default the remote state snapshot carries real tool names (Read, Bash, WebSearch) so the phone can show tool-usage counts meaningfully. If your agents use custom-named tools that could reveal the nature of your work (query_patient_database, stripe_refund), enable Anonymize tool names in Settings (desktop or mobile). Names are mapped to six generic buckets (file_read, file_write, shell, web, api_call, other) only at the snapshot boundary. The local agent_activity table and desktop dashboard always show the real names. Startup default is off; set CRAWDAD_ANONYMIZE_TOOLS=1 to enable at boot.
Nothing. The app has two transports in parallel — the direct HTTP path (used when your phone shares WiFi with the desktop) and the encrypted relay WebSocket (used everywhere else). If one goes down, the other takes over. Local state and the last-known alert feed are cached in the phone's IndexedDB, so the app renders immediately on every launch and fills in live data as the transports come back. Specifically: after a desktop reboot that changes the LAN IP, the phone races a 3-second direct probe and falls back to the relay automatically — never a blank screen. When both transports are offline the app shows a red banner ("Machine appears to be offline — showing last known state") above the cached content instead of going blank.
Yes. Tap the floating action button on the home screen and choose Run Test Battery. The phone sends an Ed25519-signed run_test_battery command; the sidecar kicks off the local test battery in a background task (same pipeline the desktop Run Test Battery button uses) and the resulting detections flow into your alert feed on both phone and dashboard within the next snapshot cycle.
Two new widgets replace the old static OWASP checklist: Agent Behavior Map (polls every 10s; per-agent trust dot, 5-minute activity sparkline, top tools in the last 5 minutes, last action + relative timestamp, anomaly indicator when volume exceeds baseline + 2σ or a detection fires) and Attack Pattern Intelligence (polls every 60s; 24h / 7d / 30d range selector, total blocked, ranked category bars with trend arrows vs. previous equal-length period, top patterns, new-this-period patterns highlighted, red-team-gaps link). Chart axis labels render in the viewer's local timezone; the sidecar still stores everything in UTC.
Fill out the form below and we'll get back to you.