The RSAC cybersecurity conference is this week and for the last two years, the conversation at the event has revolved around generative artificial intelligence — that is, models we talk to, and they talked back and act as a copilot.
At RSAC 2026, there has been a definite change in topic as the world has been shifting from conversational AI to agentic AI. The world is moving from AI that answers questions to AI that takes actions — software that can browse the web, execute code, manage your calendar and interface with corporate databases.
The poster child for this movement is OpenClaw, the open-source agent framework that has taken the developer world by storm. But as Jeetu Patel, Cisco Systems Inc.‘s chief product officer, noted during his RSAC keynote, “in the enterprise, power without governance isn’t innovation; it’s unmanaged risk.”
To bridge this gap, Cisco Monday unveiled DefenseClaw, an open-source security framework designed to wrap these “Claws” in a layer of enterprise-grade protection. For anyone following the “agentic” trend, this product announcement should allow companies to create the necessary security friction that actually allows speed. That might seem counterintuitive, but I’ll explain.
What exactly are ‘Claws’?
Before discussing securing Claws, one must understand what they are. In the current AI vernacular, a “Claw,” referring to agents built on frameworks such as OpenClaw or Nvidia Corp.’s NemoClaw) is an autonomous AI agent capable of reasoning and using tools. Unlike a standard large language model, which is a closed loop, a Claw uses the Model Context Protocol or MCP to reach out into the world.
Think of a Claw as a digital co-worker. You don’t just ask it to “summarize this email;” you tell it to “summarize this email, find the mentioned project in Jira, update the status to ‘in progress,’ and Slack the team the update.” To do this, the agent uses “Skills” — modular plugins that give it specific capabilities, such as running shell commands or accessing a specific application programming interface. Once the Claw learns this behavior, it will do this without being asked and continue to refine its skills, theoretically providing more value.
The nightmare scenario: Why agents are different
The very thing that makes Claws powerful makes them a security professional’s worst nightmare. Traditional security is built on the idea of a human user making a request. Agents break that model from the following:
- The Skills supply chain: Much like the early days of browser extensions, “Skills” are often community-contributed. A skill that claims to “Format your Excel sheets” might secretly contain a curl command that exfiltrates your local credentials to a rogue server.
- Prompt injection 2.0: In a chatbot, prompt injection might make the AI say something rude. In an agent, a “malicious” email read by the agent could contain instructions that force the agent to delete files or change database permissions.
- Self-evolving risks: Agents are dynamic meaning their behavior changes based on the data they consume. For Claws, this could result in a skill that was clean today but then evolves to start exfiltrating data later. Unless every transaction is watched, the user would have no knowledge of this.
Enter DefenseClaw: The governance layer
DefenseClaw shouldn’t be thought of as an inhibitor to OpenClaw but rather its bodyguard. Built to integrate with Nvidia OpenShell, DefenseClaw acts as an automated security and inventory framework that can be deployed in under five minutes.
It functions through four primary technical pillars:
1. The pre-flight scan (admission control)
Before a “Skill” or an MCP server is allowed to run, DefenseClaw puts it through a gauntlet of scanners. This includes:
- Skill Scanner: Analyzing the underlying code for malicious intent or hidden network calls.
- CodeGuard: Static analysis of any code the agent itself generates to ensure it hasn’t “hallucinated” a security vulnerability into a script it’s about to run.
- AI BOM (Bill of Materials): Automatically generating a manifest of every model, tool and plugin the agent touches.
2. Strict runtime sandboxing
In partnership with Nvidia, DefenseClaw leverages OpenShell to create a “deny-by-default” environment. If an agent tries to call an API that isn’t on the approved list, the network request is killed at the kernel level. The agent lives in a box; DefenseClaw decides what is allowed to enter or leave that box.
3. Intent-aware monitoring
This is where the Cisco network and observability DNA adds value. DefenseClaw doesn’t just look at code; it looks at telemetry. It streams every tool call, every prompt-response pair and every policy decision directly into Splunk. By analyzing the intent of a sequence of actions, the system can detect “abnormal behavior” — such as an agent suddenly trying to access sensitive financial data it has never touched before.
4. Agentic identity (Duo and zero trust)
Cisco is extending Duo to the agentic world. Every Claw is assigned a unique identity and mapped to a human “sponsor.” This ensures that if an agent goes rogue, there is a clear audit trail showing who deployed it and what permissions it was granted.
The goal: Moving from pilot to production
As part of it RSAC activities, Cisco released its Cyber Threat Trends Report, which found that 85% of enterprises are testing AI agents, but only 5% have moved them into production, highlighting the primary bottleneck to adoption is a very wide trust gap.
DefenseClaw aims to close that gap by making Claw security provable instead of probable. It transforms the agent from a “black box” into a governed corporate asset. By open-sourcing the framework, Cisco is betting that a standardized security layer will do for AI agents what SSL/TLS did for the web: Make it safe enough for everyone to use.
Final thoughts
Many industry watchers look at the agentic AI eras the Wild West, with new frontiers being discovered seemingly daily. Though this drives innovation and productivity to unprecedented levels, it also takes risks to equally high levels. By providing a framework that automates the “boring” parts of security, like inventory, scanning and sandboxing, Cisco is positioning itself as a network centric guardian on the road to the agentic workforce.
Claws are coming and they’re coming fast. Security needs to be in place before threats against them overwhelm information technology and cyber teams.
