Brex just open-sourced CrabTrap, a security tool for AI agents running in production. It's an HTTP proxy that sits between your agent and the APIs it calls. Every request the agent makes gets intercepted, evaluated against security policies, and either allowed or blocked in real time. The interesting part is how it makes those decisions: a mix of static rule matching and LLM-based judgment. You can see in the logs whether a call was blocked by a hard-coded rule or by the AI making a contextual call.

This came out of a real problem Brex was having. They're running autonomous agents inside their Empower spend management platform, doing things like automated expense auditing and transaction reconciliation. These agents need HTTP access to internal APIs that connect to ledgers, banking partners, and systems like NetSuite. Hard-coded security rules kept blocking legitimate queries because they couldn't understand context. But fully permissive access was too risky when you're dealing with financial data. CrabTrap was their answer: let agents read what they need and do logic checks, but stop them from running destructive commands or changing financial states.
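The layered decision described above, as an added illustration rather than CrabTrap's own code: deterministic rules run first and are final, the judge only sees requests the rules already let through, a failing judge fails closed, and every decision records which layer made it so the log shows rule versus judge. The ledger host name, the read-only policy, and `example_judge` (a stand-in for the LLM step) are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
from urllib.parse import urlparse

# Constructed policy for the example: agents may read from one internal ledger
# host; anything else is settled by the deterministic layer before a judge runs.
ALLOWED_HOSTS = {"ledger.internal.example"}
READ_METHODS = {"GET", "HEAD"}

Judge = Callable[[str, str], Tuple[bool, str]]  # (method, url) -> (allow, reason)


@dataclass
class Decision:
    allowed: bool
    source: str  # "rule" or "judge": which layer decided, so the log can show it
    reason: str


def static_rules(method: str, url: str) -> Optional[Decision]:
    """Deterministic checks. Returns a Decision when a rule applies, else None."""
    host = urlparse(url).hostname or ""
    if host not in ALLOWED_HOSTS:
        return Decision(False, "rule", f"host {host!r} is not on the allow-list")
    if method.upper() not in READ_METHODS:
        return Decision(False, "rule", f"{method} can change state; reads only")
    return None


def evaluate(method: str, url: str, judge: Judge) -> Decision:
    """Rules first and final; the judge only sees requests the rules let through."""
    decision = static_rules(method, url)
    if decision is not None:
        return decision
    try:
        allowed, reason = judge(method, url)
    except Exception as exc:  # an unreachable or broken judge must fail closed
        return Decision(False, "judge", f"judge unavailable: {exc}")
    return Decision(bool(allowed), "judge", reason)


def example_judge(method: str, url: str) -> Tuple[bool, str]:
    """Stand-in for the contextual LLM step: treats bulk exports as out of scope."""
    if "export=all" in urlparse(url).query:
        return False, "bulk export of ledger data is outside this agent's task"
    return True, "read-only query consistent with the agent's task"


def audit_line(method: str, url: str, d: Decision) -> str:
    """One log line per decision, tagged with the layer that produced it."""
    verdict = "ALLOW" if d.allowed else "BLOCK"
    return f"{verdict} [{d.source}] {method} {url} :: {d.reason}"
```

Because `static_rules` returns before the judge is consulted, a confused or manipulated judge can never re-enable a request the deterministic layer has already blocked.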

Not everyone is sold on the approach. Using an LLM as a security layer means your guardrail is probabilistic, not deterministic. Security systems traditionally rely on hard limits. Some critics argue the right direction is adding non-LLM security layers instead of stacking more LLMs on top, which could compound vulnerabilities. It's a legitimate concern. If your security judge can be confused or manipulated, you've added a new attack surface rather than closing one. That said, Brex is running this in production for real financial workflows, which suggests they've found it useful enough despite the trade-offs.