AI/TLDR

Brex · 2026-04-17 · notable

CrabTrap — LLM-as-Judge HTTP Proxy to Secure AI Agents in Production

Brex open-sources CrabTrap, a Go+TypeScript HTTP/HTTPS proxy that intercepts all outbound AI agent requests and evaluates them against natural-language security policies using an LLM-as-judge. Static rules execute in microseconds; the LLM judge activates on <3% of requests. 110 HN points, 204 GitHub stars.

brexhq/CrabTrap GitHub repository — LLM-as-judge HTTP proxy for securing AI agent outbound requests

CrabTrap sits between your AI agent and the internet, vetting every outbound request against natural-language security policies before they leave.

Key specs

GitHub stars204
LanguageGo + TypeScript
Llm judge activation<3% of requests
Static rule latencymicroseconds

What is it?

CrabTrap is an open-source HTTP/HTTPS proxy from Brex Engineering that intercepts all outbound requests made by AI agents. Every request passes through a two-tier policy engine: first a fast static rules layer (URL patterns, HTTP methods, path prefixes), then an LLM-as-judge layer that evaluates the full request context against natural-language policies. The proxy adds SSRF protection for private network access, a PostgreSQL audit log, a web UI for managing policies and reviewing decision history, and an automatic policy builder that learns from observed traffic patterns.

How does it work?

Agents route all HTTP(S) traffic through CrabTrap by setting proxy environment variables. Static rules execute in microseconds via cached regex patterns — the first check, covering the common case. When no static rule matches, the LLM judge receives the full request body, headers (capped at 4KB to avoid context flooding), and the relevant policy as structured JSON — encoding as JSON prevents prompt injection through adversarial request content. In Brex's deployment the LLM judge activated on fewer than 3% of requests, making added latency negligible. All decisions are logged to PostgreSQL with a flag indicating whether the static rules or the LLM judge made the call.

Why does it matter?

AI agents calling external APIs are an expanding attack surface: SSRF, data exfiltration, and adversarially-crafted tool calls are real production risks. Hard-coded allowlists are brittle; CrabTrap's natural-language policies can express intent ('never send customer data outside company domains') without exhaustively enumerating every legitimate URL. The design pairs probabilistic LLM judgment with deterministic rules as a first-line defense and full audit logging for post-hoc review.

Who is it for?

Teams running AI agents in production who need enforceable security guardrails on external API calls.

Try it

git clone https://github.com/brexhq/CrabTrap  # Docker Compose quickstart in <2 min

Sources · 2 outlets

Tags

  • security
  • agents
  • proxy
  • llm-as-judge
  • open-source
  • go
  • ssrf-protection
  • audit-log
  • agent-security
  • production
  • brex

← All releases · Learn AI