Every tool call, every delegation, every agent-to-agent interaction. Inspected, governed, and enforced. In real time. Before the damage is done.
Pattern matching catches known attacks. But novel ones, social engineering disguised as a database query, slow data exfiltration that looks like normal usage, are harder.
Clampd combines deterministic rules with semantic analysis and behavioural intelligence. Known threats blocked in real time. Unknown threats caught by what the agent does differently, not by what the payload looks like.
263 built-in rules across 12 categories: SQL, shell, network, payments, comms, SCM, browser, cloud, fs, llm, auth, agent. SQL injection, command injection, SSRF, prompt injection, PII patterns, schema injection, encoding evasion, reverse shells.
L0 funnel filters 90%+ of clean traffic without scanning all rules. L1 regex matches known patterns. L2 dictionary catches keywords. L3 signals score compound payloads. L4 normalisation decodes base64, URL-encoding, and other obfuscation before rules fire.
Every agent builds a profile over time. New tools, unusual hours, unexpected data volumes, different output patterns are flagged even when no rule fires. EMA-based scoring with configurable thresholds; auto-suspend at 0.9 by default.
Gray-zone requests scoring between two configurable thresholds (0.2 and 0.75 by default) escalate to an LLM-as-judge for a semantic second opinion. Off by default, fail-open if the model is unreachable. When it fires, expect upstream LLM API latency to dominate (200-400ms).
A traditional firewall sees a perfectly valid, authenticated JSON request. Clampd sees the behavioural shift that follows.
When Agent A delegates to Agent B, and B delegates to C, who verifies the chain? Who checks that B didn't change its capabilities after approval? Who notices when C behaves differently after talking to a compromised agent?
Clampd tracks every delegation, hash-validates every handoff, and detects when behaviour shifts after inter-agent contact. Maximum delegation depth, cycle detection, and rug-pull verification are built in.
Detection without response is just logging. Clampd's kill switch propagates across the fleet via NATS broadcast in real time. Compromised agents are isolated, contacts flagged, blast radius contained.
Native TOML rule packs ship with Clampd. PortableRule JSON for tool-author distribution. Sigma YAML adapter available behind a build flag. Custom keyword dictionaries and Cedar policies (AWS's open-source authorisation language) are first-class.
Scope-based least-privilege per agent. Delegation approval workflows with tool-level restrictions. Every decision logged, every action auditable, every policy version-controlled. Regulation tags live on individual rules in the TOML source.
Every approved tool call is bound to a short-lived Ed25519-signed token carrying the exact (category, subcategory, operation) it was approved for. Tools verify via JWKS. The agent never sees raw downstream credentials.
Clampd intercepts agent payment flows at the protocol layer. Google AP2 mandates (Cart and Intent) are validated for structure, TTL, budget limits, and approved-payee allowlist before any payment executes. x402 HTTP 402 responses are caught before the agent's wallet sends stablecoin, with per-transaction limits and hourly spend caps enforced server-side.
Default-deny on payments. Per-agent spend limits. Approved vendor lists. Every payment decision audited with full mandate details.
clampd.openai(client, agent_id="my-agent")
clampd.anthropic(client, agent_id="my-agent")
Python and TypeScript SDKs. Drop-in adapters for OpenAI, Anthropic, LangChain, CrewAI, Google ADK, and any MCP server. No configuration required. Protection activates immediately.