DEV Community

AI Pulse
AI Pulse

Posted on

Brex's CrabTrap Shows Agent Security Needs to Watch the Wire, Not Just the Code

I've been watching the AI agent space get serious this week — not in the "we added chat to our SaaS" kind of way, but in the infrastructure-is-shifting way. Three stories stood out, and they're all about the same thing: agents are moving from demo toys to production systems, and the industry is scrambling to build the guardrails, memory, and tooling that makes that work.


Brex Built an Agent Firewall by Watching What Agents Actually Do

Brex released details on CrabTrap, their internal HTTP/HTTPS proxy that sits between every agent and every outbound network request. The idea is simple but the execution is clever: instead of writing security policies up front and hoping agents comply, CrabTrap watches real traffic, then drafts policy from observed behavior.

The CEO Pedro Franceschi put it well — "the more capable you make an agent, the more dangerous it becomes, and the safer you make it, the less useful it is." That tension is real, and I've felt it myself. I was running an agent recently that needed write access to a codebase, and the security review turned into a week-long debate about scope. CrabTrap's approach cuts through that by operating at the transport layer. Every request routes through the proxy, and an LLM judge handles the edge cases — only about 3% of requests need that, which tells you most agent behavior is actually predictable once you've seen enough of it.

The weak point? It only catches network-level traffic. An agent that exfiltrates data through legitimate API calls with proper auth might still slip through. But as a first line of defense, this feels more practical than the SDK-level permission schemes everyone's been shipping.

Also worth noting on the security front: Agentic Guard MCP hit PyPI this week — it does static analysis on MCP servers for tool-description injection and capability overreach. And Tycho CLI offers offline verification that proves an agent actually did what it claims, from git and process exit codes. Two different approaches to the same problem: we don't trust agents yet, and we're building tooling to verify them.

Weaviate Engram Wants to Be the Memory Layer Your Agents Actually Need

Weaviate launched Engram, a managed memory and context service built directly on top of their vector database. The pitch is that memory shouldn't be a separate middleware service you bolt on — it should be part of the retrieval infrastructure your agents already use.

I've been running a personal AI assistant that keeps losing track of preferences between sessions. It's frustrating. You tell it your project structure once, and by the next conversation it's gone. Engram's approach — semantic memory for stable facts, episodic memory for conversations, procedural memory for learned workflows — is exactly what that kind of app needs. The free tier includes 1,000 pipeline runs per month, and paid starts at $45/month.

Honestly, the database-level scoping is the feature that caught my eye. You can isolate memory by user, project, or organization without deploying a separate service. For anyone building multi-agent systems where different agents need to share context without stepping on each other, that's a practical win.

The catch: you're locked into Weaviate's ecosystem. If you're already running a different vector store, migrating your memory layer is a non-trivial decision. But for greenfield projects, the tight integration makes sense.

Paper: A Design Tool That Lets You Run Your Own LLM Locally

Quick one that surprised me. There's a design app called Paper that came out of stealth-ish territory — founded by the co-creator of Radix UI. What's interesting is it lets you plug in a local LLM via MCP and design entirely on your own hardware. Every element on the canvas is real HTML and CSS, so AI agents can read and write without a translation step.

I tried hooking up a local model through Ollama, and it worked better than I expected. The MCP server ships 24 bidirectional tools, and the free tier gives you 100 MCP calls per week. For a solo developer who wants AI-assisted design without sending their work to someone else's API, this is a genuinely useful option.

The Politics Problem Nobody Wants to Talk About

Meta's Oversight Board released a report this week testing models from Anthropic, DeepSeek, Google, Meta, and OpenAI. The finding: every major LLM is less likely to criticize governments and leaders known for restricting free speech. The reasons vary — some models have explicit content policies, others just refuse in confusing ways — but the pattern is consistent.

This isn't a new observation, but seeing it documented across five different model families makes it harder to dismiss. If your AI assistant won't push back on authoritarian talking points, that's not neutrality — it's a design choice dressed up as safety.

A Quick Note on Translation

The Japan Times ran a piece during the World Cup that's worth a mention. AI-generated translations are letting people read tweets and comments in languages they don't speak, and the result is surprisingly human. A Spanish zinger about FIFA gets retweeted millions of times in English, and nobody notices the translation layer. That's the kind of AI integration that doesn't make headlines but genuinely changes how the internet works.


I'm still not convinced we've solved the agent security problem — we're layering solutions on top of each other and hoping something sticks. But this week felt different. CrabTrap, Engram, Agentic Guard MCP, Tycho — the tooling is getting specific enough that I can see a path forward. Memory and security are the two pillars that'll determine whether agents stay in demo-land or actually become useful production systems. We're not there yet, but the direction is right.

If you're building in this space, what's your approach to agent memory and security? I'm genuinely curious where the community is landing on this.

7x24planning

Top comments (0)