Deep-Dive DD-19 — CrabTrap: The LLM-as-Judge Egress Proxy

Course: Master Course · Deep-Dive: DD-19 · Duration: 60 min · Prerequisites: Modules 0–12, DD-09 (NemoClaw), DD-18 (MetaClaw)

705 stars. Go. MIT. Brex engineering. An HTTP/HTTPS proxy that evaluates every outbound agent request against a natural-language policy using LLM-as-judge. The probabilistic governance bet.


The Subject

CrabTrap (github.com/brexhq/CrabTrap) is a forward HTTP/HTTPS proxy that sits between an AI agent and external APIs. Every outbound request is evaluated against the agent's security policy: static deterministic rules first, then an LLM-as-judge for anything not statically matched. Requests are allowed or blocked (403 + reason).

Built by Brex — a financial services company that runs AI agents with real credentials in production. This is not a research prototype; it's a production-oriented egress governance layer born from a real need: "we can't let an agent that might be prompt-injected call arbitrary endpoints."

The Architectural Debate This Deep-Dive Embodies

CrabTrap and IronCurtain (DD-20) represent the single most important debate in agent security: probabilistic vs. deterministic enforcement.

This is the stochastic-vs-predictable security debate, made concrete. Course 2B (hacking harnesses) will exploit CrabTrap's probabilistic surface directly.

Architecture — The Two-Tier Evaluation Pipeline

CrabTrap is a transparent MITM proxy with TLS termination. It generates a per-host certificate from a custom CA and decrypts requests in cleartext. The agent is configured via HTTP_PROXY/HTTPS_PROXY environment variables.

Evaluation flow (two tiers):

  1. Static deterministic rules (fast path): prefix, exact, and glob URL patterns with optional HTTP method filters. Deny rules always win over allow. If a static rule matches, no LLM call is made — the decision is instant and deterministic.
  2. LLM-as-judge (if no static rule matches): the full request (method, URL, headers, body) is JSON-encoded and sent to the judge alongside the agent's natural-language policy. The judge returns allow/deny with a reason.

Prompt-injection defense at the judge boundary: request payloads are JSON-encoded and policy content is JSON-escaped before being sent to the judge. This prevents the request body from being interpreted as judge instructions. It's a defense, but not a complete one — a sophisticated payload could still attempt semantic manipulation through encoded content.

Circuit breaker: after 5 consecutive LLM failures, a 10-second cooldown triggers. Fallback is configurable: deny (default) or passthrough. This is good production engineering — the system fails safe.

What CrabTrap Intercepts — and What It Doesn't

Intercepts: outbound HTTP/HTTPS requests only. Full request content including headers and body. Authorization and Cookie headers are visible in cleartext (the trust boundary is the proxy itself).

Does NOT intercept:

This is the critical limitation: CrabTrap covers the egress boundary only. For full coverage you need a layered approach — CrabTrap for egress, plus a tool-call interceptor (IronCurtain) for tool governance, plus a sandbox (NemoClaw) for filesystem/runtime isolation.

The Policy Builder and Eval System (Novel Contributions)

Two engineering features make CrabTrap more than a simple proxy:

Policy Builder (Agentic Loop)

An agent analyzes observed traffic patterns and drafts natural-language policies. This is an LLM-powered policy generation tool — it looks at what the agent is calling, infers the legitimate use patterns, and proposes rules. Humans review and approve.

Eval System

Replays historical audit entries against a policy to measure accuracy. You can test "would this policy have blocked the bad request from last week?" before deploying it. This is a regression-testing framework for security policy — rare and valuable.

Built-In Defenses

Score: N/A (Governance Layer, Not Harness)

CrabTrap is scored differently from harness deep-dives — it has no loop, tools, memory, or context management. It's a governance middleware evaluated on its own axes:

Dimension Score Notes
Egress coverage 4/5 Thorough HTTP/HTTPS interception. No response filtering.
Enforcement reliability 3/5 LLM-as-judge is probabilistic. Static rules are deterministic but limited.
Production maturity 4/5 Admin UI, PostgreSQL audit trail, OpenTelemetry, Docker, CI. Built for production.
Policy expressiveness 4/5 Two-tier (static + NL). Policy builder + eval system.
Credential safety 2/5 Sees all credentials in cleartext. No isolation. Trust = proxy.
Scope completeness 2/5 Egress only. No tool calls, filesystem, or response filtering.

Architect's Verdict

CrabTrap optimizes for production egress governance with a pragmatic two-tier model: fast deterministic rules for known patterns, LLM-as-judge for novel requests. The policy builder and eval system are genuinely novel — regression-testing security policy against historical traffic. Its limitation is scope (egress only, no response filtering) and its risk is enforcement reliability (LLM-as-judge is probabilistic). Deploy alongside a tool-call governance layer (IronCurtain) and a sandbox (NemoClaw) for defense-in-depth.

MLSecOps Relevance

CrabTrap's LLM-as-judge is its primary attack surface for Course 2B. A prompt injection in an outbound request body could manipulate the judge into allowing a malicious call. The JSON-encoding defense mitigates naive injections but sophisticated semantic manipulation remains possible. The response-side gap is worse: an injected payload in an API response flows unchecked back to the agent. The eval system is the defense — continuously replaying traffic against policy to catch regressions.

3 things CrabTrap does better

  1. Eval system: replay historical traffic against policy. Regression-testing for security rules. Rare and valuable.
  2. Policy builder: LLM-powered policy generation from observed traffic patterns. Reduces the cold-start problem.
  3. Production engineering: admin UI, PostgreSQL audit trail, circuit breakers, OpenTelemetry, multi-arch Docker. Built for real deployment.

3 things to fix

  1. Response filtering: the biggest gap. Inbound injections from API responses flow unchecked.
  2. Credential isolation: the proxy sees all credentials in cleartext. IronCurtain's fake-key swap is the model.
  3. Deterministic fallback: when the LLM judge fails, provide a more granular fallback than deny-everything — perhaps a static-rule-only mode.

References

  1. CrabTrap source — github.com/brexhq/CrabTrap (Go, MIT, 705 stars).
  2. Brex engineering blog — "Building CrabTrap: an LLM-as-a-judge HTTP proxy to secure agents in production."
  3. Module 6 — permission/approval/safety; egress governance as a safety layer.
  4. Module 11 — security; the probabilistic-vs-deterministic enforcement debate.
  5. DD-09 (NemoClaw) — beneath-agent runtime governance (full stack vs egress-only).
  6. DD-18 (MetaClaw) — same proxy position, opposite purpose (learning vs governance).
  7. DD-20 (IronCurtain) — the deterministic counterpoint to CrabTrap's LLM-as-judge.
  8. Course 2B — CrabTrap's LLM-as-judge is a primary attack target for prompt-injection-based governance bypass.
# Deep-Dive DD-19 — CrabTrap: The LLM-as-Judge Egress Proxy

**Course**: Master Course · **Deep-Dive**: DD-19 · **Duration**: 60 min · **Prerequisites**: Modules 0–12, DD-09 (NemoClaw), DD-18 (MetaClaw)

> *705 stars. Go. MIT. Brex engineering. An HTTP/HTTPS proxy that evaluates every outbound agent request against a natural-language policy using LLM-as-judge. The probabilistic governance bet.*

---

## The Subject

CrabTrap (github.com/brexhq/CrabTrap) is a forward HTTP/HTTPS proxy that sits between an AI agent and external APIs. Every outbound request is evaluated against the agent's security policy: static deterministic rules first, then an LLM-as-judge for anything not statically matched. Requests are allowed or blocked (403 + reason).

Built by Brex — a financial services company that runs AI agents with real credentials in production. This is not a research prototype; it's a production-oriented egress governance layer born from a real need: "we can't let an agent that might be prompt-injected call arbitrary endpoints."

## The Architectural Debate This Deep-Dive Embodies

CrabTrap and IronCurtain (DD-20) represent the single most important debate in agent security: **probabilistic vs. deterministic enforcement.**

- **CrabTrap bets on LLM-as-judge at runtime.** The judge sees the full request + the agent's policy and makes an allow/deny decision. This is flexible — new attack patterns are caught because the LLM understands semantics. But it's probabilistic — a clever prompt injection in the request body could manipulate the judge itself.
- **IronCurtain bets on deterministic enforcement.** LLMs compile the policy at build time into JSON rules. At runtime, zero LLM involvement — decisions are deterministic if/then checks. Predictable, but the compilation step could misinterpret the policy.

This is the stochastic-vs-predictable security debate, made concrete. Course 2B (hacking harnesses) will exploit CrabTrap's probabilistic surface directly.

## Architecture — The Two-Tier Evaluation Pipeline

CrabTrap is a transparent MITM proxy with TLS termination. It generates a per-host certificate from a custom CA and decrypts requests in cleartext. The agent is configured via `HTTP_PROXY`/`HTTPS_PROXY` environment variables.

**Evaluation flow (two tiers):**

1. **Static deterministic rules** (fast path): prefix, exact, and glob URL patterns with optional HTTP method filters. Deny rules always win over allow. If a static rule matches, no LLM call is made — the decision is instant and deterministic.
2. **LLM-as-judge** (if no static rule matches): the full request (method, URL, headers, body) is JSON-encoded and sent to the judge alongside the agent's natural-language policy. The judge returns allow/deny with a reason.

**Prompt-injection defense at the judge boundary**: request payloads are JSON-encoded and policy content is JSON-escaped before being sent to the judge. This prevents the request body from being interpreted as judge instructions. It's a defense, but not a complete one — a sophisticated payload could still attempt semantic manipulation through encoded content.

**Circuit breaker**: after 5 consecutive LLM failures, a 10-second cooldown triggers. Fallback is configurable: deny (default) or passthrough. This is good production engineering — the system fails safe.

## What CrabTrap Intercepts — and What It Doesn't

**Intercepts**: outbound HTTP/HTTPS requests only. Full request content including headers and body. Authorization and Cookie headers are visible in cleartext (the trust boundary is the proxy itself).

**Does NOT intercept**:
- **Response bodies** — no filtering of what comes back from external APIs. A prompt injection in an API response flows unchecked back to the agent.
- **WebSocket frames** — only the upgrade request is checked.
- **Inbound traffic** — not a WAF or firewall.
- **Tool calls or filesystem access** — this is purely network egress.

This is the critical limitation: CrabTrap covers the **egress boundary** only. For full coverage you need a layered approach — CrabTrap for egress, plus a tool-call interceptor (IronCurtain) for tool governance, plus a sandbox (NemoClaw) for filesystem/runtime isolation.

## The Policy Builder and Eval System (Novel Contributions)

Two engineering features make CrabTrap more than a simple proxy:

### Policy Builder (Agentic Loop)
An agent analyzes observed traffic patterns and drafts natural-language policies. This is an LLM-powered policy generation tool — it looks at what the agent is calling, infers the legitimate use patterns, and proposes rules. Humans review and approve.

### Eval System
Replays historical audit entries against a policy to measure accuracy. You can test "would this policy have blocked the bad request from last week?" before deploying it. This is a regression-testing framework for security policy — rare and valuable.

## Built-In Defenses

- **SSRF protection**: blocks RFC 1918, loopback, link-local, CGNAT, IPv6 ULA/NAT64/6to4. DNS-rebinding prevention.
- **Per-IP token-bucket rate limiting**: default 50 req/s, burst 100. Prevents volumetric abuse.
- **Prompt-injection defense at judge boundary**: JSON encoding of payloads.
- **Deny-by-default on judge failure**: circuit breaker fallback.

## Score: N/A (Governance Layer, Not Harness)

CrabTrap is scored differently from harness deep-dives — it has no loop, tools, memory, or context management. It's a **governance middleware** evaluated on its own axes:

| Dimension | Score | Notes |
|---|---|---|
| Egress coverage | 4/5 | Thorough HTTP/HTTPS interception. No response filtering. |
| Enforcement reliability | 3/5 | LLM-as-judge is probabilistic. Static rules are deterministic but limited. |
| Production maturity | 4/5 | Admin UI, PostgreSQL audit trail, OpenTelemetry, Docker, CI. Built for production. |
| Policy expressiveness | 4/5 | Two-tier (static + NL). Policy builder + eval system. |
| Credential safety | 2/5 | Sees all credentials in cleartext. No isolation. Trust = proxy. |
| Scope completeness | 2/5 | Egress only. No tool calls, filesystem, or response filtering. |

### Architect's Verdict
> *CrabTrap optimizes for production egress governance with a pragmatic two-tier model: fast deterministic rules for known patterns, LLM-as-judge for novel requests. The policy builder and eval system are genuinely novel — regression-testing security policy against historical traffic. Its limitation is scope (egress only, no response filtering) and its risk is enforcement reliability (LLM-as-judge is probabilistic). Deploy alongside a tool-call governance layer (IronCurtain) and a sandbox (NemoClaw) for defense-in-depth.*

### MLSecOps Relevance
> *CrabTrap's LLM-as-judge is its primary attack surface for Course 2B. A prompt injection in an outbound request body could manipulate the judge into allowing a malicious call. The JSON-encoding defense mitigates naive injections but sophisticated semantic manipulation remains possible. The response-side gap is worse: an injected payload in an API response flows unchecked back to the agent. The eval system is the defense — continuously replaying traffic against policy to catch regressions.*

### 3 things CrabTrap does better
1. **Eval system**: replay historical traffic against policy. Regression-testing for security rules. Rare and valuable.
2. **Policy builder**: LLM-powered policy generation from observed traffic patterns. Reduces the cold-start problem.
3. **Production engineering**: admin UI, PostgreSQL audit trail, circuit breakers, OpenTelemetry, multi-arch Docker. Built for real deployment.

### 3 things to fix
1. **Response filtering**: the biggest gap. Inbound injections from API responses flow unchecked.
2. **Credential isolation**: the proxy sees all credentials in cleartext. IronCurtain's fake-key swap is the model.
3. **Deterministic fallback**: when the LLM judge fails, provide a more granular fallback than deny-everything — perhaps a static-rule-only mode.

---

## References
1. **CrabTrap source** — github.com/brexhq/CrabTrap (Go, MIT, 705 stars).
2. **Brex engineering blog** — "Building CrabTrap: an LLM-as-a-judge HTTP proxy to secure agents in production."
3. **Module 6** — permission/approval/safety; egress governance as a safety layer.
4. **Module 11** — security; the probabilistic-vs-deterministic enforcement debate.
5. **DD-09 (NemoClaw)** — beneath-agent runtime governance (full stack vs egress-only).
6. **DD-18 (MetaClaw)** — same proxy position, opposite purpose (learning vs governance).
7. **DD-20 (IronCurtain)** — the deterministic counterpoint to CrabTrap's LLM-as-judge.
8. **Course 2B** — CrabTrap's LLM-as-judge is a primary attack target for prompt-injection-based governance bypass.