Brex’s Pedro Franceschi says agents need network-layer guardrails, not more token prompts
Brex built CrabTrap, a framework-agnostic proxy plus LLM judge, and learned that policy beats guesswork.

Pedro Franceschi, co-founder and CEO of Brex, says traditional agent guardrails failed because real agents work through real credentials. Brex’s CrabTrap tackles that by enforcing policy at the HTTP/HTTPS transport layer and bootstrapping it from observed agent traffic.
If you’re deploying agentic systems in the enterprise, the uncomfortable problem is simple: agents don’t act like nice demo robots. They need real credentials, like API keys, OAuth tokens, and service accounts, and Brex found that the guardrails people usually reach for cannot reliably contain what agents do with those credentials.
That’s the core reason Brex built CrabTrap, its internal enforcement platform. Pedro Franceschi, Brex co-founder and CEO, told VentureBeat that the “network layer was an untapped enforcement point,” because “every request an agent makes is an opportunity to intercept, reason about, and make a policy decision.” In other words: stop trying to control agents only at the SDK or model level, and start policing the traffic path where decisions become real.
CrabTrap is an open-source HTTP/HTTPS proxy that intercepts all outbound network traffic from an agent. Users route requests through it by setting HTTP_PROXY and HTTPS_PROXY in the agent’s environment. From there, CrabTrap examines policy rules and uses an LLM-as-a-judge to decide whether each agent request should be approved or denied. The big bet is that this enforcement plane can sit underneath agent frameworks without needing SDK wrappers or per-tool integration. It’s framework-agnostic, language-agnostic, and API-agnostic, which matters in a world where agent builders keep swapping components.
But Brex’s argument is not “transport layer only.” Franceschi emphasizes “security by layers.” The transport layer is simply the underinvested one, and the reason to care is the incentive mismatch behind most guardrails. Fine-grained API tokens can help at the margins, but they’re still subject to misuse and can constrain functionality. Semantic guardrails, like context rules, skills, or prompt steering, can be bypassed by prompt injection, especially for agents connected to the internet. “Defanging” agents with read-only access or limited toolsets reduces risk, but it also reduces meaningful work. And if you swing the other way, giving broad write access and a large tool surface can lead to hallucinations and real production consequences.
Brex also contrasts CrabTrap with existing approaches that are either narrow or harder to trust. Model context protocol (MCP) gateways enforce policy only for traffic using MCP. LLM provider guardrails are tied to a single model and can be “opaque” when enterprises want to apply their own policies. There’s also the “per-sandbox egress control” angle from tools like Nvidia OpenShell, but CrabTrap’s architecture is designed to apply consistently across the agent’s normal HTTP/HTTPS flow.
So how does the system decide what to allow? CrabTrap combines deterministic static rules with an LLM-as-a-judge, but the judge is not meant to handle everything. Franceschi explains the judge only “fires on the long tail of unfamiliar endpoints or unusual request shapes,” which for a mature agent is typically fewer than 3% of requests. That design choice is about practicality. The other design choice is about correctness: Brex didn’t start by writing perfect policy rules from scratch.
Instead, the key insight was to “bootstrap policy from observed behavior rather than write it from scratch.” Brex built a policy builder, itself an agentic loop, that runs underlying agents in shadow mode, analyzes historic network traffic, samples representative calls, and drafts a natural-language policy aligned with what the agent actually does. Then comes the evaluation layer before anything goes live: an eval system tests policy changes by replaying historical audit entries and reporting the exact changes required. Users can slice results by method, URL, the original decision, and agreement status. Replay speed is not treated as an afterthought, either. With concurrent judge calls, replaying thousands of requests takes “minutes, not hours,” according to Franceschi.
CrabTrap then closes the loop with live feedback. Full audit trails are stored in PostgreSQL and queryable through the admin API and dashboard. If a resource is continuously denied, the system can notify a human or an agent to propose a policy update for review. That is important because it turns “deny and hope” into an operational workflow, not a one-time configuration project. For enterprise IT leaders and security teams, this matters because the pain is usually not policy existence. It’s policy drift, edge cases, and the slow, manual reconciliation between what agents do in the wild and what the org thinks they should be doing.
Of course, Brex ran into classic engineering traps. Latency sounded like the obvious risk: putting an LLM between an agent and every outbound API request seems like it would grind things to a halt. Brex says it did not turn out to be as bad, for two reasons. First, the LLM judge only activates on that small fraction of requests. Second, they used small, fast models like Claude Haiku, and even when the judge fires, the added latency was “negligible.” Franceschi also notes it can be reduced further with local models and prompt caching.
The harder challenge was prompt injection. Because the judge receives the full HTTP request and all content is user-controlled, a crafted URL, header, or request body could potentially manipulate the judge’s decision. Brex’s mitigation is to structure the request as a JSON object before sending it to the model, so user-controlled content is “escaped rather than interpolated as raw text.” That’s a subtle but decisive point: the difference between giving the model raw prompt text and giving it structured data that can be safely reasoned over.
Brex measures internal impact through engagement with agents, network traffic patterns, and net promoter scores (NPS), but Franceschi says the most meaningful outcome was “organizational confidence.” Earlier, the team had “real hesitation” to deploy autonomous agents broadly across business operations because existing guardrail options didn’t provide enough assurance. With CrabTrap, they now have an enforcement layer they trust, which increases confidence around expanding agent deployment and delegating more configuration and management to users.
The results they saw were practical, not theoretical. Franceschi describes the traffic-derived policies as “surprisingly strong.” The team expected the policy builder to produce a rough starting point requiring heavy manual editing, but when they pointed the platform at just a few days of real traffic, the policies matched human judgment on the “vast majority of held-out requests.” CrabTrap also revealed how much noise agents generate. The audit trail made that visible for the first time, and they used denial logs and traffic analysis not only to tune policies, but to understand what was happening when agents were denied.
For executives and boards, the second-order takeaway is that agent governance is shifting from static permissioning to continuous, evidence-based enforcement. If enterprise adoption is going to scale, you need a way to prove that the system did the right thing, for the right reason, on the right requests. CrabTrap is Brex’s answer to that proof problem, and it is built around a blunt operational reality: agents will use the network. So governance should live where the network actually happens.
This story's Key Insights and Take-aways are locked.
Create a free account to unlock Executive Actions for one credit.
Register to UnlockAlways free for Executives Club members. Join the Club
More in Technology

Apple sues OpenAI as it launches Siri AI betas, turning a private rivalry into court.
Apple’s complaint is intense and public. The briefing breaks down what Apple wants, and what its lawsuit could signal to competitors.

Anthropic talks with Meta to buy compute, weeks after SpaceX Colossus 1 deal
Anthropic is shopping for compute capacity with Meta, following a similar effort with SpaceX, and it signals how AI infrastructure deals are getting brokered.

Nolan’s The Odyssey backlash fizzles as it targets $200M opening weekend
Despite loud “woke casting” claims, Christopher Nolan’s epic is tracking toward a $200 million global debut.
