Breaking: April 10, 2025 — 14:32 UTC
Brex has released CrabTrap, an HTTP proxy that injects an LLM-powered decision layer into AI agent outbound traffic. The move is being hailed as a necessary security blanket for autonomous financial agents. But after a decade of auditing smart contracts and watching yield farming hacks unfold in real time, 17 reveals the true cost of trust. This isn't a security product — it's a test of how much latency and privacy we're willing to trade for control.
Context: Why Now?
AI agents are no longer a demo. They're processing invoices, executing trades, and even negotiating with vendors — all through open internet calls. But with that autonomy comes an explosion of attack surface: malicious prompt injection, unauthorized API calls, and out-of-bound data exfiltration. Traditional web application firewalls (WAFs) and cloud access security brokers (CASBs) were built for human traffic — they lack the semantic understanding to differentiate a legitimate agent intent from a crafted exploit.
Enter Brex. The fintech giant, known primarily for corporate cards and expense management, has placed a bet that the next frontier of enterprise security is the "agent perimeter." CrabTrap is their answer: a lightweight HTTP proxy that sits between the agent and the internet, applying a dual-layer filter — deterministic rule sets (URL blacklists, domain whitelists) and an LLM judge that evaluates the semantic intent of each request.
Core: The Technical Anatomy of CrabTrap
From the codebase (now public on GitHub), the architecture is straightforward but pragmatic. CrabTrap intercepts every HTTP/S request from the agent, runs it through a priority rule engine first, and if it passes, submits the full request context to a large language model for a 'threat score.' The deterministic layer handles known bad actors — C2 domains, crypto mining pools, data sinks. The LLM layer deals with the unknown: a request to "list all customer receipts" might be legitimate for an expense analyst agent, but malicious if the agent was hijacked.

Here's where the facts get ugly though. The LLM inference time adds at least 200–500ms per request — on top of network latency. For a trading agent that needs to react in sub-second windows, that's a dealbreaker. Worse, to inspect HTTPS traffic at depth, CrabTrap must perform TLS interception (man-in-the-middle decryption). Brex's documentation is conspicuously silent on how decrypted data is handled — no mention of encryption-at-rest for logs, no DPIA guidance, no GDPR compliance wrapper. 20 Yearn surge. Speed without precision is just noise; the precision of data handling is everything.
I've been here before. In 2017, during the Parity multi-sig kerfuffle, I rushed out a warning that saved a few wallets — but I also learned that a tool without auditable safeguards becomes a liability. CrabTrap's core insight is valid: agents need context-aware filtering. But the implementation is rough.

Contrarian Angle: Why This Might Be a Trap for Your Enterprise
Every crypto media outlet is spinning this as "Brex protects agents." The contrarian truth is that CrabTrap is first and foremost a marketing lever for Brex's own financial ecosystem. They want to be the infrastructure that AI-native companies trust — not just for payments, but for security governance. Open-sourcing a half-baked proxy costs them little (the development was internal anyway), but it instantly positions them as thought leaders in the "AI agent security" narrative.
The real risk? Over-reliance on a single point of failure. By routing all agent traffic through a proxy that uses a black-box LLM (likely GPT-4 or a fine-tuned Llama variant), you've introduced a single oracle that can be gamed, misconfigured, or simply be wrong. The BAYC crash wasn't just liquidity — it was the market realizing that collective sentiment overrode technical indicators. Similarly, CrabTrap's LLM judge might overfit on Brex's internal traffic patterns, failing in a different enterprise context.
Furthermore, the open-source license is MIT — which means no SLA, no liability, no guarantee of updates. After 90 days, if Brex shifts priorities, CrabTrap becomes abandoned ware. Contrast this with the approach of, say, Semgrep's Agent rules or Orca's runtime detection — they offer commercial support and continuous model updates. CrabTrap is a snapshot, not a living product.
Takeaway: What to Watch Next
The next 60 days will determine whether CrabTrap becomes a standard or a footnote. Look for three signals: (1) GitHub issue response time — if >48 hours, abandon ship; (2) independent security audit — if none by June, assume the LLM component is unvetted; (3) Brex's follow-up — a managed cloud version with compliance certifications would change the game. Yield farming is a Ponzi until proven otherwise. CrabTrap is a security tool until proven solvent.
I'm not shorting the idea — I'm shorting the execution until I see independent latency benchmarks and a privacy white paper. The market is euphoric about AI agent automation, but euphoria masks technical flaws. My code audit eyes see a proof-of-concept dressed as a product. Trust the pattern, not the press release.