The short version
Pipelock is a network proxy. It scans HTTP, MCP, and WebSocket traffic for credential leaks, injection, SSRF, and tool poisoning. Works with agents whose traffic is routed through it. Single binary.
DefenseClaw is Cisco’s open-source governance sidecar for OpenClaw agents. Three components: a Python CLI for scanning and management, a Go gateway with a guardrail proxy and policy enforcement, and a TypeScript plugin that hooks into OpenClaw’s tool call lifecycle.
Different architectures, different enforcement points. Pipelock sits in the network path. DefenseClaw hooks into the application framework.
Feature comparison
| Feature | Pipelock | DefenseClaw |
|---|---|---|
| Architecture | Network proxy (transport-agnostic) | Application sidecar (OpenClaw framework) |
| Language | Go (18MB binary) | Python + Go + TypeScript (3 components) |
| Agent support | Agents routed through proxy (any framework) | OpenClaw |
| HTTP proxy | Yes (fetch + forward + CONNECT + WebSocket) | LLM guardrail reverse proxy |
| MCP scanning | Runtime bidirectional (stdio + HTTP) | Static analysis + tool call inspection via plugin |
| DLP patterns | 48 built-in, encoding-aware, env leak detection | Multiple pattern sets across file and runtime scanners |
| Injection detection | 25 patterns, 6-pass normalization | Guardrail proxy + file scanner (different approaches per layer) |
| SSRF protection | DNS rebinding, private IP, metadata blocking | Pattern matching in tool arguments |
| Tool poisoning detection | Yes (fingerprint + Unicode normalization) | Yes (ClawShield file scanner) |
| Policy engine | YAML config, hot reload | OPA Rego + YAML, hot reload |
| TUI dashboard | No (Prometheus metrics endpoint) | Yes (bubbletea terminal UI) |
| SIEM integration | Syslog + webhook + Prometheus | Splunk HEC + OTLP + SQLite |
| Kill switch | Yes (4 independent sources) | Not documented |
| Flight recorder | Yes (hash-chained, tamper-evident) | Not documented |
| Code analysis | No | Yes (CodeGuard scans agent-written code) |
| PII detection | DLP patterns cover common PII | Dedicated PII rules with Luhn validation |
| Sandbox | Landlock + seccomp + netns (built-in) | OpenShell integration (NVIDIA) |
| License | Apache 2.0 | Apache 2.0 |
Where DefenseClaw is better
OPA policy engine. DefenseClaw uses Open Policy Agent with Rego for policy decisions across 6 domains: admission control, guardrail behavior, firewall rules, sandbox configuration, audit policy, and skill actions. Pipelock uses YAML-based configuration. If you need complex conditional policy logic, OPA is more expressive.
TUI dashboard. DefenseClaw ships a terminal UI for real-time monitoring of tool calls, guardrail verdicts, and agent activity. Pipelock exposes Prometheus metrics and a JSON stats endpoint but has no built-in visual dashboard.
CodeGuard. DefenseClaw scans agent-written code for hardcoded credentials, dangerous execution patterns, outbound networking, and path traversal. Pipelock doesn’t analyze generated code.
SIEM integration. DefenseClaw has Splunk HEC integration with batched export, OTLP for metrics/traces/logs, and SQLite for local querying. Pipelock has syslog, webhooks, and Prometheus. DefenseClaw’s OTEL telemetry is more detailed.
Tool call governance. DefenseClaw hooks directly into OpenClaw’s tool call lifecycle via the `before_tool_call` event. It can approve, deny, or modify tool calls at the framework level, with context about which agent is calling which tool. Pipelock scans MCP tool traffic at the protocol level without framework-specific context.
PII detection. DefenseClaw has dedicated PII scanning rules with Luhn validation for credit cards and context-gated patterns. Pipelock’s DLP patterns cover some PII formats but without the same dedicated PII focus.
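As an added illustration (not DefenseClaw's rule set), here is a card-number detector that combines a digit-run pattern with Luhn validation and a nearby-context gate. The regexes, context words and function names are assumptions, and the sample inputs use the well-known 4111... test number.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RUN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Constructed context words (assumption); a real rule set would be tuned.
CONTEXT = re.compile(r"\b(card|visa|mastercard|amex|cvv|expir\w*|pan)\b", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_cards(text: str, window: int = 40) -> list:
    """Return masked card numbers that pass Luhn AND have payment context nearby."""
    hits = []
    for m in CARD_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue  # random digit runs fail the checksum about 90% of the time
        near = text[max(0, m.start() - window): m.end() + window]
        if not CONTEXT.search(near):
            continue  # Luhn-valid but no payment context, e.g. an order ID
        # Mask before reporting so the finding does not re-leak the number.
        hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits
```
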
Where Pipelock is better
Network-layer coverage. Pipelock operates as a forward proxy, scanning HTTP, HTTPS (via CONNECT), and WebSocket traffic in addition to MCP. DefenseClaw’s guardrail proxy covers LLM API calls and its plugin covers OpenClaw tool calls, but agent HTTP requests outside those paths are not inspected at the network layer.
Injection normalization depth. Pipelock runs 6 normalization passes on scanned content: NFKC Unicode normalization, leetspeak decoding, vowel folding, optional-whitespace variants, and base64/hex decode with recursive re-scanning. This catches obfuscated injection that basic pattern matching may miss.
DLP with encoding awareness. Pipelock’s 48 built-in credential patterns include automatic base64, hex, and URL decoding on every outbound request. It also detects environment variable leaks and uses entropy analysis. Pipelock scans URLs, headers, request bodies, and MCP tool arguments through the same pipeline.
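The sketch below is an added example, not Pipelock's code. It shows why normalizing and decoding before pattern matching matters, for both the injection passes and the encoding-aware DLP described above. The two patterns, the leetspeak table and the `views`/`scan` names are assumptions made for illustration; vowel folding and entropy analysis are left out, and the key is AWS's documentation example.

```python
import base64, binascii, re, unicodedata
from urllib.parse import unquote

# Constructed patterns for illustration; not Pipelock's pattern set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "injection_phrase": re.compile(r"ignore\s*(?:all\s*)?previous\s*instructions", re.I),
}
LEET = str.maketrans("013457@$", "oieastas")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}){8,}")
DECODED = {"url", "base64", "hex"}

def views(text):
    """Yield (label, variant): normalized forms of text plus decoded substrings."""
    nfkc = unicodedata.normalize("NFKC", text)
    yield "nfkc", nfkc
    yield "leet", nfkc.translate(LEET)
    if unquote(nfkc) != nfkc:
        yield "url", unquote(nfkc)
    for m in B64_RUN.finditer(nfkc):
        try:
            yield "base64", base64.b64decode(m.group(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            pass  # not valid base64, or not text once decoded
    for m in HEX_RUN.finditer(nfkc):
        try:
            yield "hex", bytes.fromhex(m.group()).decode("utf-8")
        except UnicodeDecodeError:
            pass  # hex that does not decode to text

def scan(text, max_decodes=3, path=()):
    """Return {(pattern_name, layer_path)} for matches in text or any decoded layer."""
    findings = set()
    for label, variant in views(text):
        here = path + (label,)
        if label in DECODED:
            # Re-scan decoded content; the budget bounds nesting depth.
            if max_decodes > 0:
                findings |= scan(variant, max_decodes - 1, here)
            continue
        for name, rx in PATTERNS.items():
            if rx.search(variant):
                findings.add((name, "/".join(here)))
    return findings
```

The layer path in each finding (for example `base64/hex/nfkc`) records which decodes exposed the match, which is useful when triaging an alert.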
Agent compatibility. Pipelock works with agents whose traffic is routed through it: set `HTTPS_PROXY` or wrap MCP servers with `pipelock mcp proxy`. This works across frameworks. DefenseClaw connects via OpenClaw’s WebSocket v3 protocol and plugin system, so it’s purpose-built for that framework.
MCP bidirectional scanning. Pipelock scans MCP traffic in real time in both directions: tool descriptions for poisoning, arguments for credentials, responses for injection, fingerprint changes for rug-pulls, and call sequences for suspicious chains.
Architecture difference
DefenseClaw is three components working together:
OpenClaw Agent → [Plugin hooks tool calls] → DefenseClaw Gateway → [OPA policy + inspection rules]
↗
LLM API calls → [Guardrail reverse proxy] → OpenAI-compatible API
Pipelock is one component in the network path:
Agent → Pipelock → Internet (HTTP/HTTPS/WebSocket)
Agent → Pipelock → MCP Servers (stdio/HTTP)
DefenseClaw sees tool calls and LLM conversations with framework context. Pipelock sees network traffic without framework context. They’re looking at different things from different positions.
Cisco AI Defense (the commercial product)
DefenseClaw is the open-source local component. The commercial Cisco AI Defense service adds cloud-based ML scanning, MCP Catalog, AI BOM, and SASE integration. In “remote” scanner mode, DefenseClaw can use Cisco’s cloud API for additional detection capability beyond the local scanner.
When to use each
Start with Pipelock if you need both containment and content scanning. It enforces across HTTP, WebSocket, and MCP traffic with containment, DLP, injection detection, SSRF protection, and tool policy, regardless of which agent framework you use.
Use DefenseClaw if: You’re standardized on OpenClaw and specifically want OPA policy, a TUI dashboard, Splunk/OTLP integration, or CodeGuard for agent-written code. DefenseClaw is strongest as OpenClaw governance rather than general network-path enforcement.
Use both if: OpenClaw is your framework and you want DefenseClaw’s governance on top of Pipelock’s network-path scanning.
Third-party feature descriptions are based on public materials reviewed in April 2026. Features and capabilities may change. Check each project’s current documentation for the latest.
Further reading
- What is an agent firewall?: full definition and evaluation checklist
- Agent Firewall vs Guardrails: why firewalls and governance tools complement each other
- Pipelock vs NemoClaw: another comparison in the NVIDIA/Cisco ecosystem
- MCP Security: MCP threats and how proxy-level scanning addresses them
- DefenseClaw on GitHub
- Pipelock on GitHub