Security
Defense in depth across host, agents, network, and outbound boundary. Plus what to do when the agent does something it shouldn’t.
Recipes in this chapter
Agent Incident Runbook
When an agent breaks something, stop the bleeding first, preserve evidence second, and only then fix the root cause.
Updated 2026-05-11
Agent Security Hardening
How to treat your AI agent as an untrusted actor and build guardrails that actually work. Includes a real post-mortem from when a sub-agent nuked a production database.
Updated 2026-06-05
Secret Management
Secrets belong in narrow local stores with boring permissions, not in prompts, repos, screenshots, or memory.
Updated 2026-05-11
Security Hardening: Linux Host for OpenClaw
Practical hardening runbook for an Ubuntu 24.04 machine running OpenClaw as an always-on AI agent. This covers firewall configuration, SSH lockdown, fail2ban, and service binding to reduce attack…
Updated 2026-04-19
Security Hardening: Windows + WSL2 Host for OpenClaw
Practical hardening runbook for a Windows machine running OpenClaw inside WSL2. Covers Windows Firewall, RDP/SSH/SMB lockdown, port proxy hygiene, WSL-specific gotchas, and defense-in-depth for a…
Updated 2026-04-19
Wazuh Triage: RCA, Fix, Narrow Suppress, One Pass
When a Wazuh alert fires, find the root cause first, fix the underlying problem, and only then write the narrowest possible suppression. Do all three in one pass so the alert channel stays…
Updated 2026-06-04