Thought Leadership

Why We Open-Sourced Our Security Model

Most AI platforms ask you to trust them on security. We open-sourced ours. Here's why transparency matters when your AI has access to everything.

Bradley Taylor

Your AI agent has more access than most employees

Think about what your AI assistant connects to. Slack messages across every channel. GitHub repositories with proprietary code. Jira tickets containing customer escalations. CRM records with revenue data. API keys that grant write access to production systems.

Do you know how those credentials are stored? Can your security team audit the session management code before your company deploys it? If your AI platform is closed source, the answer is no.

“Trust us” is not a security model

Most AI platforms publish a security page with reassuring language. Encryption, isolation, compliance certifications, maybe a SOC 2 report. But the actual implementation — the code that handles your secrets, manages your sessions, and isolates your data from other tenants — is a black box.

For most SaaS, this works well enough. AI agents are different. A compromised CRM leaks contact records. A compromised AI agent leaks every credential it holds, every conversation it has processed, and every system it can reach. The blast radius is fundamentally larger.

When the stakes are that high, “trust us” is not a security architecture. It is a liability.

What we open-sourced and why

Alpha Agent is built on OpenClaw, an open-source AI agent platform. The security model is not a separate marketing document — it is the code itself, publicly auditable on GitHub. Here is what that means in practice.

Container isolation

Every user gets an isolated Docker container with a read-only root filesystem, no-new-privileges security flags, cgroup resource limits, and an isolated bridge network. No shared processes. No cross-tenant communication. The container isolation architecture is fully documented and the implementation is in the open-source Docker Compose templates and provisioning scripts.

KMS encryption

User secrets — API keys, OAuth tokens, service credentials — are encrypted with AWS KMS before they touch DynamoDB. Never plaintext. Never in environment variables during provisioning. The encryption flow, IAM scoping, and cost trade-offs are all public.

Session management

Session tokens are HMAC-signed, and signatures are compared with timingSafeEqual so that verification runs in constant time and does not leak how many bytes of a forged signature happened to match. No third-party auth library with its own dependency chain. The session verification code is readable in the dashboard source.

Zero inbound ports

EC2 instances have zero inbound rules in their security groups: no SSH, no management port, no debug endpoint. All administration runs through AWS Systems Manager, whose agent reaches the service over an outbound connection, so the instance needs no listening port at all. Container ports are bound to 127.0.0.1 only. There is no inbound network surface to attack.
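The container-side controls from the two sections above (read-only root, no-new-privileges, cgroup limits, an isolated per-user bridge network, and ports bound to loopback) expressed as a Compose service. This is an added illustration, not the OpenClaw or Alpha Agent Compose template; the service and network names, the image, the port number, and the limit values are placeholders.

```yaml
# Added example, not the project's own Compose template. Names, image, port
# and limits are placeholders chosen for illustration.
services:
  agent-user-a1b2:
    image: example/agent-runtime:latest      # placeholder image
    read_only: true                           # read-only root filesystem
    tmpfs:
      - /tmp:size=64m,noexec,nosuid           # the only writable scratch space
    security_opt:
      - no-new-privileges:true                # setuid/setcap binaries cannot escalate
    pids_limit: 256                           # cgroup limit on process count
    deploy:
      resources:
        limits:
          cpus: "1.0"                         # cgroup CPU limit
          memory: 1g                          # cgroup memory limit
    ports:
      - "127.0.0.1:18080:8080"                # loopback only; never 0.0.0.0
    networks:
      - agent-user-a1b2-net
    # No `environment:` block on purpose: secrets reach the container through
    # the provisioning path, not through environment variables.

networks:
  agent-user-a1b2-net:
    driver: bridge                            # one bridge per user; no other tenant is attached
```

Two checks worth running after `docker compose up -d` rather than trusting the file: `docker inspect --format '{{.HostConfig.ReadonlyRootfs}} {{.HostConfig.SecurityOpt}} {{.HostConfig.Memory}}' <container>` should print `true [no-new-privileges:true] 1073741824`, and `docker port <container>` should show only a 127.0.0.1 binding. The tmpfs mount is the caveat practitioners hit first: a read-only root with no writable scratch space breaks most runtimes, so the writable area is made explicit and mounted noexec.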

Secret handling

Secrets are encrypted individually per user, stored as ciphertext blobs in DynamoDB, decrypted only at provisioning time by a Lambda with a scoped IAM role restricted to a single KMS key. The full pipeline is auditable end to end.

Every control listed above is implemented in open-source code that your security team can clone, read, and verify before you sign a contract.

Closed source hides mistakes. Open source fixes them.

In February 2026, security researchers at DepthFirst published a detailed writeup of CVE-2026-25253, a critical remote code execution vulnerability in OpenClaw’s WebSocket gateway. The flaw carried a CVSS score of 8.8 and was exploitable even on localhost-only deployments.

A community researcher found the vulnerability. DepthFirst published a responsible disclosure. The OpenClaw maintainers patched WebSocket origin validation within 24 hours. Alpha Agent’s architecture was already structurally immune — our zero-inbound-port model meant the attack vector did not exist in our deployment — but we published a full technical analysis anyway, because transparency is the point.

If OpenClaw were closed source, that vulnerability might well have been found first by an attacker rather than a researcher. No public disclosure. No community patch. No way for customers to assess their exposure. The fix would have arrived on the vendor’s timeline, not the community’s.

RunZero’s Censys scan identified over 21,000 exposed OpenClaw instances on the public internet at the time of disclosure. Because the code is open, every operator — self-hosted or managed — could evaluate the risk and act immediately.

The argument against security through obscurity

Some vendors argue that keeping security code closed prevents attackers from finding vulnerabilities. The decades-long track record of this approach suggests otherwise. Closed-source software accumulates vulnerabilities found by attackers with time and motivation, not by defenders with access. Open source shifts the discovery advantage to the security community.

OpenClaw’s open codebase means that the container isolation flags, KMS encryption flow, session token verification, and network architecture can be reviewed by any security engineer who evaluates the platform. Each review is a free audit, and each audit can surface edge cases the internal team missed.

Closed-source AI platforms ask you to trust their internal security team exclusively. Open-source platforms invite the entire security community to participate. One of these approaches scales.

What this means for your evaluation

If you are evaluating AI agent platforms for your organization, ask these questions:

  1. Can I read the code that handles my secrets? Not a whitepaper. Not a diagram. The actual encryption and decryption code.
  2. Can I audit the container isolation model? The Docker configuration, the security flags, the network topology.
  3. Can I verify session management? The token signing, the timing-safe comparison, the HMAC implementation.
  4. When a CVE is disclosed, can I assess my exposure independently? Without waiting for the vendor to tell me whether I am affected.

With Alpha Agent, the answer to all four is yes. The security model is the code, and the code is public.

Go deeper

Review our full security architecture. Read the technical deep dives on container isolation, KMS encryption, and zero trust architecture. Explore the source at openclaw.ai.

Security claims without auditable code are just marketing. We would rather show you the implementation.