How IronClaw Works

From deployment to AI-powered operations with cryptographic trust. Here's exactly what happens when you bring VIRP and IronClaw into your network.

1. Deploy IronClaw

Clone the repo from GitHub and deploy on any Linux host. IronClaw includes the VIRP trust layer, telemetry collectors, and the AI orchestration engine. Open source under Apache 2.0.

# Deploy from GitHub
$ git clone https://github.com/nhowardtli/ironclaw.git
$ cd ironclaw && make install
# VIRP trust layer active

2. Connect Your Devices

Add your firewalls, switches, servers, and access points. IronClaw connects over your existing management network using standard protocols, so there are no agents to install. Two practical notes: prefer SNMPv3 with authentication and privacy over v2c, whose community strings cross the wire in cleartext, and treat the IronClaw host as a high-value target, since it holds working credentials for every device it manages and should be reachable only from the management network.

# Supported connection methods:
FortiGate, Palo Alto → REST API
Cisco IOS/NX-OS → SSH
Windows Servers → WinRM
Linux / Proxmox → SSH
Network devices → SNMP v2c/v3

3. AI Scans & Monitors

Once connected, the engine immediately begins polling telemetry — configs, logs, performance metrics, and security state. Data flows into the local Wazuh SIEM for correlation. Claude AI analyzes your topology, identifies misconfigurations, and maps findings against compliance frameworks.

# What happens automatically:
• Configuration audit against CIS Benchmarks
• Firewall policy chain analysis
• VLAN segmentation validation
• Open port / exposed service detection
• Failed auth & anomaly detection via Wazuh
• Compliance mapping (NIST, HIPAA, PCI)
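
Two of those checks in working form, as an added example that is not IronClaw code: first-match shadowing for the policy chain analysis, and a trust-ranked segmentation check that rates the same unrestricted rule differently depending on the zone it enters. The Policy fields, the zone names, the trust ranking and the sample table are constructed assumptions modelled on a FortiGate-style first-match policy table.

```python
"""Firewall policy chain analysis and VLAN segmentation checks over a constructed
policy table.

Added example, not IronClaw code. The Policy fields, the zone names and the trust
ranking are assumptions modelled on a first-match firewall policy table (FortiGate
style); map them onto the export you actually collect.
"""
from dataclasses import dataclass

# Assumed trust ranking: a higher number means a more sensitive zone.
ZONE_TRUST = {"internet": 0, "lab": 1, "dmz": 2, "users": 3, "prod": 4}
SEVERITY_BY_TRUST = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}


@dataclass(frozen=True)
class Policy:
    id: int
    src_zone: str
    dst_zone: str
    dst_addr: str  # "all" or an address object / subnet name
    service: str   # "ALL" or a named service
    action: str    # "accept" or "deny"


def covers(broad: Policy, narrow: Policy) -> bool:
    """True when every packet `narrow` could match is already matched by `broad`."""
    return (
        broad.src_zone == narrow.src_zone
        and broad.dst_zone == narrow.dst_zone
        and broad.dst_addr in ("all", narrow.dst_addr)
        and broad.service in ("ALL", narrow.service)
    )


def shadowed_policies(policies):
    """Policy chain analysis: in a first-match table a rule is dead if an earlier
    rule covers it. A deny hidden behind an earlier accept is the serious case."""
    findings = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if covers(earlier, later):
                serious = later.action == "deny" and earlier.action == "accept"
                findings.append({
                    "policy": later.id, "shadowed_by": earlier.id,
                    "severity": "high" if serious else "low",
                    "detail": f"policy {later.id} is never reached; policy {earlier.id} matches first",
                })
                break
    return findings


def segmentation_findings(policies):
    """Segmentation validation: an accept rule from a less-trusted zone into a
    more-trusted one that leaves destination or service unrestricted. Severity
    follows the trust of the zone being entered, so the same open rule rates
    'low' into lab and 'critical' into prod."""
    findings = []
    for p in policies:
        if p.action != "accept":
            continue
        src_t, dst_t = ZONE_TRUST[p.src_zone], ZONE_TRUST[p.dst_zone]
        if dst_t <= src_t:
            continue  # toward an equal or less-trusted zone: not a boundary crossing
        if p.dst_addr == "all" or p.service == "ALL":
            findings.append({
                "policy": p.id, "severity": SEVERITY_BY_TRUST[dst_t],
                "detail": f"{p.src_zone} -> {p.dst_zone}: dstaddr={p.dst_addr} service={p.service}",
                "recommendation": "restrict to the specific subnets and services this flow needs",
            })
    return findings


# Constructed sample table (not from any real device).
SAMPLE_POLICIES = [
    Policy(10, "users", "internet", "all", "ALL", "accept"),        # egress, no crossing
    Policy(12, "lab", "lab", "all", "ALL", "accept"),               # intra-zone
    Policy(14, "dmz", "prod", "all", "ALL", "accept"),              # unrestricted into prod
    Policy(15, "dmz", "prod", "db-servers", "TCP-5432", "accept"),  # dead: 14 matches first
    Policy(20, "internet", "lab", "all", "TCP-22", "accept"),       # open, but only into lab
    Policy(99, "internet", "prod", "all", "ALL", "deny"),
]


def run_checks(policies=SAMPLE_POLICIES):
    return {"shadowed": shadowed_policies(policies),
            "segmentation": segmentation_findings(policies)}


if __name__ == "__main__":
    for kind, items in run_checks().items():
        for f in items:
            print(kind, f["severity"], f["detail"])
```

The severity scaling is the point: a wide rule into lab is noise, the same rule into prod is the finding you page on. The shadowing check is what catches a narrow rule (or a deny) that an earlier, broader accept has silently made unreachable.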

4. Investigate with AI Forensics

Ask questions in plain English. "Who logged into the firewall last night?" "Show me all failed SSH attempts this week." Claude queries your SIEM indices, firewall logs, and endpoint data, then returns a correlated forensic timeline — not raw log dumps.

# Example query → response
Q: "Who changed firewall policy 14?"

A: admin (10.0.10.50) at 02:14 AM
    Added "all" to destination in policy 14
    Risk: Unrestricted VLAN access
    Recommendation: Restrict to specific subnets
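
The correlation behind an answer like that, as an added example written to show the logic rather than taken from IronClaw: it joins the config-change record for the policy with the admin session that bracketed it and with failed logins in the surrounding minutes, and rates the change with a heuristic. The event records and field names are constructed, normalized records, not real FortiGate log lines.

```python
"""Correlating a config change with the admin session and nearby auth events to
build a forensic timeline for 'who changed firewall policy 14?'.

Added example, not IronClaw's query engine. The events are constructed
(normalized records, not real FortiGate log lines) and the field names are assumptions.
"""
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed sample data
    {"ts": "2024-05-02T02:11:40", "type": "login", "user": "admin", "src_ip": "10.0.10.50", "result": "success"},
    {"ts": "2024-05-02T02:12:05", "type": "login", "user": "jdoe", "src_ip": "10.0.10.77", "result": "failed"},
    {"ts": "2024-05-02T02:14:02", "type": "config", "user": "admin", "src_ip": "10.0.10.50",
     "path": "firewall.policy", "object": "14", "field": "dstaddr", "old": "srv-web", "new": "all"},
    {"ts": "2024-05-02T02:16:30", "type": "logout", "user": "admin", "src_ip": "10.0.10.50"},
    {"ts": "2024-05-02T09:30:00", "type": "config", "user": "netops", "src_ip": "10.0.10.60",
     "path": "firewall.policy", "object": "21", "field": "service", "old": "ALL", "new": "HTTPS"},
]


def ts(e):
    return datetime.fromisoformat(e["ts"])


def session_for(events, change):
    """The login that bracketed the change: same user and source IP, last successful
    login before it, and the first logout after it (None if still open)."""
    def same(e):
        return e["user"] == change["user"] and e["src_ip"] == change["src_ip"]
    logins = [e for e in events if e["type"] == "login" and e["result"] == "success"
              and same(e) and ts(e) <= ts(change)]
    logouts = [e for e in events if e["type"] == "logout" and same(e) and ts(e) >= ts(change)]
    start = max(logins, key=ts) if logins else None
    end = min(logouts, key=ts) if logouts else None
    return start, end


def assess(change):
    """Heuristic risk rating for a policy edit (assumed rules, not a vendor scheme)."""
    if change["field"] in ("dstaddr", "srcaddr") and change["new"] == "all":
        return "high", "Unrestricted VLAN access", "Restrict to specific subnets"
    if change["field"] == "service" and change["new"] == "ALL":
        return "high", "All services permitted", "Restrict to required services"
    return "info", "Change recorded", "Review against change ticket"


def who_changed(events, policy_id, window=timedelta(minutes=10)):
    """One timeline entry per edit of the policy, with the session it came from,
    nearby failed logins as context, and an off-hours flag."""
    timeline = []
    for e in sorted(events, key=ts):
        if not (e["type"] == "config" and e["path"] == "firewall.policy"
                and e["object"] == str(policy_id)):
            continue
        start, end = session_for(events, e)
        nearby_failures = [f"{x['ts']} {x['user']}@{x['src_ip']}" for x in events
                           if x["type"] == "login" and x["result"] == "failed"
                           and abs(ts(x) - ts(e)) <= window]
        risk, reason, fix = assess(e)
        timeline.append({
            "when": e["ts"], "who": e["user"], "from": e["src_ip"],
            "change": f"{e['field']}: {e['old']} -> {e['new']}",
            "session": (start["ts"] if start else "unknown", end["ts"] if end else "still open"),
            "off_hours": ts(e).hour < 6 or ts(e).hour >= 22,  # assumed business hours
            "nearby_failed_logins": nearby_failures,
            "risk": risk, "reason": reason, "recommendation": fix,
        })
    return timeline


if __name__ == "__main__":
    for entry in who_changed(SAMPLE_EVENTS, 14):
        print(entry)
```

The session join is what turns "policy 14 was edited" into an accountable statement: the change is tied to a specific authenticated session from a specific source, and anything odd in the same window (a failed login from another host, an off-hours timestamp) is surfaced alongside it rather than left for the analyst to go and find.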

5. Remediate in One Click

When a finding surfaces, click "Fix it for me." Claude generates the vendor-specific remediation command (FortiOS CLI, Cisco IOS, PowerShell, or Linux shell). Because that command comes from a language model, the safety validation is the control that matters: the command is checked against a safety library before anything runs, then executed on the device and verified, with a full audit trail and full rollback capability.

# Remediation pipeline:
1. AI generates fix → config firewall policy
2. Command validated against safety rules
3. Pre-change snapshot taken
4. Fix executed on device
5. Post-change verification
6. Audit log entry created
✓ Rollback available for 30 days
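
The pipeline above as an added, runnable example against a simulated device (not IronClaw's pipeline or its safety library). The FortiOS-style command grammar, the safety rules, the verification function and the device state are assumptions. The design point it shows is that the validator is an allowlist of what a fix may do (one policy block, a handful of verbs, no access-widening values), not a denylist of known-bad commands.

```python
"""A remediation pipeline: safety check, pre-change snapshot, execution,
verification, audit entry and rollback, run against a simulated device.

Added example, not IronClaw's pipeline or its safety library. The simulated
FortiOS-style grammar, the safety rules and the device state are assumptions.
"""
import copy
from datetime import datetime, timezone

# Assumed safety rules: one 'config firewall policy ... end' block, only these
# verbs inside it, exactly one policy edited, and no 'set' that widens access.
ALLOWED_VERBS = {"edit", "set", "next"}
WIDENING = {("dstaddr", "all"), ("srcaddr", "all"), ("service", "ALL")}


class SimulatedFortiGate:
    """Stand-in for a real device: a policy table plus an interpreter for the grammar."""
    def __init__(self, policies):
        self.policies = policies

    def snapshot(self):
        return copy.deepcopy(self.policies)

    def restore(self, snap):
        self.policies = copy.deepcopy(snap)

    def run(self, lines):
        current = None
        for tok in (line.split() for line in lines if line.strip()):
            if tok[0] == "edit":
                current = self.policies.setdefault(int(tok[1]), {})
            elif tok[0] == "set":
                current[tok[1]] = " ".join(tok[2:])


def validate(lines):
    """Safety check. Returns (ok, reason); nothing runs unless ok is True."""
    body = [line.strip() for line in lines if line.strip()]
    if len(body) < 3 or body[0] != "config firewall policy" or body[-1] != "end":
        return False, "fix must be a single 'config firewall policy ... end' block"
    edited = set()
    for line in body[1:-1]:
        tok = line.split()
        if tok[0] not in ALLOWED_VERBS:
            return False, f"verb not allowed inside the block: {tok[0]}"
        if tok[0] == "edit":
            if len(tok) != 2 or not tok[1].isdigit():
                return False, "edit needs a numeric policy id"
            edited.add(int(tok[1]))
        elif tok[0] == "set":
            if len(tok) < 3:
                return False, "set needs a field and a value"
            if (tok[1], " ".join(tok[2:])) in WIDENING:
                return False, f"refusing to widen access: {line}"
            if not edited:
                return False, "set before edit"
    if len(edited) != 1:
        return False, "fix must edit exactly one policy"
    return True, "ok"


def remediate(device, fix, verify, audit):
    """Run the pipeline; every outcome, including a rejection, lands in the audit log."""
    ok, reason = validate(fix)                                   # 2. safety rules
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "fix": list(fix), "reason": reason}
    if not ok:
        entry["status"] = "rejected"
    else:
        entry["pre"] = device.snapshot()                         # 3. pre-change snapshot
        device.run(fix)                                          # 4. execute
        if verify(device):                                       # 5. post-change verification
            entry["status"] = "applied"
        else:
            device.restore(entry["pre"])                         # failed verification: undo
            entry["status"] = "reverted_after_failed_verify"
        entry["post"] = device.snapshot()
    audit.append(entry)                                          # 6. audit entry
    return entry


def rollback(device, entry, audit):
    """Operator rollback: restore the snapshot kept in an applied audit entry."""
    if entry.get("status") != "applied":
        return False
    device.restore(entry["pre"])
    entry["status"] = "rolled_back"
    audit.append({"ts": datetime.now(timezone.utc).isoformat(), "status": "rollback", "of": entry["ts"]})
    return True


# Constructed fixes: the first is the kind of change step 4's recommendation calls for.
FIX_14 = ["config firewall policy", "    edit 14", "        set dstaddr srv-web-subnet", "    next", "end"]
BAD_FIXES = {
    "not a config block": ["execute factoryreset"],
    "widens access": ["config firewall policy", "edit 14", "set dstaddr all", "next", "end"],
    "two policies": ["config firewall policy", "edit 14", "next", "edit 15", "next", "end"],
}


def policy_14_restricted(dev):
    return dev.policies[14].get("dstaddr") not in (None, "all")


def demo():
    """Fresh simulated device: apply the fix, then roll it back. Returns what was seen."""
    dev = SimulatedFortiGate({14: {"srcintf": "dmz", "dstintf": "prod", "dstaddr": "all",
                                   "service": "ALL", "action": "accept"}})
    audit = []
    entry = remediate(dev, FIX_14, policy_14_restricted, audit)
    after_fix = dev.policies[14]["dstaddr"]
    rollback(dev, entry, audit)
    return entry["status"], after_fix, dev.policies[14]["dstaddr"], [a["status"] for a in audit]


if __name__ == "__main__":
    print(demo())
    for why, fix in BAD_FIXES.items():
        print(why, "->", validate(fix))
```

A real safety library grows by adding vendors and verbs to the allowlist, never by enumerating dangerous commands; the verification step is what catches a syntactically valid fix that did not achieve the intended state, and the snapshot taken before execution is what makes the rollback honest rather than a best-effort inverse command.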

What stays on-prem. What doesn't.

Your logs, configs, credentials, and telemetry never leave your network. Only natural-language AI queries reach the Anthropic API.

Your Network (On-Prem)

  • IronClaw + VIRP trust layer
  • Wazuh SIEM & log storage
  • VIRP O-Node collectors
  • Device credentials & configs
  • HMAC-signed observations
  • Remediation execution engine
→ AI queries only
← AI responses

Anthropic Cloud

  • Claude AI reasoning engine
  • Natural language processing
  • Remediation command generation
  • Compliance analysis
  • Your API key, your account
  • No data retention by Anthropic
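
The on-prem list above mentions HMAC-signed observations from the O-Node collectors. As an added example that is not VIRP's actual scheme, here is a signing and verification pair with a key per node and a per-node sequence number, so that a record tampered with in transit, a replayed one, or one signed with another collector's key is rejected before it reaches the SIEM. The record layout, the demo keys, the sequence-number rule and the canonical encoding are all assumptions.

```python
"""HMAC-signed collector observations with per-node keys and replay protection.

Added example, not VIRP's scheme. Record layout, per-node keys, sequence
numbers and the canonical encoding are assumptions.
"""
import hashlib
import hmac
import json

# Constructed demo keys so the example is reproducible. In practice each O-Node
# gets its own key provisioned out of band and loaded from a secret store.
NODE_KEYS = {
    "onode-01": bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"),
    "onode-02": bytes.fromhex("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"),
}


def canonical(body: dict) -> bytes:
    """Deterministic encoding (sorted keys, no whitespace) so signer and verifier hash the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(observation: dict, key: bytes) -> dict:
    body = {k: v for k, v in observation.items() if k != "sig"}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": tag}


class Verifier:
    """Checks the tag with the key belonging to the claimed node and rejects
    replays by requiring a strictly increasing sequence number per node."""
    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}

    def accept(self, signed: dict):
        """Return (ok, reason)."""
        node = signed.get("node")
        key = self.keys.get(node)
        if key is None:
            return False, "unknown node"
        body = {k: v for k, v in signed.items() if k != "sig"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(signed.get("sig", ""))):
            return False, "bad signature"
        seq = body.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq.get(node, -1):
            return False, "replayed or out-of-order"
        self.last_seq[node] = seq
        return True, "ok"


def demo():
    """Constructed observation from onode-01: genuine, tampered, replayed, and forged."""
    obs = {"node": "onode-01", "seq": 41, "ts": "2024-05-02T02:14:02Z",
           "device": "fw-edge-01", "kind": "config_change",
           "detail": {"path": "firewall.policy", "object": "14", "field": "dstaddr", "new": "all"}}
    v = Verifier(NODE_KEYS)
    signed = sign(obs, NODE_KEYS["onode-01"])
    genuine = v.accept(signed)
    tampered = dict(signed, detail={**signed["detail"], "new": "srv-web"})  # edited after signing
    replay = v.accept(signed)                                                # same seq presented again
    forged = sign(dict(obs, seq=42), NODE_KEYS["onode-02"])                  # claims onode-01, wrong key
    return {"genuine": genuine, "tampered": v.accept(tampered),
            "replay": replay, "forged": v.accept(forged)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two choices carry the security value here: `hmac.compare_digest` keeps tag comparison constant-time, and the key is chosen by the node named in the record rather than trusted from the sender, so compromising one collector's key does not let it speak for the others. An HMAC only proves the sender held the shared key; if you need third-party-verifiable provenance, that is where a signature keyed to hardware-backed identity would replace it.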

Collect. Analyze. Act.

Three continuous loops running inside IronClaw, 24/7.

Collect

Agentless collectors poll devices via SNMP, SSH, REST APIs, and WinRM on configurable intervals. Raw telemetry flows into the local time-series cache and Wazuh SIEM.

Analyze

Claude AI processes telemetry in context — understanding your topology, VLAN segmentation, and device roles. It distinguishes a lab VLAN open port from a production DMZ exposure.

Act

Findings surface with one-click remediation. Vendor-specific commands are generated, safety-checked, executed, and verified — with full rollback and audit logging.

Get the code

VIRP and IronClaw are open source under Apache 2.0.
