By NanoCo, the Tel Aviv startup behind the open-source NanoClaw agent framework, closed a $12 million seed round on May 20 and launched a managed enterprise product built on one premise: giving every employee their own isolated AI agent is fundamentally more secure than sharing one assistant across the company. With 250,000 downloads since January, developer community traction is real. With Docker and Vercel as investors — not just partners — there is an infrastructure bet behind the headline.
Why the Shared-Assistant Model Is a Liability
Microsoft Copilot is the dominant enterprise AI assistant. It is also a case study in what happens when a single agent shares permission scope across an organization. In January 2026, Copilot accessed protected emails in Sent Items and Drafts, bypassing DLP policies. CVE-2025-32711, dubbed EchoLeak with a CVSS score of 9.3, enabled zero-click data exfiltration from the Copilot context without user interaction. Microsoft’s own security blog lists excessive permissions as the most common Copilot misconfiguration — and Copilot makes existing permission errors immediately exploitable.
The structural problem is the shared model itself: one assistant inherits the permission intersection of every employee who uses it. A single misconfiguration becomes a company-wide blast radius. ChatGPT Enterprise, Glean, and most enterprise AI tools share this architecture. Security Magazine estimated that GenAI tools exposed an average of three million sensitive records per organization in 2026. That number will grow as agents gain write access to more systems.
NanoClaw’s Architecture: Container Isolation Over Guardrails
NanoClaw’s answer is OS-level isolation rather than application-layer guardrails. The entire core is roughly 500 lines of TypeScript — an intentional design choice by co-founder Gavriel Cohen, a former Wix engineer who built it because he could not audit OpenClaw’s estimated 800,000-line codebase in any reasonable amount of time. A security team can review NanoClaw’s core in about a day.
How it works in practice: a single Node.js process handles message ingestion, persists everything to SQLite, and spawns an isolated container for each agent session. Each container gets only the relevant user’s directory mounted — it has no visibility into other agents’ data or the host filesystem. The Docker partnership, announced in March, adds another layer: agents run inside MicroVM-based Docker Sandboxes, each with its own kernel and Docker engine, so even the Docker host cannot be escaped.
Credentials never reach the agent container. Outbound calls pass through a Rust-based OneCLI Agent Vault that injects real credentials at request time. Sensitive write operations — deleting files, modifying cloud environments — trigger a human approval card on Slack, Teams, or WhatsApp. The agent waits. Only an explicit approval from the employee releases the credential.
Getting Started in 5 Minutes
NanoClaw is MIT-licensed and self-hostable on macOS, Linux, or Windows with WSL2. Requirements: Docker, Claude Code, and a recent version of Bun.
git clone https://github.com/nanocoai/nanoclaw.git
cd nanoclaw
claude # then run /setupBun executes TypeScript directly with no compile step. Claude Code walks through setup interactively, asking questions and configuring everything based on your answers. Channel integrations — Slack, Teams, Telegram, WhatsApp, Discord, GitHub, and more — are added via /add-<channel> skills. Each agent maintains persistent memory across sessions, building what NanoCo calls an “LLM wiki” of the employee’s work, preferences, and active projects.
The managed enterprise tier is available separately through nanoclaw.dev — pricing is not yet public, but the target buyers are legal, sales, and developer teams that need compliance guarantees the self-hosted version does not provide out of the box.
What the Per-Employee Model Actually Costs
The security story is compelling. The economics are worth examining. Each employee’s agent maintains a persistent knowledge graph — storage and context-window costs that scale linearly with headcount. At 5,000 employees, that is 5,000 separate memory stores to maintain, back up, and provision. Docker MicroVM cold starts add measurable latency on first interaction compared to a persistent shared assistant. And NanoCo was incorporated in January 2026 and raised in May — the enterprise roadmap has not yet been proven at scale.
The “500 lines” number describes the core logic. The full system depends on Bun, Anthropic’s Claude Agent SDK, Docker, and the Baileys WhatsApp library. The auditable surface is larger than the headline figure. That said, 500 auditable lines at the core versus 800,000 largely-unreviewed lines is a real security difference, not a marketing one.
The Bet
NanoCo raised from Docker, Vercel, and Monday.com alongside Valley Capital Partners and angels including HuggingFace CEO Clem Delangue and Auth0 co-founder Matias Woloski. The origin story is six weeks from first commit to term sheet — driven not by a product vision but by a security conviction Gavriel Cohen could not shake while building his previous company. That is usually how the best enterprise infrastructure companies start: a founder who could not find the tool they needed and built it anyway.
The per-employee isolation model may become the standard for enterprise AI agents, or it may stay a niche for compliance-heavy industries. Either way, NanoClaw is a direct response to a real problem the dominant shared-assistant model has not solved — and it is open source, so you can clone it today and see if it holds up in your environment.
