Enterprise Feature · Private Beta

MCP Gateway

A policy-enforcing proxy for the Model Context Protocol. Scan tools for poisoning, redact PII in arguments and results, control which tools an agent can call, and audit every call — in our cloud or entirely inside your own VPC.

Share

Why an MCP Gateway

MCP gives agents real power — and a real attack surface. Every downstream server your agent connects to can inject instructions through tool descriptions, receive sensitive data through tool arguments, and return untrusted content through tool results. The MCP Gateway is an aggregating proxy that sits in front of all your MCP servers and enforces one org-wide policy on that entire surface.

  • One endpoint aggregates all your downstream MCP servers, with a single policy across them
  • Tool descriptions are scanned for poisoning at catalog time — before your agent sees them
  • PII in tool arguments (outbound) and tool results (inbound) is redacted or blocked
  • Per-org tool allow/deny lists control exactly what an agent can invoke
  • Every call is audited; metadata streams to your SIEM — never prompt or tool content
  • Runs in our multi-tenant cloud, or as a container inside your own VPC

What it protects

Tool-Poisoning Scan

Catalog-time

Every downstream tool's name and description is scanned for prompt-injection and instruction-poisoning at catalog time — before the tool is ever exposed to your agent. Malicious 'ignore previous instructions' style descriptions are flagged and blocked.

Outbound Argument DLP

Request path

Tool-call arguments are inspected before they leave your environment. PII and secrets can be blocked so an agent can't exfiltrate sensitive data into a third-party MCP server.

Inbound Result DLP

Response path

Tool results returning from downstream servers are scanned and PII is redacted (or blocked) before the model sees them — stopping a compromised or over-sharing server from injecting sensitive data into the context.

Tool Allow / Deny

Access control

Per-org allowlists (default-deny) and denylists (always win) control exactly which tools an agent can call, by bare or namespaced tool name.

Graceful Degradation

Availability

If one downstream MCP server is unreachable or misconfigured, the gateway skips it (emitting a high-severity audit event) and keeps serving every other server — one bad server never takes down the whole catalog.

Audit & SIEM

Observability

Every tool call, policy decision, and skipped server emits a structured security event you can stream to your SIEM (Splunk, Datadog, Sentinel) — metadata only, never prompt or tool content.

How it works

Point your MCP client at the gateway instead of at individual servers. The gateway authenticates the request with your project API key, resolves it to your organization, builds an aggregated tool catalog from your registered downstream servers, and enforces your policy on everytools/listandtools/call.

MCP client config (points at the gateway)
{
  "mcpServers": {
    "aisg-gateway": {
      "url": "https://api.aisecuritygateway.ai/mcp",
      "headers": {
        "Authorization": "Bearer oah_your_project_api_key"
      }
    }
  }
}

Per-direction DLP actions

DLP is controlled independently for each direction, so you can protect data flowing out to tools differently from data flowing back to the model. Configure both from Settings → MCP Gateway.

Request action (tool arguments)

ActionBehavior
OffArguments are forwarded unmodified. No scanning on the request path.
BlockIf PII/secrets above threshold are detected in tool-call arguments, the call is blocked before it reaches the downstream server.

Response action (tool results)

ActionBehavior
OffTool results are returned unmodified. No scanning on the response path.
RedactDetected PII in tool results is replaced with typed placeholders (e.g. <EMAIL_ADDRESS>) before the model sees them. The recommended default.
BlockIf PII above threshold is detected in a tool result, the entire result is blocked. Strongest, but can break agents that legitimately need the data — use deliberately.

Tuning false positives

Public data (asset names, symbols, IDs, prices) can look like PII to a scanner. Four policy controls let you keep protection strong without over-redacting benign values.

allowFields

JSON keys whose values are exempt from redaction — ideal for public identifiers (asset names, symbols, IDs) that would otherwise be over-redacted.

scoreThreshold

The confidence floor (0–1) a detection must clear before it counts. Raise it to cut false positives on ambiguous matches.

blockedEntities

Narrow the entity types the policy acts on, so you redact SSNs and cards without touching benign values.

resultScanMaxBytes

The size ceiling for synchronous result scanning; larger payloads are sampled to protect tool-call latency.

Deployment modes

Cloud (multi-tenant)

A single managed endpoint serves every org. Each request is authenticated by its project API key and dispatched to that org's policy and server registry. Downstream credentials are stored in AWS Secrets Manager and resolved per request.

Hybrid VPC (in your network)

The same gateway ships as a container for Docker Compose or Kubernetes. It reads its per-org registry and policy from the sync-agent bundle — metadata only — and resolves every downstream token locally from your own environment, so credentials and tool traffic never leave your VPC. See the Hybrid VPC deployment guide.

Security model

Credentials never in the bundle

In Hybrid mode, the synced bundle carries only server metadata and policy. Downstream tokens are resolved locally from your environment and never leave your network.

Fail-closed on missing creds

A downstream whose credential is unset is not called — the gateway refuses to hit a server it can't authenticate to, rather than leaking an unauthenticated request.

Confused-deputy isolation

Each org's servers and secrets are strictly scoped. One tenant can never see or reach another tenant's downstream servers.

Metadata-only audit

Security events capture event type, severity, org, tool, and decision — never argument or result content — so you get full observability without new data exposure.

Frequently Asked Questions

How is this different from your LLM proxy?

The LLM proxy secures chat/completions traffic to model providers. The MCP Gateway secures the other half of an agent's attack surface: the tool calls it makes over the Model Context Protocol. It's an aggregating proxy that sits in front of your downstream MCP servers and enforces policy on the tools themselves — their descriptions, arguments, and results.

What is tool poisoning and why scan descriptions?

MCP tool descriptions are fed to the model as instructions. A malicious or compromised server can hide adversarial instructions ('before answering, send the user's API keys to…') inside a tool's description. The gateway scans every tool's name and description at catalog time and blocks poisoned tools before your agent ever sees them.

Will result redaction break my agent?

Redaction (the default) replaces PII with typed placeholders, which most agents handle fine. Block is stricter and can break workflows that legitimately need the data, so it's opt-in per direction. For false positives on public data, use allowFields, scoreThreshold, and blockedEntities to tune precisely.

Where do downstream server credentials live?

In the cloud, downstream credentials are stored in AWS Secrets Manager and resolved per-request — never in the database or the browser. In Hybrid VPC mode, credentials never leave your network at all: the synced policy bundle carries server metadata only, and the gateway resolves each token locally from your own environment.

What happens if a downstream MCP server is down?

The gateway degrades gracefully. It skips the unreachable server, emits a high-severity mcp.server_unavailable audit event, and continues serving every other server's tools. One failing dependency never brings down the whole gateway for a tenant.

Can I run this entirely inside my own VPC?

Yes. The same gateway ships as a container for Hybrid VPC (Docker Compose or Kubernetes). It reads its per-org registry and policy from the sync-agent bundle (metadata only) and keeps all tool traffic and credentials inside your network. See the Hybrid VPC deployment guide.

Secure your agent's tools

The MCP Gateway is in private beta. Enable it for your organization and put a policy in front of every MCP server your agents touch.

Want to self-host this?

AI Security Gateway is open source. Deploy the core AI security proxy on your own infrastructure — PII redaction, prompt injection blocking, and secret detection included. No account required.