Secure MCP agents before they act.
McpVanguard sits between agents and tools, inspecting each proposed tool call before execution, enforcing policy, and recording the decision.
From model intent to policy verdict
When an agent proposes a tool call, McpVanguard turns that moment into an explicit security decision before the upstream MCP server is reached.
Tool call proposed
The agent asks to call a tool with arguments.
Normalize
Decode, canonicalize, and annotate risky input patterns.
Enforce policy
Apply rules, safe zones, auth context, semantic advice, and risk signals.
Compose verdict
Resolve findings into ALLOW, WARN, REVIEW, SHADOW-BLOCK, or BLOCK.
Execute or block
Allowed calls continue. Blocked calls never reach the upstream server.
Runtime enforcement path
Layered controls let semantic scoring add context without becoming the only thing standing between an agent and a privileged action.
Preflight
Normalize encodings, Unicode, size, depth, and scorer-targeting patterns before deeper inspection.
Rules + Safe Zones
Block known high-risk paths, network destinations, command patterns, and boundary escapes deterministically.
Camouflage
Detect fake approvals, trust labels, policy-waiver language, multilingual reassurance, and scorer-targeting text.
Semantic Advisor
Score ambiguous intent and raise severity when useful. It can escalate, but it cannot downgrade deterministic blocks.
Behavioral / Risk
Track repeated enumeration, suspicious sequences, pacing, and exfiltration-like behavior across the session.
One explicit verdict before execution.
Choose your enforcement profile
Start with the profile that matches your operational risk. Strict is powerful, but it is not always the right first step.
Monitor
Safe rollout
Audit-only discovery. See what agents are trying to do before you enforce.
Balanced
Recommended default
Default developer enforcement. Blocks high-confidence risks while keeping normal tool workflows moving.
Strict
Production-sensitive
Fail-closed semantic behavior, stricter deterministic boundaries, and stronger risk enforcement. Tune for admin and research workflows.
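The layered enforcement path and the three profiles, as an added Python sketch that is not McpVanguard's own code. It assumes a single safe zone under /workspace, toy deterministic patterns, a keyword advisor standing in for semantic scoring, and illustrative profile semantics (monitor records a BLOCK as SHADOW-BLOCK, strict fails closed on REVIEW); the point it shows is that the advisor can raise a verdict above the deterministic floor but never lower it.

```python
import posixpath
import unicodedata
from enum import IntEnum
class Verdict(IntEnum):  # ordered by severity so max() picks the strictest finding
    ALLOW, WARN, REVIEW, SHADOW_BLOCK, BLOCK = range(5)

SAFE_ZONE = "/workspace"  # assumed safe zone for file tools (constructed)

def normalize(args):
    """Preflight: NFKC-fold strings and canonicalize path arguments against the safe zone."""
    out = {}
    for key, val in args.items():
        if isinstance(val, str):
            val = unicodedata.normalize("NFKC", val)  # folds fullwidth '．' and '／' to '.' and '/'
        if key == "path":
            val = posixpath.normpath(posixpath.join(SAFE_ZONE, val))  # resolves '..' segments
        out[key] = val
    return out

def deterministic_rules(tool, args):
    """Rules + safe zones: non-probabilistic findings that set the floor of the verdict."""
    findings = []
    path = args.get("path")
    if path and path != SAFE_ZONE and not path.startswith(SAFE_ZONE + "/"):
        findings.append((Verdict.BLOCK, "path escapes safe zone"))
    if tool == "shell" and "rm -rf" in args.get("cmd", ""):  # toy high-risk pattern
        findings.append((Verdict.BLOCK, "high-risk command pattern"))
    return findings

def semantic_advisor(args):
    """Advisory layer (keyword stand-in): a 0..1 score mapped to a suggested verdict."""
    text = " ".join(str(v) for v in args.values()).lower()
    score = 0.0
    if "approved by security" in text:
        score = 0.5  # camouflage: self-asserted approval raises suspicion, it is not trusted
    if "credential" in text or "secret" in text:
        score = 0.8
    return Verdict.REVIEW if score >= 0.7 else Verdict.WARN if score >= 0.4 else Verdict.ALLOW

def evaluate(tool, args, profile="balanced"):
    """Compose one verdict: the advisor may escalate above the deterministic floor, never below."""
    args = normalize(args)
    findings = deterministic_rules(tool, args)
    floor = max((v for v, _ in findings), default=Verdict.ALLOW)
    verdict = max(floor, semantic_advisor(args))
    if profile == "monitor" and verdict == Verdict.BLOCK:
        verdict = Verdict.SHADOW_BLOCK  # audit-only: record the block without enforcing it
    if profile == "strict" and verdict == Verdict.REVIEW:
        verdict = Verdict.BLOCK  # fail closed on ambiguous intent
    return verdict, [reason for _, reason in findings]
```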
Why layering matters
In corpus-scoped release research, semantic scoring alone missed cases that deterministic policy caught. That shaped the architecture: semantic scoring advises; it does not own the boundary.
Malicious cases blocked by semantic scoring alone in this corpus.
Malicious cases blocked by deterministic policy in the same run.
Malicious cases blocked when the layered path was composed.
Install and deploy
Run locally in front of stdio MCP servers, or expose McpVanguard as a hosted SSE / Streamable HTTP gateway with API key or JWT protection.
Commands
pip install mcp-vanguard
vanguard start --profile balanced --server "your-mcp-server-command"
vanguard sse --profile balanced --server "your-mcp-server-command"
vanguard audit-compliance
vanguard benchmark-run --profile strict
Deployment paths
Local stdio wrapper
Wrap existing MCP server commands without rewriting the server.
Hosted gateway
Expose a protected SSE / Streamable HTTP gateway for remote workflows.
Built for the MCP boundary, not as your only sandbox.
McpVanguard does not replace OS isolation, container boundaries, cloud IAM, or least-privilege tool design. It enforces policy at the MCP execution boundary so proposed tool calls are inspected before they reach real systems.
The Model Context Protocol - the open standard McpVanguard secures.
Adversarial text that redirects agent behavior before unsafe tool calls are inspected at runtime.
Unauthorized tool invocation constrained by McpVanguard's policy enforcement boundary.
Agent-driven exploitation of internal services constrained by destination policy and safe-zone boundaries.
Filesystem escape via relative paths normalized and blocked at the execution boundary.
Rule-based, non-probabilistic enforcement - the primary path for known MCP hazards.
The formally defined perimeter that McpVanguard enforces for every agent session.
Every tool call is verified independently - McpVanguard's core security philosophy.