See What Your AI Agents Do. Control What They Can't.

Visibility and enforcement for every MCP server, skill, plugin, and remote endpoint — before it reaches your AI stack.

$ curl -fsSL https://truvant.ai/install.sh | sh

Policy Enforcement in Action

can you ssh into my server chomicz.com and tell me if it's sync'd with ntp?

Bash(ssh chomicz.com "timedatectl status")
  BLOCKED: Truvant policy prevents execution of 'ssh chomicz.com timedatectl status'
  Run 'mcpctl policy check ssh chomicz.com timedatectl status' for details.
can you check my postgres db to see what tables we have using kubectl?

Bash(kubectl get pods --all-namespaces | grep -i postgres)
  BLOCKED: Truvant policy prevents execution of 'kubectl get pods --all-namespaces'
  Run 'mcpctl policy check kubectl get pods --all-namespaces' for details.
/plugin

Plugins Discover Installed Marketplaces

superpowers
from superpowers-marketplace
Version: 4.0.3

  Error: Failed to install: Failed to clone repository:
  BLOCKED: Truvant policy prevents execution of 'git clone --depth 1
  --recurse-submodules --shallow-submodules https://github.com/obra/superpowers.git
  /Users/mike/.claude/plugins/cache/temp_git_...'
  Run 'mcpctl policy check git clone --depth 1 --recurse-submodules
  --shallow-submodules https://github.com/obra/superpowers.git ...' for details.

AI agents can only execute commands explicitly allowed by your security policy — including plugin installations.
Plugin supply chain case study →   |   Rogue AI database deletion →

Features

Pre-Install Scanning

SAST, SCA, and secrets detection on MCP server packages, skills, and plugins before they enter your environment. Know what you're running before you run it.

Policy Enforcement

Security policies gate every installation — MCP servers, skills, and plugins that don't meet your score threshold are blocked automatically. Command-level policies control what AI agents can execute.

Continuous Monitoring

Background agent watches for supply-chain changes — new versions, dependency shifts, permission escalations — and alerts your team in real time.

Standards & CI/CD Integration

SARIF v2.1.0 output plugs directly into GitHub Code Scanning, GitLab SAST, and Azure DevOps. Every finding maps to MITRE ATLAS, OWASP Top 10 for LLM, and OWASP Top 10 for Agentic Applications.

See What You Get

Real output from Truvant. No mockups.

Security Scan Results

Every MCP server, skill, and plugin gets a risk score and detailed findings mapped to industry frameworks.

mcpctl scan @anthropic/mcp-server-slack

npm:@anthropic/mcp-server-slack
================================================================================
Score:     72/100 - Medium Risk
Publisher: Anthropic
Status:   scanned

Findings Summary:
  Critical: 0  High: 2  Medium: 5  Low: 3

--------------------------------------------------------------------------------

[High] CVE-2024-48930 - Prototype Pollution in lodash
  lodash@4.17.19 → 4.17.21
  Location: node_modules/lodash
  MITRE ATLAS: AML.T0010 | OWASP LLM: LLM05

[High] MCP002 - Overly Broad Tool Schema
  Tool 'execute_query' accepts arbitrary SQL without input validation
  Location: src/tools.ts:42
  MITRE ATLAS: AML.T0042 | OWASP LLM: LLM07 | OWASP Agentic: OASP-AGENT-01

[Medium] SEC012 - Hardcoded Webhook URL
  Slack webhook URL found in configuration file
  Location: src/config.ts:15
  MITRE ATLAS: AML.T0012 | OWASP LLM: LLM06

Policy: PASS (score 72 ≥ threshold 60)

Remote Endpoint Trust Scores

AI-powered research agent probes remote MCP endpoints for TLS configuration, publisher verification, and tool risk classification.

mcpctl inspect mcp.slack.com

slack-mcp (http:mcp.slack.com)
================================================================================
Trust:     91/100 - High Trust ✓
Publisher: Slack Technologies
Status:   verified

Trust Signals:
  TLS:        A+
              TLSv1.3 | TLS_AES_256_GCM_SHA384 | DigiCert Inc
  Auth:       OAuth2
              Scopes: channels:read, chat:write
  Publisher:  Verified
              Slack Technologies, San Francisco, CA
  Compliance: SOC2, ISO 27001

Tools: 42 total, 3 flagged
   send_message         [L1_WRITE]    Send a message to a channel
   list_channels        [L1_READ]     List available channels
   upload_file          [L2_WRITE]    Upload a file to a channel
   delete_channel       [L3_DESTRUCTIVE] Permanently delete a channel
   execute_workflow     [L3_DESTRUCTIVE] Run arbitrary workflow

Fleet Management Dashboard

Centralized visibility across every host, MCP server, plugin, and skill in your organization.

Avg Trust Score: 78 (▲ 3 from last week)
Monitored Hosts: 24 (across 3 teams)
Open Violations: 7 (▼ 2 from last week)
Flagged Servers: 3 (L3+ tools detected)

Host             MCP Servers  Plugins  Violations  Last Seen
eng-mac-014      8            3        2           2m ago
eng-mac-027      6            5        1           5m ago
devops-linux-03  12           2        0           1m ago
sec-mac-001      4            1        4           12m ago

Agent Monitoring

Lightweight agent runs as a system service, watching for new installations, config changes, and policy violations.

mcpctl agent status

Agent Status
============

Trust service:      https://trust.truvant.ai
Authentication:   Authenticated (mike@company.com)
Last trust comm:  2026-02-02T14:30:00Z (12m ago)

Known servers:    15
Plugins tracked:  8
Skills tracked:   3
Last periodic scan: 2026-02-02T14:25:00Z (17m ago)
Recent signals:   2
Signal directory: /Users/mike/.truvant/signals

Warning: 2 server(s) below score threshold (70)

Full Audit Trail

Every command your AI agents execute is logged locally with the decision, matched rule, and calling agent. Your security team sees exactly what happened, when, and why.

cat ~/.truvant/signals/policy-decisions/policy-decisions.jsonl | jq -c '.'

// 14:30 — Claude clones a repo → allowed by git whitelist
{"timestamp":"2026-02-02T14:30:15Z", "decision":"allowed", "binary":"git",
 "args":["clone","https://github.com/company/repo.git"],
 "matched_rule":{"type":"whitelist","pattern":"git"},
 "context":{"user":"alice", "agent":"claude", "working_dir":"/Users/alice/projects"}}

// 14:35 — Claude installs a package → default allow
{"timestamp":"2026-02-02T14:35:42Z", "decision":"allowed", "binary":"npm",
 "args":["install","express"],
 "matched_rule":{"type":"default_allow"},
 "context":{"user":"alice", "agent":"claude", "working_dir":"/Users/alice/projects/myapp"}}

// 14:42 — Claude tries force push → BLOCKED by deny pattern
{"timestamp":"2026-02-02T14:42:11Z", "decision":"blocked", "binary":"git",
 "args":["push","--force","origin","main"],
 "matched_rule":{"type":"deny_pattern","pattern":"push.*--force"},
 "context":{"user":"alice", "agent":"claude", "working_dir":"/Users/alice/projects/myapp"}}

// 15:10 — Cursor tries privileged Docker container → BLOCKED
{"timestamp":"2026-02-02T15:10:33Z", "decision":"blocked", "binary":"docker",
 "args":["run","--privileged","alpine"],
 "matched_rule":{"type":"deny_pattern","pattern":"--privileged"},
 "context":{"user":"bob", "agent":"cursor", "working_dir":"/home/bob/infra"}}

mcpctl agent signals

Recent signals (3):

TIMESTAMP         SERVER              SCORE  SEVERITY  SOURCE
2026-02-02 15:30  suspicious-mcp      35     critical  npm:@untrusted/mcp-pkg@1.2.3
2026-02-02 14:15  risky-plugin        48     high      npm:@unknown/claude-plugin@0.3.1
2026-02-01 22:45  legacy-db-server    62     medium    git:github.com/intern/db-mcp@main

Signal directory: /Users/mike/.truvant/signals
Signal files are consumed by SIEM (Microsoft Defender for Endpoint)

Audit logs rotate automatically (5 MB / 7 days). Signal files are consumed by SIEM (Microsoft Defender for Endpoint).
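To make the command-policy behaviour shown in "Policy Enforcement in Action" and in the audit trail above concrete, here is a small evaluator that applies the same three rule types (whitelist, deny_pattern, default_allow) and emits records in the same shape as policy-decisions.jsonl. This is an added example, not Truvant's code: the rule precedence (deny patterns first, then the whitelist, then the default), the policy dictionary, the extra deny patterns for ssh and kubectl, and the "human_passthrough" and "default_deny" rule-type names are all assumptions of this example.

```python
"""Command policy evaluator that emits audit records shaped like the
policy-decisions.jsonl lines above. Added example, not Truvant's code."""
import json
import re
import shlex
from collections import Counter
from datetime import datetime, timezone

# Constructed policy. Rule types mirror the matched_rule objects in the log;
# the deny patterns for ssh/kubectl mirror the blocked demo commands, and
# "human_passthrough" / "default_deny" are names assumed by this example.
DEFAULT_POLICY = {
    "deny_patterns": [r"push.*--force", r"--privileged", r"^ssh\b", r"^kubectl get pods"],
    "whitelist": ["git"],
    "default": "allowed",  # set to "blocked" for a default-deny posture
}


def evaluate(command, context, policy=DEFAULT_POLICY, now=None):
    """Decide whether one shell line may run on behalf of `context`.

    Precedence (an assumption): deny patterns beat the whitelist, which
    beats the default. That is why a whitelisted binary like git can still
    have a dangerous subcommand (push --force) blocked, as in the log.
    """
    argv = shlex.split(command)
    if not argv:
        raise ValueError("empty command")
    binary, args = argv[0], argv[1:]
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")

    def record(decision, rule):
        return {"timestamp": stamp, "decision": decision, "binary": binary,
                "args": args, "matched_rule": rule, "context": context}

    # Caller detection: only AI agents are policed; a human shell passes through.
    if not context.get("agent"):
        return record("allowed", {"type": "human_passthrough"})

    line = " ".join(argv)
    for pattern in policy["deny_patterns"]:
        if re.search(pattern, line):
            return record("blocked", {"type": "deny_pattern", "pattern": pattern})
    if binary in policy["whitelist"]:
        return record("allowed", {"type": "whitelist", "pattern": binary})
    if policy["default"] == "allowed":
        return record("allowed", {"type": "default_allow"})
    return record("blocked", {"type": "default_deny"})


def audit_line(rec):
    """Serialise one decision as a compact JSONL line (like jq -c '.')."""
    return json.dumps(rec, separators=(",", ":"))


def summarize(jsonl_text):
    """Count decisions per (agent, decision) from a JSONL dump, skipping the
    // annotation lines used above; handy for a quick SOC triage view."""
    counts = Counter()
    for raw in jsonl_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("//"):
            continue
        rec = json.loads(raw)
        counts[(rec["context"]["agent"], rec["decision"])] += 1
    return dict(counts)


if __name__ == "__main__":
    ctx = {"user": "alice", "agent": "claude", "working_dir": "/Users/alice/projects"}
    for cmd in ("git clone https://github.com/company/repo.git", "npm install express",
                "git push --force origin main", "docker run --privileged alpine"):
        print(audit_line(evaluate(cmd, ctx)))
```

Switching `"default"` to `"blocked"` turns the evaluator into the allow-list posture described at the top of the page ("AI agents can only execute commands explicitly allowed by your security policy"), while the sample log above reflects a default-allow configuration.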

CI/CD Integration

SARIF v2.1.0 output drops into GitHub Code Scanning, GitLab SAST, and Azure DevOps with zero adapters.

# .github/workflows/mcp-security.yaml

- name: Scan MCP servers
  run: mcpctl scan --format sarif --output results.sarif

- name: Upload to GitHub Code Scanning
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Every finding includes MITRE ATLAS, OWASP LLM, and OWASP Agentic framework references in the SARIF taxonomy.
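The following added example (not Truvant's code, and not its real SARIF output) shows what "framework references in the SARIF taxonomy" looks like in practice: it builds a SARIF 2.1.0 document from the three findings in the scan output above, records each finding's MITRE ATLAS / OWASP LLM / OWASP Agentic reference as a rule relationship into a run-level taxonomy, and then applies a CI gate over the result levels. The severity-to-SARIF-level mapping, the tool name, and the gate thresholds are assumptions of this example.

```python
"""Build a SARIF 2.1.0 document from mcpctl-style findings and gate a CI job
on it. Added example; the mapping and field choices are assumptions."""

# Findings constructed from the scan output shown earlier on this page.
FINDINGS = [
    {"id": "CVE-2024-48930", "severity": "High", "title": "Prototype Pollution in lodash",
     "detail": "lodash@4.17.19 -> 4.17.21", "uri": "node_modules/lodash", "line": None,
     "refs": {"MITRE ATLAS": "AML.T0010", "OWASP LLM": "LLM05"}},
    {"id": "MCP002", "severity": "High", "title": "Overly Broad Tool Schema",
     "detail": "Tool 'execute_query' accepts arbitrary SQL without input validation",
     "uri": "src/tools.ts", "line": 42,
     "refs": {"MITRE ATLAS": "AML.T0042", "OWASP LLM": "LLM07", "OWASP Agentic": "OASP-AGENT-01"}},
    {"id": "SEC012", "severity": "Medium", "title": "Hardcoded Webhook URL",
     "detail": "Slack webhook URL found in configuration file",
     "uri": "src/config.ts", "line": 15,
     "refs": {"MITRE ATLAS": "AML.T0012", "OWASP LLM": "LLM06"}},
]

# Severity -> SARIF level mapping is this example's assumption.
LEVEL = {"Critical": "error", "High": "error", "Medium": "warning", "Low": "note"}


def build_sarif(findings, tool_name="mcpctl"):
    """Emit a SARIF 2.1.0 log: one rule + one result per finding, with each
    framework reference attached as a rule relationship into a taxonomy."""
    rules, results, taxa = [], [], {}
    for f in findings:
        relationships = []
        for framework, taxon in f["refs"].items():
            taxa.setdefault(framework, set()).add(taxon)
            relationships.append({"target": {"id": taxon, "toolComponent": {"name": framework}},
                                  "kinds": ["relevant"]})
        rules.append({"id": f["id"], "shortDescription": {"text": f["title"]},
                      "defaultConfiguration": {"level": LEVEL[f["severity"]]},
                      "relationships": relationships})
        location = {"physicalLocation": {"artifactLocation": {"uri": f["uri"]}}}
        if f["line"]:
            location["physicalLocation"]["region"] = {"startLine": f["line"]}
        results.append({"ruleId": f["id"], "level": LEVEL[f["severity"]],
                        "message": {"text": f["detail"]}, "locations": [location]})
    taxonomies = [{"name": name, "taxa": [{"id": t} for t in sorted(ids)]}
                  for name, ids in taxa.items()]
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}},
                      "taxonomies": taxonomies, "results": results}]}


def gate(sarif, max_errors=0, max_warnings=None):
    """CI gate: tally results by level and fail when error-level findings
    exceed max_errors (and, if set, warnings exceed max_warnings)."""
    counts = {"error": 0, "warning": 0, "note": 0, "none": 0}
    for run in sarif["runs"]:
        for r in run["results"]:
            counts[r.get("level", "warning")] += 1
    ok = counts["error"] <= max_errors and (
        max_warnings is None or counts["warning"] <= max_warnings)
    return ok, counts


def framework_coverage(sarif):
    """Map each reported rule to the taxonomies it references, so a pipeline
    can assert every finding carries framework references before upload."""
    out = {}
    for run in sarif["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"]["rules"]}
        for res in run["results"]:
            rel = rules[res["ruleId"]].get("relationships", [])
            out[res["ruleId"]] = sorted(x["target"]["toolComponent"]["name"] for x in rel)
    return out


if __name__ == "__main__":
    import json
    doc = build_sarif(FINDINGS)
    print(json.dumps(doc, indent=2))
    print("gate:", gate(doc), "coverage:", framework_coverage(doc))
```

The gate here is a consumer-side check layered on top of mcpctl's own score threshold: the scan above passes Truvant's policy at 72 ≥ 60, but a pipeline that refuses any error-level result would still fail the job on the two High findings.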

See Everything. Control Everything.

Fleet-wide visibility into every AI agent extension, with policy enforcement that actually stops threats — not just alerts.

Admin dashboard showing hosts, alerts, MCP servers, plugins, and skills across the organization

Security Posture at a Glance

Hosts, alerts, MCP servers, plugins, skills, and at-risk items — across your entire organization.

Policy management interface with allow/deny rules for command binaries

Define What AI Agents Can Do

Command-level policies for kubectl, terraform, aws, psql, and more. Allow or deny at the binary level.

Audit log showing git command allowed by whitelist policy with full event details

Every Action Logged

Full audit trail with filters by severity, binary, hostname. Expand any event to see the policy rule that matched.

MCP server detail showing critical risk score, violation history, and host tracking

Drill Into Risk Details

Violation scores, risk timelines, and host tracking for every flagged MCP server, plugin, or skill.

Scan. Gate. Enforce. Monitor.

Other tools monitor agent behavior at runtime. Truvant controls what agents can install, what commands they can run, and what tools they can call — before anything executes. No other product does all four for AI agent extensions.

Capability | Description | Truvant | HiddenLayer (AI model security) | Zenity (AI agent governance) | Obsidian (SaaS security) | Straiker (AI agent guardrails)

Pre-Install Artifact Scanning
Source Code Analysis (SAST) | Static analysis of MCP server and plugin source code | Yes (Python, shell, JS/TS) | No | No | No | No
Dependency Vulnerabilities (SCA) | Known CVEs in transitive dependencies | Yes (OSV + Trivy/Grype) | No | No | No | No
Secrets Detection | Hardcoded API keys, tokens, private keys in source | Yes (25 rule types) | No | No | No | No
Container Image Scanning | Layer extraction, SBOM generation | Yes | No | No | No | No
MCP Tool Schema Analysis | Tool poisoning, shadowing, overly broad schemas | Yes | No | Partial (config-level) | No | Partial (hygiene checks)
Skill & Plugin Scanning | Prompt injection, data exfiltration, role hijacking | Yes (37+ skill, 52+ hook rules) | No | No | No | No

Install-Time Enforcement
Plugin Install Interception | Quarantine, scan, and gate before plugins load | Yes (scan before load) | No | No | No | No
Risk Threshold Policy Gate | Org-configurable score thresholds with admin overrides | Yes (server-side policy) | No | No | No | No
Admin Approval Workflow | Dashboard review of blocked plugins with approve/deny | Yes (SARIF + findings in dashboard) | No | No | No | No
AI Tool Integration | Seamless enrollment into Claude Code, Cursor, Copilot | Yes (automatic enrollment) | No | No | No | No

Runtime Enforcement
System Command Interception | Block ssh, kubectl exec, git push --force from agents | Yes (subcommand-level granularity) | No | No | No | No
AI Agent Caller Detection | Only enforce on AI agents; humans pass through unaffected | Yes (Claude, Cursor, Copilot) | No | No | No | No
MCP Tool-Call Policy (HTTP) | Per-tool allow/deny on remote MCP endpoints | Yes (per-tool allow/deny) | Partial (behavioral monitoring) | Yes (agent-level interception) | No | Yes (MCP proxy server)
MCP Tool-Call Policy (Local Stdio) | Policy enforcement on local MCP servers (npx, uvx) | Yes (transparent enforcement) | No | Partial (endpoint agent) | No | No
Tamper Protection | Detects and alerts on bypass attempts | Yes (mandatory enforcement mode) | No | No | No | No

Monitoring & Compliance
Continuous Monitoring | File watcher, periodic rescan, drift detection | Yes (fsnotify + periodic rescan) | Yes (runtime behavioral) | Yes (agent observability) | Yes (SaaS activity) | Yes (runtime inspection)
SIEM Integration | Signal files for endpoint security and SIEM platforms | Yes (MDE signal files, JSONL) | Unclear | Unclear | Yes (Sentinel, CrowdStrike) | Unclear
SARIF CI/CD Output | GitHub Code Scanning, GitLab SAST, Azure DevOps | Yes (v2.1.0, --format sarif) | Yes (model scanning only) | No | No | No
Threat Framework Mapping | MITRE ATLAS, OWASP LLM, OWASP Agentic | Yes (all three frameworks) | Yes (MITRE ATLAS) | Yes (OWASP, MITRE, NIST) | No | Yes (OWASP, MITRE, NIST)
Remote Endpoint Trust Scoring | TLS, publisher, CVE tracking for MCP endpoints | Yes (AI research agent) | No | Partial (allowlist/blocklist) | No | Partial (risk scoring)

Deployment & Integration
Single Binary CLI | curl | sh install, works without cloud dependency | Yes (Go binary, offline-capable) | No (enterprise SaaS) | No (enterprise SaaS) | No (enterprise SaaS) | No (enterprise SaaS)
Works Offline / Local-First | Scanning and enforcement without cloud connectivity | Yes (cloud enriches, not required) | No | No | No | No
Multi-Agent Support | Claude Code, Cursor, Copilot, any CLI-based agent | Yes (agent-aware enforcement) | Partial | Yes (SaaS + endpoint) | Partial (SaaS agents only) | Yes

How It Works

1. Install: One curl command. Linux (macOS coming soon).

2. Scan: mcpctl scan @anthropic/mcp-server-slack analyzes any MCP server, skill, or plugin for vulnerabilities, secrets, and risky tool definitions. Use --format sarif to feed results directly into your CI/CD pipeline.

3. Enforce: Security policies decide pass/fail. Passing artifacts are automatically added to your Claude Code config. Failing ones are blocked.

4. Monitor: mcpctl agent start runs continuously, watching for changes and sending alerts to Slack, PagerDuty, or webhooks.

Architecture

🖥️ Claude Desktop: Claude Code, Cursor, VS Code
🛡️ Truvant CLI: scan, enforce, monitor
📦 AI Extensions: npm, git, containers

Local Scanning & Policy: 🔍 MCP Protocol, 🧪 SAST, 📚 SCA / CVE, 🔑 Secrets, 🧩 Skills & Hooks
Policy Engine: risk scoring, thresholds, categories (Pass → Install, Fail → Block)
Command Interception: Command Policy (block dangerous commands), Audit Log

Remote MCP Endpoints:
☁️ Trust Service: TLS, publisher, CVE tracking
AI Research Agent: multi-turn investigation
PostgreSQL: trust scores, inventory

Supported Identity Providers

Truvant supports any OIDC-compliant identity provider for organization authentication.

Google Workspace
Okta
Azure AD / Entra ID
Auth0
OneLogin
Keycloak
Any OIDC Provider

Secure your AI stack in under 5 minutes.

One command to install. Authenticate when you're ready.

$ curl -fsSL https://truvant.ai/install.sh | sh