Security gateway for MCP agents.

Block injection attacks, unauthorized access, and unsafe tool calls before they reach your production systems.

Open source, MIT licensed. Available on PyPI.
Defense architecture
L1: Rules Engine (fast)

Block known attack patterns, such as path traversal, reverse shells, metadata poisoning, and SSRF, with deterministic signature matching before they reach your systems. No model judgment required.

L2: Semantic Scorer (async)

Detect subtle evasion attempts that signature rules miss. Optional intent scoring for deeper inspection when pattern matching alone is not enough.

L3: Behavioral (stateful)

Spot unusual behavior across sessions — unexpected data patterns, abnormal tool-call sequences, and signs of compromise before they escalate.

Interception log (simulated), event 0x7F2C:
  id: "ssrf_aws_metadata"
  name: "AWS IMDSv2 Token Fetch"
  layer: "L1_DETERMINISTIC"
  action: "BLOCK_AND_ALERT"
  severity: "CRITICAL"
Integration protocol
01 INSTALL

Run 'vanguard start' to launch the local gateway.

02 CONFIGURE

Gateway mode: point your MCP client at the proxy URL. Stdio mode: wrap the upstream server command so the proxy sits between the agent and the server process.

03 INTERCEPT

Tool calls and server metadata (tool manifests and descriptions) are inspected before a call is executed or a manifest is handed to the agent.

04 AUDIT

Emit audit logs and telemetry. Optionally route blocked events to external evidence systems.

Deployment & Operations

Two Deployment Modes

Local: stdio wrapper

Wraps the upstream MCP server command and runs on the same machine as the agent. No network listener is exposed, which makes it ideal for development and single-tenant deployments. Note that the wrapper inspects messages, not the process: the upstream server still runs locally with the same OS privileges as the proxy, so untrusted server binaries still need OS-level isolation.

Hosted: SSE/HTTP gateway

Exposes the proxy as a network service, so API key or JWT authentication must be configured before clients can reach it. Enables multi-tenant deployments and access to remote MCP servers.

Fail-Closed by Design

McpVanguard defaults to deny, not allow. When in doubt, it blocks. This applies to every layer:

Rule timeout: regex evaluation exceeds the timeout. Action: BLOCK
Regex error: malformed pattern or ReDoS trigger. Action: BLOCK
Semantic failure: LLM scorer unavailable or returns an error. Action: BLOCK
Missing manifest: tool not in the authorized allowlist. Action: BLOCK

CLI Tooling

vanguard start

Launch the local gateway or stdio proxy

vanguard audit

Run compliance checks against active rules

vanguard update

Pull signed rule updates from the registry

vanguard ui

Open the audit dashboard in your browser

Example Configuration
.env
VANGUARD_MODE=enforce
VANGUARD_RULES_DIR=./rules
VANGUARD_API_KEY=sk-live-...
VANGUARD_SEMANTIC_ENABLED=false
rules/jailbreak.yaml (excerpt)
rules:
  - id: jailbreak_001
    severity: CRITICAL
    pattern: "ignore.*instructions"
    action: BLOCK
    reason: "Instruction override attempt"