Govern every MCP server before it touches your data.
MCP servers connect agents to your tools, data, and systems, and most arrive with no review. Bastion risk-scores every server before it connects, flags the rogue ones, and inspects every tool call in flight.
[Problem]
An MCP server is a key to your systems.
Every server an agent connects to can read files, call tools, and reach internal systems. Most are installed in seconds, with permissions no one reviewed.
01
New servers appear overnight.
A developer connects an MCP server from a registry of thousands. It requests broad scopes, and nobody signs off before it is live.
02
Rogue servers hide in plain sight.
Tool poisoning, tool shadowing, and impersonating servers look legitimate until they exfiltrate a secret or hijack a tool call.
03
One bad scope exposes everything.
A single over-permissioned server can read your environment files, your codebase, or your production database.
[How it works]
Score it, watch it, gate it.
Bastion treats every MCP server as untrusted until it earns a score. Connections are gated before they open, and every tool call after that is inspected.
Pre-connection risk scoring
Code, requested permissions, maintainer reputation, and known vulnerabilities are scored before a server is allowed to connect. Below your threshold, it is blocked.
Rogue server detection
Catch impersonating, shadowed, and poisoned servers, plus prompt injection hidden in tool descriptions, before they reach an agent.
Tool-call inspection
Every tool call is inspected inline. PII and tokens are masked, and calls that cross a policy line are redacted or blocked.
Identity-based controls
Decide who can connect which server, enforced through your existing identity provider and approval workflows.
[Threats]
Built for the MCP attack surface.
Tool poisoning, tool shadowing, prompt injection via tool descriptions, command injection, and fake servers. Bastion was built for the ways MCP actually gets abused, and it covers MCP without the MCP-only blind spot, alongside every other AI surface.
Active MCP Connections
github-mcp v2.1.0 approved
slack-mcp v1.4.2 approved
rogue-db-tool v0.3.1EXPOSED: DB_PASSWORD
file-reader v1.0.0scope: /etc/passwd
[Trust]
Works everywhere. Leaks nothing.
LLM and client agnostic
Bastion sits in front of MCP traffic from any client, so coverage does not depend on which agent or IDE your team uses.
- >Works across Claude Code, Cursor, Windsurf, and custom clients
- >Official and homegrown MCP servers alike
- >No vendor lock-in, no MCP-only blind spot
- >Detects new servers the moment they connect
Privacy by design
Inspection runs locally on the device. Nothing leaves your network by default, and logging is opt-in.
- >Detection engine runs locally on the endpoint
- >Tool-call inspection without shipping payloads off-device
- >Request and response logging is opt-in
- >Self-hosted or managed, your choice
Managed and current
Our threat intelligence team maintains MCP risk scoring and detections as new servers and attacks emerge.
- >Risk scores updated as servers change ownership or behavior
- >New MCP attack detections shipped continuously
- >Approval workflows and allow lists you control
- >Evidence mapped to ISO 27001, ISO 42001, EU AI Act, and SOC 2
[FAQ]
Frequently asked questions
Any server that is not what it claims to be: one that impersonates a trusted server, hides malicious instructions in its tool descriptions (prompt injection), shadows a legitimate tool to intercept calls, or quietly exfiltrates data. Bastion flags these before an agent ever connects.
Before a server is allowed to connect, Bastion analyzes its code, the permission scopes it requests, its maintainer and update history, and any known vulnerabilities, then produces a score. Servers below your approval threshold are blocked automatically.
Rarely. Approved servers connect normally, and every rule can start in monitor-only mode so you see what would be blocked before enforcing anything. Tool calls are inspected, not bottlenecked.
Either. The detection engine runs locally on the endpoint, and you decide whether anything is logged centrally. Deploy fleet-wide via your MDM and manage policies from your AI tools over MCP itself.
MCP-only tools cover one vector. Bastion governs MCP and the browser, the IDE, the terminal, models, and agents through one proxy, with the same policies and the same evidence.
[Coverage]
One proxy. Every surface.
This is one of four layers in Bastion's AI governance module. Explore the rest.
[Get Started]
Stop trusting MCP servers by default.
Score every server before it connects and inspect every tool call after, across whichever clients your team already uses.