DEV Community

Gus

Secure your MCP servers in 10 seconds

You have MCP servers running. Claude Desktop, Cursor, VS Code, maybe a custom one. Every tool call your agent makes goes straight to the server. No scanning, no access control, no logs.

Here is how to put a security layer in front of all of them.

Install

# Go
go install github.com/oktsec/oktsec/cmd/oktsec@v0.12.0

# or Homebrew
brew install oktsec/tap/oktsec

Run

oktsec run

That is it. One command. Here is what happens:

  1. Scans your machine for MCP clients (Claude Desktop, Cursor, VS Code, Windsurf, Cline, and 12 more)
  2. Finds every MCP server configured in each client
  3. Generates a security config with observe-mode defaults
  4. Creates Ed25519 keypairs for identity verification
  5. Wraps each MCP server through the oktsec proxy
  6. Starts scanning with a real-time dashboard

No config file to write. No YAML to edit. No manual setup.

What you see

A TUI shows events in real time. Every tool call your agent makes passes through 230 detection rules before execution:

oktsec v0.12.0 | observe mode | 3 agents | 230 rules

EVENTS
12:04:01 claude-desktop  Read     /src/main.go         clean    2ms
12:04:03 claude-desktop  Bash     npm install express   clean    3ms
12:04:05 claude-desktop  Write    /src/config.yaml      clean    2ms
12:04:08 claude-desktop  Bash     curl http://evil.com  block    1ms  TC-005

The dashboard at http://127.0.0.1:8080/dashboard shows the full picture: pipeline health, agent list, event timeline, rule matches, session inventory.

What it scans for

230 rules across 16 categories:

  • Prompt injection. Fake system tags, impersonated tokens, concealment instructions
  • Credential leaks. API keys, AWS secrets, GitHub tokens in tool arguments
  • Shell injection. Command chaining in Bash tool calls (; rm -rf /, | curl evil.com)
  • Data exfiltration. Base64-encoded content, suspicious outbound URLs
  • MCP attacks. Parameter injection, tool description manipulation
  • Supply chain. Malicious package installs, untrusted registries

When a rule matches, the verdict changes from clean to flag, quarantine, or block, depending on severity. In observe mode nothing is blocked; matches are only logged. Switch to enforce mode when you are ready:

oktsec run --enforce

Per-agent tool policies

If you run multiple agents or MCP servers, you can control what each agent is allowed to do. Edit ~/.oktsec/config.yaml:

agents:
  coding-agent:
    allowed_tools:
      - Read
      - Write
      - Bash
    tool_policies:
      Bash:
        rate_limit: 10/min
    egress:
      allowed_domains:
        - github.com
        - npmjs.com

  research-agent:
    allowed_tools:
      - Read
      - WebSearch
    # No Bash, no Write, no file system access

If coding-agent tries to call WebSearch or research-agent tries to call Bash, oktsec blocks it.
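One way the allowed_tools, rate_limit and egress rules above could be evaluated per tool call, as an added Go example (this is not oktsec's own code; the AgentPolicy and Enforcer types and the "block"/"clean" strings are hypothetical):

```go
package main

import (
	"net/url"
	"strings"
	"time"
)

// AgentPolicy mirrors one agent entry of ~/.oktsec/config.yaml (hypothetical type, not oktsec's code).
type AgentPolicy struct {
	AllowedTools   map[string]bool
	RateLimit      map[string]int  // tool -> max calls per minute
	AllowedDomains map[string]bool // egress allow-list; nil means unrestricted
}
// Enforcer evaluates tool calls; Calls holds timestamps per "agent/tool" and must be initialised.
type Enforcer struct {
	Policies map[string]AgentPolicy
	Calls    map[string][]time.Time
}

// Check returns "clean", or "block" plus the reason, for one tool call.
func (e *Enforcer) Check(agent, tool, arg string, now time.Time) (string, string) {
	p := e.Policies[agent] // an unknown agent gets the zero policy, so every tool is denied
	if !p.AllowedTools[tool] {
		return "block", "tool not in allowed_tools"
	}
	// Egress: every scheme-qualified URL in the argument must point at an allowed domain.
	for _, w := range strings.Fields(arg) {
		u, err := url.Parse(w)
		if err == nil && u.Host != "" && p.AllowedDomains != nil && !p.AllowedDomains[u.Hostname()] {
			return "block", "egress to " + u.Hostname() + " not allowed"
		}
	}
	// Rate limit: count this agent's calls to the tool inside a sliding one-minute window.
	if limit, ok := p.RateLimit[tool]; ok {
		key := agent + "/" + tool
		var recent []time.Time
		for _, t := range e.Calls[key] {
			if now.Sub(t) < time.Minute {
				recent = append(recent, t)
			}
		}
		if len(recent) >= limit {
			e.Calls[key] = recent
			return "block", "rate_limit exceeded"
		}
		e.Calls[key] = append(recent, now)
	}
	return "clean", ""
}
```

Only URLs with a scheme are matched by the egress check here; a bare host like evil.com/x in a Bash argument would need the pattern rules from the previous section.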

MCP gateway mode

For more control, oktsec can front your MCP servers as a gateway:

gateway:
  enabled: true
  port: 8081
  backends:
    - name: filesystem
      transport: stdio
      command: npx
      args: ["-y", "@modelcontextprotocol/server-filesystem", "/workspace"]
    - name: github
      transport: http
      url: http://localhost:3000/mcp

The gateway adds per-tool spending limits, approval thresholds, and tool namespacing when backends have conflicting tool names.

Audit trail

Every event is logged in a SQLite database with a SHA-256 hash chain. Each entry is signed with the proxy's Ed25519 key. If anyone modifies a log entry, the chain breaks.

# Query the audit log
oktsec audit --limit 20

# Verify chain integrity
oktsec audit --verify

# Export as SARIF
oktsec audit --export sarif > report.sarif

Optional: LLM analysis layer

For attacks that pattern matching misses (fabricated compliance requirements, domain spoofing, out-of-scope actions hidden in workflows), enable the LLM analysis layer:

llm:
  enabled: true
  provider: claude
  model: claude-sonnet-4-6
  api_key_env: ANTHROPIC_API_KEY

It runs asynchronously after the deterministic scan and never blocks a tool call. It analyzes flagged messages and suggests new rules.

What it does not do

  • It does not modify your MCP servers. The proxy is transparent.
  • It does not require cloud connectivity. Everything runs locally.
  • It does not need an LLM for core scanning. The 230 rules are deterministic.
  • It does not persist data outside your machine. SQLite file in ~/.oktsec/.

Numbers

  • 230 detection rules, 16 categories
  • 40ms average scan latency
  • 17 MCP clients auto-discovered
  • 844 tests, race detector on
  • Apache 2.0
