Detect scans devices for MCP server configurations in supported client applications. Deploy via your MDM or run manually to discover shadow MCP servers across your organization.

How It Works

  1. Configuration Discovery: The Runlayer CLI reads MCP configuration files from known locations
  2. Secure Submission: Configuration data is securely submitted to Runlayer
  3. Classification: Runlayer classifies each server as:
    • Managed: Running through Runlayer (approved and monitored)
    • Shadow: Configured outside Runlayer (flagged for review)
  4. Alerting: Administrators and security teams are notified of newly discovered shadow servers

Security Team Workflow

  • Get visibility into all MCP servers across your organization
  • Identify which AI tools employees are using (Cursor, Claude, VS Code, etc.)
  • Build an inventory of shadow integrations for risk assessment
  • Track trends in MCP adoption over time
When shadow MCPs are discovered, evaluate:
  • Source: Is the MCP from a known vendor or unknown source?
  • Permissions: What data and systems can it access?
  • User context: Who configured it and for what purpose?
  • Network exposure: Does it connect to external endpoints?
Based on risk assessment:
  • Low risk: Migrate to Runlayer-managed MCP for visibility
  • Medium risk: Require user to submit for approval review
  • High risk: Immediate remediation via MDM policy or direct intervention
  • Risky: Incident response, credential rotation, forensic analysis
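
The evaluation questions above can be pre-screened from the configuration file itself. The following is an added example, not Runlayer's code or classification logic: it assumes the `mcpServers` JSON layout used by clients such as Cursor and Claude Desktop, and the `triage` function, finding labels, launcher list and sample configuration are all hypothetical.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample in the "mcpServers" layout (all names and hosts are made up).
SAMPLE_CONFIG = """
{"mcpServers": {
  "files": {"command": "npx", "args": ["-y", "example-fs-mcp", "/Users/alice"]},
  "tickets": {"url": "https://mcp.tickets.example/sse",
              "headers": {"Authorization": "Bearer PLACEHOLDER"}},
  "notes": {"command": "/opt/tools/notes-mcp", "env": {"NOTES_API_KEY": "PLACEHOLDER"}}
}}
"""

FETCHERS = {"npx", "uvx", "bunx", "pipx", "docker"}  # launchers that pull code at start
SECRET_NAME = re.compile(r"(key|token|secret|password|authorization)", re.I)
URL = re.compile(r"https?://[^\s\"']+")


def triage(config_text, internal_suffixes=()):
    """Return {server_name: [findings]} for one client configuration file."""
    servers = json.loads(config_text).get("mcpServers", {})
    report = {}
    for name, spec in servers.items():
        findings = []
        # Network exposure: an explicit remote URL, or URLs passed as arguments.
        urls = [spec["url"]] if "url" in spec else []
        urls += [u for a in spec.get("args", []) for u in URL.findall(str(a))]
        for u in urls:
            host = urlparse(u).hostname or ""
            if not host.endswith(tuple(internal_suffixes)):
                findings.append(f"external-endpoint:{host}")
        # Source: the launcher downloads a package at run time, not a fixed binary.
        cmd = re.split(r"[\\/]", str(spec.get("command", "")))[-1]
        if cmd in FETCHERS:
            findings.append(f"runtime-fetch:{cmd}")
        # Permissions: names of credentials handed to the server (values never reported).
        names = list(spec.get("env", {})) + list(spec.get("headers", {}))
        findings += [f"credential:{n}" for n in names if SECRET_NAME.search(n)]
        report[name] = findings
    return report


if __name__ == "__main__":
    for server, findings in triage(SAMPLE_CONFIG).items():
        print(server, findings or ["no-findings"])
```

Pass your own domain suffixes as `internal_suffixes` so that only endpoints outside them are reported as external.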

Supported Clients

Client | macOS | Windows | Plugins
Cursor
VS Code
Claude Desktop / Cowork
Claude Code
Windsurf
Goose
Zed

Deployment

MDM Deployment

Deploy Detect across your organization directly from the Runlayer dashboard:
  1. Navigate to Shadow MCPs: Go to Settings > Shadow MCPs in the Runlayer dashboard
  2. Configure Detect: Click Configure under the Detect section and select your MDM platform
  3. Follow the Setup Guide: The in-app setup guide provides the deployment script and configuration for your MDM. Copy the generated script and API key, then follow the instructions for your platform.

Manual Installation

For testing or individual device setup, run the CLI directly. Install the Runlayer CLI:
curl -LsSf https://astral.sh/uv/install.sh | sh
uvx runlayer --help
Configure credentials: Create an organization API key in the Runlayer dashboard (Settings > API Keys) with the Detect Scan role, then store it in the CLI:
uvx runlayer org-api-key add mcp-watch --secret rl_org_your_key_here --host https://your-instance.runlayer.com
Run a scan:
uvx runlayer scan --org-api-key mcp-watch

# Dry run - see what would be submitted without sending
uvx runlayer scan --org-api-key mcp-watch --dry-run

# Verbose output
uvx runlayer scan --org-api-key mcp-watch --verbose

Custom Integration

Use these modular components to build your own Detect integration when you need custom scheduling or deployment infrastructure. Install the CLI as a tool:
uv tool install runlayer
Example: Cron Job (macOS/Linux)
crontab -e

# Run daily at 9 AM
0 9 * * * /path/to/uvx runlayer scan
Example: Task Scheduler (Windows)
$action = New-ScheduledTaskAction -Execute "uvx" -Argument "runlayer scan"
$trigger = New-ScheduledTaskTrigger -Daily -At 9am
Register-ScheduledTask -TaskName "Detect Scan" -Action $action -Trigger $trigger

Viewing Results

After a scan, view discovered servers in the Runlayer dashboard:
  1. Navigate to Analytics
  2. The Shadow MCP section shows:
    • Total devices scanned
    • Managed vs. shadow servers
    • Newly discovered shadow servers

Resolving Unmatched Usernames

Detect automatically resolves device usernames to Runlayer users using tiered matching (email, name patterns, etc.). Some usernames may remain unresolved due to typos, missing users, or ambiguous matches. Administrators can manually match these usernames from the dashboard.
  1. Navigate to Shadow MCPs: Go to Settings > Shadow MCPs in the Runlayer dashboard
  2. Find Unresolved Usernames: Scroll to the Unresolved Usernames section below Detect Re-analysis. This section only appears when there are unresolved usernames.
  3. Match Usernames to Users: For each unresolved username, search for the correct user in the dropdown and click Match to link the username to that user. All devices associated with that username will be updated.
Manual username matches are recorded in the audit log, including the admin who performed the match, the username, the matched user, and the number of devices affected.