Detect scans devices for MCP server configurations in supported client applications. Deploy via your MDM or run manually to discover shadow MCP servers across your organization.

How It Works

  1. Configuration Discovery: The Runlayer CLI reads MCP configuration files from known locations
  2. Secure Submission: Configuration data is securely submitted to Runlayer
  3. Classification: Runlayer classifies each server as:
    • Managed: Running through Runlayer (approved and monitored)
    • Shadow: Configured outside Runlayer (flagged for review)
  4. Alerting: Administrators and security teams are notified of newly discovered shadow servers

Security Team Workflow

  • Get visibility into all MCP servers across your organization
  • Identify which AI tools employees are using (Cursor, Claude, VS Code, etc.)
  • Build an inventory of shadow integrations for risk assessment
  • Track trends in MCP adoption over time

When shadow MCPs are discovered, evaluate:
  • Source: Is the MCP from a known vendor or unknown source?
  • Permissions: What data and systems can it access?
  • User context: Who configured it and for what purpose?
  • Network exposure: Does it connect to external endpoints?

Based on risk assessment:
  • Low risk: Migrate to Runlayer-managed MCP for visibility
  • Medium risk: Require user to submit for approval review
  • High risk: Immediate remediation via MDM policy or direct intervention
  • Malicious: Incident response, credential rotation, forensic analysis
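
One way to run the evaluation checklist above against a single client configuration before assigning a risk tier (an added example, not Runlayer's code or its classification logic). It assumes the `mcpServers` JSON layout used by clients such as Claude Desktop and Cursor; the sample config, the runner list and the secret-name hints are constructed for illustration.

```python
import json
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Constructed sample in the "mcpServers" layout; every name and host is made up.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "local-files": {"command": "/usr/local/bin/files-mcp", "args": ["--root", "/tmp"]},
    "notes": {"command": "npx", "args": ["-y", "example-notes-mcp"],
              "env": {"NOTES_API_TOKEN": "placeholder"}},
    "remote-crm": {"url": "https://mcp.example.com/sse"},
    "dev-proxy": {"url": "http://localhost:8080/mcp"}
  }
}
"""

RUNNERS = {"npx", "uvx", "bunx", "pipx"}  # assumption: launchers that fetch packages on demand
SECRET_HINTS = ("TOKEN", "KEY", "SECRET", "PASSWORD")  # assumption: name-based heuristic
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def triage(config_text):
    """Return {server name: [findings]} for one client's MCP configuration."""
    servers = json.loads(config_text).get("mcpServers", {})
    report = {}
    for name, spec in servers.items():
        findings = []
        # Network exposure: a URL whose host is not the local device.
        host = urlparse(spec.get("url") or "").hostname
        if host and host not in LOOPBACK:
            findings.append(f"network: external endpoint {host}")
        # Source: package runners pull code at launch, so provenance needs review.
        # PureWindowsPath splits on both "/" and "\\" and drops ".cmd"/".exe".
        launcher = PureWindowsPath(spec.get("command") or "").stem.lower()
        if launcher in RUNNERS:
            findings.append(f"source: fetched at launch via {launcher}")
        # Permissions: credentials handed to the server; report names, never values.
        secrets = sorted(k for k in (spec.get("env") or {})
                         if any(h in k.upper() for h in SECRET_HINTS))
        if secrets:
            findings.append("permissions: credentials in env: " + ", ".join(secrets))
        report[name] = findings
    return report


if __name__ == "__main__":
    for server, findings in triage(SAMPLE_CONFIG).items():
        print(server, "->", findings or ["no findings"])
```

An empty findings list only means none of these three heuristics fired; user context still has to be established by asking whoever configured the server.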

Supported Clients

Client    macOS    Windows
Cursor
VS Code
Claude Desktop
Claude Code
Windsurf
Goose
Zed

Deployment

MDM Deployment

Deploy Detect across your organization directly from the Runlayer dashboard:
  1. Navigate to Shadow MCPs: Go to Settings > Shadow MCPs in the Runlayer dashboard
  2. Configure Detect: Click Configure under the Detect section and select your MDM platform
  3. Follow the Setup Guide: The in-app setup guide provides the deployment script and configuration for your MDM. Copy the generated script and API key, then follow the instructions for your platform.

Manual Installation

For testing or individual device setup, run the CLI directly.

Install the Runlayer CLI (the first command installs uv, which provides uvx):

curl -LsSf https://astral.sh/uv/install.sh | sh
uvx runlayer --help

Configure credentials: Create an organization API key in the Runlayer dashboard (Settings > API Keys) with the Detect Scan role, then store it in the CLI:

uvx runlayer org-api-key add mcp-watch --secret rl_org_your_key_here --host https://app.runlayer.com

Run a scan:

uvx runlayer scan --org-api-key mcp-watch

# Dry run - see what would be submitted without sending
uvx runlayer scan --org-api-key mcp-watch --dry-run

# Verbose output
uvx runlayer scan --org-api-key mcp-watch --verbose

Custom Integration

Use these modular components to build your own Detect integration when you need custom scheduling or deployment infrastructure.

Install the CLI as a tool:

uv tool install runlayer

Example: Cron Job (macOS/Linux)

crontab -e

# Run daily at 9 AM
0 9 * * * /path/to/uvx runlayer scan

Example: Task Scheduler (Windows)

$action = New-ScheduledTaskAction -Execute "uvx" -Argument "runlayer scan"
$trigger = New-ScheduledTaskTrigger -Daily -At 9am
Register-ScheduledTask -TaskName "Detect Scan" -Action $action -Trigger $trigger

Viewing Results

After a scan, view discovered servers in the Runlayer dashboard:
  1. Navigate to Analytics
  2. The Shadow MCP section shows:
    • Total devices scanned
    • Managed vs. shadow servers
    • Newly discovered shadow servers