Skip to main content
Hooks intercept MCP tool calls to enforce security policies before execution. Unlike MCP Watch (which discovers configurations), Hooks actively control what shadow MCPs can do in real-time.

How It Works

When hooks are installed, they intercept MCP tool calls before execution:
  1. User invokes a tool — The AI assistant requests a tool call from a shadow MCP
  2. Hook intercepts — The call is captured before reaching the MCP server
  3. Policy evaluation — The call is checked against your organization’s policies
  4. Decision — The call is either:
    • Allowed — Proceeds to the MCP server normally
    • Blocked — Prevented and logged for security review
  5. Audit logging — All intercepted calls are logged for visibility

What Gets Intercepted

Hooks intercept tool calls from shadow MCP servers (those configured directly in the client, not through Runlayer). Tool calls to Runlayer-managed MCPs are handled by the Runlayer proxy and are not affected by hooks.

Supported Clients

ClientmacOSWindows
CursorComing soon
Additional client support is in active development. Check the Runlayer dashboard for the latest supported clients.

Installation

Installation Overview

Manual installation and MDM options

SimpleMDM

Deploy to macOS via SimpleMDM

Jamf Pro

Deploy to macOS via Jamf Pro

Shadow MCP Overview

Understanding the shadow MCP problem

MCP Watch

Discover shadow servers via scheduled scans

Policies

Configure access control policies

Audit Logs

View intercepted tool calls