How It Works
- Configuration Discovery: The Runlayer CLI reads MCP configuration files from known locations
- Secure Submission: Configuration data is securely submitted to Runlayer
- Classification: Runlayer classifies each server as:
- Managed: Running through Runlayer (approved and monitored)
- Shadow: Configured outside Runlayer (flagged for review)
- Alerting: Administrators and security teams are notified of newly discovered shadow servers
Security Team Workflow
Discovery and Inventory
Discovery and Inventory
- Get visibility into all MCP servers across your organization
- Identify which AI tools employees are using (Cursor, Claude, VS Code, etc.)
- Build an inventory of shadow integrations for risk assessment
- Track trends in MCP adoption over time
Risk Assessment
Risk Assessment
When shadow MCPs are discovered, evaluate:
- Source: Is the MCP from a known vendor or unknown source?
- Permissions: What data and systems can it access?
- User context: Who configured it and for what purpose?
- Network exposure: Does it connect to external endpoints?
Response Actions
Response Actions
Based on risk assessment:
- Low risk: Migrate to Runlayer-managed MCP for visibility
- Medium risk: Require user to submit for approval review
- High risk: Immediate remediation via MDM policy or direct intervention
- Malicious: Incident response, credential rotation, forensic analysis
Supported Clients
| Client | macOS | Windows |
|---|---|---|
| Cursor | ✓ | ✓ |
| VS Code | ✓ | ✓ |
| Claude Desktop | ✓ | ✓ |
| Claude Code | ✓ | ✓ |
| Windsurf | ✓ | ✓ |
| Goose | ✓ | ✓ |
| Zed | ✓ | ✓ |