Runlayer just raised $11M to secure MCP, and I’m both relieved and alarmed

What Changed, and Why It Matters

Runlayer, a startup focused on securing the Model Context Protocol (MCP), launched from stealth with $11 million in seed funding led by Khosla Ventures’ Keith Rabois and Felicis. The company is pitching an all‑in‑one MCP security platform (gateway, threat detection, observability, enterprise automation, and granular permissions integrated with Okta/Entra) just as MCP becomes the default connective tissue between AI agents and enterprise systems. The business impact: if you’re moving agentic workflows into production, you now have a purpose‑built control plane to impose least‑privilege access, monitor tool calls, and block risky behavior before it hits core systems.

Runlayer says it has “dozens” of customers after four months, including eight unicorns or public companies, among them Gusto, Rippling, dbt Labs, Instacart, Opendoor, and Ramp. It also added David Soria Parra, the lead creator of MCP, as an angel investor and advisor. Pricing was not disclosed.

Key Takeaways

  • MCP adoption is surging across model vendors (OpenAI, Microsoft, AWS, Google) and enterprises, but the protocol leaves security to implementers—creating real gaps.
  • Runlayer’s bundle goes beyond a gateway: per‑request inspection, cross‑server observability, permission mapping to human identities, and a catalog of IT‑approved MCP servers.
  • Recent incidents (e.g., prompt‑injection‑driven data exfiltration from private GitHub repos; an Asana MCP server bug later patched) validate the need for runtime controls.
  • Competition exists (Cloudflare, Docker, Wiz, and startups such as Obot, which is open source), but most offerings stop at the gateway; the depth of MCP‑aware telemetry and policy is the differentiator to test.
  • Expect operational trade‑offs: added latency, integration complexity, and governance muscle required to avoid “security theater” around prompt injection.

Breaking Down the Announcement

Runlayer positions itself as a zero‑trust layer for AI agents using MCP. Core components:

  • Gateway: Identifies agents and brokers access to MCP servers so tool calls are mediated rather than direct.
  • Threat detection: Inspects every MCP request to flag or block risky tool invocations and data movements (e.g., anomalous read/write patterns, sensitive resource access).
  • Observability: Centralized audit trails across all MCP servers IT allows—who ran what tool, with what parameters, and what data moved.
  • Enterprise automation: A workspace for IT to publish vetted automations for business users, implying a controlled path from prototype to production workflows.
  • Granular permissions: Maps agent capabilities to the underlying human’s entitlements via Okta/Entra, enforcing least privilege by design.

The user experience mirrors an identity portal: business users see an Okta‑like catalog of pre‑vetted MCP servers, and agents inherit the same read/write permissions as the humans behind them. Founder Andrew Berman (previously Nanit; Vowel, acquired by Zapier in 2024) built early MCP servers at Zapier, which helps explain the product’s focus on operational guardrails over developer ergonomics alone. Advisors include Travis McPeak (Cursor) and Nikita Shamgunov (Neon).

Security Context: Why Now

MCP is an open protocol Anthropic released in late 2024 to give agents a common interface to tools and data. The spec has since added an OAuth 2.1‑based authorization flow for its HTTP transport, but that only establishes who the client is; what a tool may touch, what an agent may do once connected, and how tool inputs and outputs are sanitized still depend on each server’s implementation. As adoption spread, researchers demonstrated prompt‑injection attacks against MCP servers that leaked private GitHub repository data, and Asana disclosed and fixed a vulnerability in its MCP server that could have exposed customer data. These aren’t theoretical: MCP lets agents read, move, and modify data and execute business processes, so the blast radius of a misconfiguration or a prompt‑level attack is materially larger than that of a standard chat application.

Enterprises need agent‑aware identity, policy, and runtime controls. Standard network and API gateways help, but they generally lack MCP semantics: the JSON‑RPC method (tools/call versus resources/read), the tool name and its arguments, the resource URI, and which human the agent is acting for. Without those fields a policy can only say “this client may reach that host,” not “this agent may read these accounts but not issue refunds,” and misuse cannot be caught in real time.
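To make concrete what MCP semantics buy a policy layer, here is a small policy gate in Python, written for this article rather than taken from Runlayer or any other vendor. It reads raw MCP JSON‑RPC messages, distinguishes tools/call from resources/read and the discovery methods, looks each tool up in an approved catalog classified read/write/execute, checks the calling human’s entitlements (a constructed stand‑in for an Okta/Entra group sync), requires an approval token for execute‑class tools, and records an audit entry for every decision. The user names, scope names, tool names, the crm:// URI scheme and the approval‑token mechanism are all assumptions; the JSON‑RPC method names are MCP’s own.

```python
"""Minimal MCP-aware policy gate, added here as an illustration (not Runlayer's code).

It parses MCP JSON-RPC requests, maps the calling human's identity to
entitlements, classifies each tool as read/write/execute, and emits an audit
record for every decision. Identities, tools, scopes and URIs are constructed.
"""
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed identity-provider export: principal -> entitlements, the shape an
# Okta/Entra group sync would yield. Hypothetical users and scope names.
ENTITLEMENTS = {
    "alice@example.com": {"crm:read", "crm:write", "payments:write"},
    "bob@example.com": {"crm:read"},
}

# Constructed catalog of IT-approved tools: name -> (required scope, criticality).
TOOL_CATALOG = {
    "crm_search_accounts": ("crm:read", "read"),
    "crm_update_account": ("crm:write", "write"),
    "payments_issue_refund": ("payments:write", "execute"),
}

APPROVAL_REQUIRED = {"execute"}       # criticality levels that need a human approval

# Resource URI prefixes readable under each scope (constructed URI scheme).
RESOURCE_PREFIXES = {"crm:read": ("crm://accounts/",)}

# Discovery methods carry no business data; they are forwarded but still logged.
DISCOVERY_METHODS = {"initialize", "tools/list", "resources/list", "prompts/list"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict = field(default_factory=dict)


def _decide(allowed, reason, principal, method, target, params):
    """Build a Decision together with the audit record the observability layer keeps."""
    audit = {"principal": principal, "method": method, "target": target,
             "params": params, "allowed": allowed, "reason": reason}
    return Decision(allowed, reason, audit)


def evaluate(raw: str, principal: str, approval_token: Optional[str] = None) -> Decision:
    """Decide whether one MCP JSON-RPC request may be forwarded to the server."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return _decide(False, "malformed JSON", principal, None, None, None)
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0" or "method" not in msg:
        return _decide(False, "not a JSON-RPC 2.0 request", principal, None, None, None)

    method, params = msg["method"], msg.get("params") or {}
    if not isinstance(params, dict):          # MCP uses named params; reject positional ones
        return _decide(False, "params must be an object", principal, method, None, params)
    scopes = ENTITLEMENTS.get(principal, set())

    if method == "tools/call":
        name, args = params.get("name", ""), params.get("arguments", {})
        entry = TOOL_CATALOG.get(name)
        if entry is None:                     # unknown tool: not in the approved catalog
            return _decide(False, "tool not in approved catalog", principal, method, name, args)
        scope, criticality = entry
        if scope not in scopes:               # agent inherits only the human's entitlements
            return _decide(False, f"missing entitlement {scope}", principal, method, name, args)
        if criticality in APPROVAL_REQUIRED and not approval_token:
            return _decide(False, f"{criticality} tool requires human approval",
                           principal, method, name, args)
        return _decide(True, "allowed", principal, method, name, args)

    if method == "resources/read":
        uri = params.get("uri", "")
        for scope, prefixes in RESOURCE_PREFIXES.items():
            if scope in scopes and uri.startswith(prefixes):
                return _decide(True, "allowed", principal, method, uri, None)
        return _decide(False, "resource outside entitled prefixes", principal, method, uri, None)

    if method in DISCOVERY_METHODS:
        return _decide(True, "discovery", principal, method, None, None)

    return _decide(False, f"method {method} not permitted", principal, method, None, None)


def deny_response(msg_id, reason: str) -> str:
    """JSON-RPC error returned to the client in place of the server's reply.
    -32000 lies in the range JSON-RPC reserves for implementation-defined server errors."""
    return json.dumps({"jsonrpc": "2.0", "id": msg_id,
                       "error": {"code": -32000, "message": f"policy denied: {reason}"}})


if __name__ == "__main__":
    req = json.dumps({"jsonrpc": "2.0", "id": 7, "method": "tools/call",
                      "params": {"name": "crm_update_account", "arguments": {"id": 42}}})
    for who in ("alice@example.com", "bob@example.com"):
        d = evaluate(req, who)
        print(who, "->", "forward" if d.allowed else deny_response(7, d.reason))
```

With a real Okta/Entra group export in place of ENTITLEMENTS, this is the least‑privilege mapping the article describes: the agent can do exactly what the human behind it could, and nothing the catalog has not approved. Note what the gate does not see: the tool’s response on the way back. Output inspection and egress filtering are a separate control.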

Competitive Angle: Fit and Trade‑offs

Compared with gateway‑centric offerings from Cloudflare, Docker, and Wiz, Runlayer’s pitch is depth of MCP awareness and integrated telemetry. If you already standardize on a security vendor, verify whether they parse MCP tool schemas, enforce least‑privilege at the resource level, and provide full auditability of agent actions. Most won’t—yet.

Open source options like Obot are attractive for cost and control, but require in‑house security engineering to achieve production‑grade observability, policy, and identity mapping at scale. Runlayer consolidates these layers, but introduces platform risk (vendor lock‑in, coverage gaps across diverse MCP servers and clients) and potential latency from in‑line inspection. Plan to benchmark end‑to‑end agent workflows; even tens to hundreds of milliseconds per call can add seconds across multi‑step automations.

What This Changes for Operators

If your agents can alter records, initiate payments, or trigger workflows, you need an MCP‑aware policy and audit layer before wider rollout. Runlayer offers a faster path than stitching together a generic API gateway, SIEM, and custom policy engine. That said, no gateway eliminates prompt injection or spec‑level oversights; you still need content filters, approval steps for destructive actions, and continuous red teaming of tool prompts and agent planning.

Recommendations

  • Inventory and classify MCP assets: catalog all MCP servers, tools, clients, and connected systems. Assign data sensitivity and action criticality (read, write, execute).
  • Enforce least privilege via identity: map agent rights to human entitlements with Okta/Entra groups; prohibit shared or service accounts without scoped tokens and rotation.
  • Pilot a control plane: evaluate Runlayer alongside existing vendors on three metrics—policy coverage (tool/resource‑level), telemetry depth (per‑request lineage), and latency impact.
  • Embed safety in workflows: require human approvals for high‑risk tool calls, add egress filters and DLP on outputs, and implement kill‑switches per agent and per server.
  • Operationalize audits: stream MCP events to your SIEM, define detection rules for anomalous tool usage, and schedule quarterly red‑team exercises targeting MCP servers.
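As an added example (not Runlayer’s or any vendor’s code) of the last recommendation, the following Python turns three patterns this article mentions into detection rules over an audit event stream: a private read followed shortly by a public write in the same agent session (the shape of the GitHub exfiltration incident), repeated policy denials by one principal (probing the policy), and a burst of reads (bulk extraction). The event lines are constructed, their field names (principal, session, tool, action, sensitivity, allowed) are an assumed gateway schema rather than a vendor’s, and the thresholds are starting points to tune against your own baseline.

```python
"""Detection rules over an MCP audit event stream (added illustration, not vendor code).

Each event is one JSON line in an assumed gateway-audit schema: who acted, in
which agent session, with which tool, whether it read or wrote, the data's
sensitivity label, and whether the policy layer allowed it.
"""
import json
from collections import defaultdict, deque

PRIVATE_TO_PUBLIC_WINDOW = 300    # seconds between a private read and a public write
DENIAL_WINDOW, DENIAL_THRESHOLD = 600, 3
BURST_WINDOW, BURST_THRESHOLD = 60, 20


def _ev(ts, principal, session, tool, action, sensitivity, allowed=True):
    """Constructed audit line (hypothetical field names)."""
    return json.dumps({"ts": ts, "principal": principal, "session": session, "tool": tool,
                       "action": action, "sensitivity": sensitivity, "allowed": allowed})


SAMPLE_EVENTS = [
    # s1: the agent reads a private repo file, then files a public issue 40 s later.
    _ev(100, "alice@example.com", "s1", "repo_read_file", "read", "private"),
    _ev(140, "alice@example.com", "s1", "repo_create_issue", "write", "public"),
    # s2: same two tools, but the public write comes an hour later: outside the window.
    _ev(200, "bob@example.com", "s2", "repo_read_file", "read", "private"),
    _ev(3800, "bob@example.com", "s2", "repo_create_issue", "write", "public"),
    # carol: three denied refund calls within 60 s, which looks like probing the policy.
    *[_ev(500 + 30 * i, "carol@example.com", "s3", "payments_issue_refund",
          "execute", "private", allowed=False) for i in range(3)],
    # dave: 25 CRM reads in 50 s.
    *[_ev(1000 + 2 * i, "dave@example.com", "s4", "crm_search_accounts", "read", "internal")
      for i in range(25)],
]


def _window_count(times: deque, now: float, window: float) -> int:
    """Drop timestamps older than the window and return how many remain."""
    while times and now - times[0] > window:
        times.popleft()
    return len(times)


def detect(event_lines):
    """One forward pass over the events in timestamp order; returns a list of alerts.
    Count-based rules fire exactly once, when the count first reaches the threshold."""
    events = sorted((json.loads(line) for line in event_lines if line.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    last_private_read = {}          # session -> ts of the most recent private read
    denials = defaultdict(deque)    # principal -> timestamps of denied calls
    reads = defaultdict(deque)      # principal -> timestamps of allowed reads

    for e in events:
        p, s, ts = e["principal"], e["session"], e["ts"]
        if not e["allowed"]:
            denials[p].append(ts)
            if _window_count(denials[p], ts, DENIAL_WINDOW) == DENIAL_THRESHOLD:
                alerts.append({"rule": "policy_probe", "principal": p, "ts": ts})
            continue
        if e["action"] == "read":
            if e["sensitivity"] == "private":
                last_private_read[s] = ts
            reads[p].append(ts)
            if _window_count(reads[p], ts, BURST_WINDOW) == BURST_THRESHOLD:
                alerts.append({"rule": "read_burst", "principal": p, "ts": ts})
        elif e["action"] == "write" and e["sensitivity"] == "public":
            t0 = last_private_read.get(s)
            if t0 is not None and ts - t0 <= PRIVATE_TO_PUBLIC_WINDOW:
                alerts.append({"rule": "private_to_public", "principal": p,
                               "session": s, "tool": e["tool"], "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Because detect() takes any iterable of lines, detect(open("mcp-audit.jsonl")) runs the same rules over a file exported from the gateway; in a SIEM the three rules map onto a sequence rule, a count‑by‑principal rule, and a rate rule respectively. The private‑to‑public rule is the one worth the most tuning effort: it needs sensitivity labels on both the source tool and the sink tool, which is exactly the classification the first recommendation asks for.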

Bottom line: MCP is quickly becoming the backbone of enterprise agent integrations, and its security posture depends on you. Runlayer’s integrated approach will appeal to teams that want an MCP‑native guardrail layer now. Validate depth over demos, measure latency, and prove least‑privilege enforcement before scaling to mission‑critical automations.

