Every third-party MCP call is an unaudited attack surface.
Bindfort is the security gateway for the agent era. Supply-chain scanning, sandboxed execution, and signed proof-of-execution — binding every call between your agents and every MCP server.
"Defenses are predominantly tool-centric with persistent gaps at host orchestration, transport, and supply-chain layers — architectural misalignment, not bugs."
— MCP-DPT · arXiv 2604.07551, April 2026. The paper that set the research agenda Bindfort implements.
Six layers of defense for the agent stack
Each layer maps to a published attack class. Each is inspectable, overridable, and runs at microsecond latency inside your own infrastructure.
Supply-chain scanner
Every registered MCP server is fingerprinted and cross-referenced against OSV, NVD, and GHSA in real time. Critical findings halt traffic instantly, with override policies for audited exceptions.
Sandboxed execution
Every MCP server runs in a namespaced syscall sandbox with seccomp filters. Network, filesystem, and process access is scoped per tool — zero lateral movement when a server is compromised.
Description poisoning
Pattern-matches documented prompt-injection vectors in tool descriptions before they reach your agent's context window. Blocks the class of attack that jailbreaks the LLM, not just the network.
Rugpull detection
SHA-256 binary hashes are bound at registration time. Any silent update — the classic supply-chain rugpull — triggers immediate quarantine and a signed alert to your SIEM.
Signed proof-of-execution
Every tool call returns a signed receipt bound to its inputs, outputs, and timestamp. Agents can't hallucinate results — the signature proves the call actually happened and returned what is claimed. The internal chain uses HMAC-SHA256; customer verification uses ed25519 public keys.
Compliance-ready audit
Tamper-evident audit log chains every tool call with cryptographic linking. Exports to Splunk, Datadog, and Elastic. Maps to SOC 2 CC6/CC7 criteria and supports EU AI Act high-risk system logging requirements.
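The receipt chain described under Signed proof-of-execution and Compliance-ready audit, as an added Go example that is not Bindfort's code: a constructed Receipt record is tagged with HMAC-SHA256 over its tool name, inputs, outputs, timestamp and the previous receipt's tag, and Verify re-derives the whole chain so that any edited field or broken link is reported by index. The Receipt fields, the JSON encoding and the demo key are assumptions, not Bindfort's wire format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
)

// Receipt is a constructed proof-of-execution record; Bindfort's real format is not on the page.
type Receipt struct {
	Tool      string `json:"tool"`
	Input     string `json:"input"`
	Output    string `json:"output"`
	Timestamp int64  `json:"ts"`
	PrevMAC   []byte `json:"prev_mac"` // link to the previous receipt's MAC
	MAC       []byte `json:"mac"`      // HMAC-SHA256 over the fields above
}

// mac tags the receipt with HMAC-SHA256 over its canonical JSON (MAC cleared),
// so inputs, outputs, timestamp and the chain link are all bound by the tag.
func mac(key []byte, r Receipt) []byte {
	r.MAC = nil
	body, _ := json.Marshal(r) // fixed struct field order gives canonical bytes
	h := hmac.New(sha256.New, key)
	h.Write(body)
	return h.Sum(nil)
}

// Append signs a new receipt and links it to the current chain head.
func Append(key []byte, chain []Receipt, tool, in, out string, ts int64) []Receipt {
	r := Receipt{Tool: tool, Input: in, Output: out, Timestamp: ts}
	if n := len(chain); n > 0 {
		r.PrevMAC = chain[n-1].MAC
	}
	r.MAC = mac(key, r)
	return append(chain, r)
}

// Verify re-derives every MAC and checks each PrevMAC against its predecessor.
// Returns the index of the first bad receipt, or -1 if the chain is intact.
func Verify(key []byte, chain []Receipt) int {
	var prev []byte
	for i, r := range chain {
		if !hmac.Equal(r.PrevMAC, prev) || !hmac.Equal(r.MAC, mac(key, r)) {
			return i
		}
		prev = r.MAC
	}
	return -1
}
```

Silently dropping the newest receipts is not visible from the chain alone; the verifier also needs the expected head, which is where an ed25519-signed checkpoint of the kind the page mentions for customer verification fits.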
The MCP protocol gave every AI agent the keys to every tool.
Nobody gave the tools a reason to trust the agent.
— The core asymmetry Bindfort exists to fix
Not another MCP gateway.
The security layer they forgot.
Kong, IBM, Microsoft, and Cloudflare all ship MCP gateways. They solve routing. Bindfort solves the security layer — the one every other gateway assumes somebody else handles.
| Kong · IBM · Microsoft · Cloudflare | Bindfort |
| --- | --- |
| Route traffic. Issue tokens. Rate-limit requests. | Everything gateways do — plus active defense |
| No supply-chain scanning — CVEs slip through | Inline CVE scanning against OSV, NVD, GHSA |
| Trust tool descriptions from any registry | Detects 10 tool-description injection patterns |
| No binary integrity checks — rugpulls pass through | SHA-256-binds binaries — catches rugpulls in 1 call |
| Logs are log-shaped, not audit-grade | HMAC-signed receipts, tamper-evident, audit-ready |
| Built on Python or Kubernetes — latency tax | Single Go binary · 11µs overhead · runs anywhere |
Agent traffic never leaves your infrastructure. Bindfort calls home only for CVE feed updates and signed alert delivery. Your data stays yours.
Built on peer-reviewed security research
Every Bindfort defense maps directly to a published attack taxonomy. We don't guess at threats — we implement the countermeasures researchers document.
MCP-DPT: Dynamic Policy Transformation for MCP
"Defenses are predominantly tool-centric with persistent gaps at host orchestration, transport, and supply-chain layers."
Enterprise MCP Security: A Survey
Maps the full MCP threat landscape across auth, transport, tool supply chain, and agent orchestration.
AgenticCyOps: Threat Modeling for Agentic Ops
Formalizes the attack surface unique to agents that orchestrate external tools at runtime.
MCP Landscape & Threats
Establishes the core threat taxonomy: rugpulls, description poisoning, and transport-layer attacks.
Questions security teams always ask
How is this different from Kong, IBM ContextForge, or Microsoft MCP Gateway?
Those are routing gateways. They forward MCP traffic and handle auth. Bindfort is a security gateway — we assume the traffic is hostile until proven otherwise.
Supply-chain scanning, sandboxing, rugpull detection, and proof-of-execution are core features, not add-ons. We're also built in Go instead of Python or K8s-native, so overhead is ~11µs versus 1–5ms for most alternatives.
Will this slow down my agents?
Proxy overhead is ~11µs p50 / ~38µs p99 per call, measured on a single c7i.large with 512-byte payloads over local TCP at 5,000 req/sec sustained. That's lower than the network jitter between your agent and the MCP server.
CVE scanning runs out-of-band at registration time, not per-call. Full benchmark methodology and reproduction scripts will ship with v1.0.
What happens if a CVE is found in production?
Bindfort blocks traffic to the affected MCP server immediately. You get a Slack or PagerDuty alert with the CVE ID, CVSS score, and affected tool list.
Override policies let you allow specific CVEs with sign-off if the business context requires it — every override is audit-logged with the approver's identity.
Can I run this on-premises or air-gapped?
Yes. All tiers are self-hostable. Air-gapped mode uses offline CVE databases that can be updated via signed bundles. Common with defense, healthcare, and financial customers.
What MCP clients and servers do you support?
Any MCP-compliant client — Claude Desktop, Cursor, Copilot, Cline, custom agents — and any server using stdio, SSE, HTTP, or WebSocket transports. We're protocol-level compatible with the full MCP specification, including tool, resource, and prompt primitives.
How do I migrate from an existing gateway?
Bindfort runs as a sidecar in front of an existing gateway — point your agent clients at Bindfort, point Bindfort at your current gateway as an upstream. Zero rewrite, full observability, and you can rip out the old gateway once you're comfortable.
Is it open-source?
The CLI scanner is Apache 2.0 on GitHub — free forever. The gateway itself is source-available but commercially licensed. This is the modern security product model: you can audit the code, but production deployment requires a license.
Do you have SOC 2?
SOC 2 Type I audit is scheduled for Q4 2026. Type II expected Q2 2027. The product itself is audit-ready — tamper-evident logs, HMAC receipts, and access controls that map to SOC 2 CC6 and CC7 criteria.
For self-hosted deployments, most customers don't need our SOC 2 — your data never leaves your VPC.
How many do you actually trust?
Self-hosted. License-based. Production-grade from the first deploy.
No credit card · Priority onboarding for design partners