Skip to content
Offline · no cloud sync

Top 5 riskiest servers

View all 128
ServerCritHighMedRisk score

OWASP Agentic Top 10 exposure

LLM01Prompt injection
42LLM02Insecure output handling
28LLM06Sensitive info disclosure
61LLM07Insecure plugin design
34LLM08Excessive agency
18
Injection & manipulationData exposureAgency & access

Protection coverage

Coverage
96%
137 of 142 checks enabled · +38 Pro detections available
Top 5 disabled checks

Suggested policies

Open Inbox →
87%
Promote insecure-transport check to Block
87% of top-quartile fleets enforce TLS on network MCPs at block-self approval or stricter. You're on Alert.
72%
Enable filesystem path-allowlist enforcement
Most peer fleets block `..` traversal at the scanner level rather than relying on runtime sandboxing.
64%
Suppress legacy template-injection rule
64% of fleets running Jinja-free MCPs suppress this with a 'compensating-control' reason.
41%
Bind tool-count cap per agent
Agents bound to ≤24 tools have 38% lower blast-radius scores in incident retrospectives.

Top detections · 24h

hits across the fleet
check.mcp.unbound_token
142
check.tool.path_allowlist
96
check.prompt.injection
74
check.transport.stdio_preferred
58
check.tool.unauthorized
38
check.data.pii_leakage
12

Posture summary

Worst-day decisions8 days ago · 5× normal
187
Best-day decisions5 days ago · weekend
14
Median session lengthacross 47 active agents
22m
Coverage driftrule pack vs. prod observations
-2.1%
GrantLock Posture — Pre-runtime control plane for agentic AI