Overview
The riskiest things in your fleet right now: open findings by severity, top servers, and OWASP Agentic Top 10 exposure.
Top 5 riskiest servers
View all 128Protection coverage
Coverage
96%
137 of 142 checks enabled · +38 Pro detections available
Top 5 disabled checks
Suggested policies
Open Inbox →87%
Promote insecure-transport check to Block
87% of top-quartile fleets enforce TLS on network MCPs at block-self approval or stricter. You're on Alert.
72%
Enable filesystem path-allowlist enforcement
Most peer fleets block `..` traversal at the scanner level rather than relying on runtime sandboxing.
64%
Suppress legacy template-injection rule
64% of fleets running Jinja-free MCPs suppress this with a 'compensating-control' reason.
41%
Bind tool-count cap per agent
Agents bound to ≤24 tools have 38% lower blast-radius scores in incident retrospectives.
Top detections, last 30 days
Open in Findings →Top detections · 24h
hits across the fleetcheck.mcp.unbound_token142
check.tool.path_allowlist96
check.prompt.injection74
check.transport.stdio_preferred58
check.tool.unauthorized38
check.data.pii_leakage12
Posture summary
Worst-day decisions8 days ago · 5× normal
187Best-day decisions5 days ago · weekend
14Median session lengthacross 47 active agents
22mCoverage driftrule pack vs. prod observations
-2.1%