MCP Gateway
Secure every AI agent tool call
Your AI agents make tool calls with your credentials. CitrusGlaze's MCP Gateway evaluates every call against guardrails, Cedar policies, and secret detection — in under 10ms, 100% locally.
MCP servers are everywhere. Security isn't.
Thousands of MCP servers are live. Your agents connect to them with your credentials. Most security teams have no visibility into what's happening.
Three security layers. One tool call.
Every tool call passes through three independent security checks before execution. If any layer blocks, the agent gets a clear explanation of why.
evaluate_tool_call
Check whether a tool call should be allowed, denied, or held for approval. Evaluates against MCPAnalyzer (dangerous patterns, blocked tools), Warden guardrails, and the Cedar policy engine. Blocks `rm -rf /`, `DROP TABLE`, `TerminateInstances`, and more, and returns the reason for every block.
check_secret
Scan any content for secrets, credentials, API keys, and PII before it leaves your machine. 349+ patterns detect AWS keys, database URIs, private keys, JWTs, and more. Returns severity, type, and recommended action.
check_destination
Verify network destinations against the allowlist before any outbound connection. Blocks cloud instance metadata endpoints (169.254.169.254), known exfiltration services (webhook.site), and unknown hosts. Permits known AI providers.
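To make the three checks concrete, here is a constructed stand-in for evaluate_tool_call, check_secret and check_destination. It is example code written for this page, not CitrusGlaze's implementation: the rule lists, host lists, verdict names (`allow`/`deny`/`approve`) and argument shapes are assumptions, and the pattern set is a small subset rather than the 349+ patterns the engine ships.

```python
"""Constructed stand-in for the three gateway checks described on this page.
Illustrative code, not CitrusGlaze's own implementation: rule lists, host
lists, verdict names and argument shapes are assumptions."""
import ipaddress
import re
import shlex
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Verdict:
    decision: str            # "allow", "deny" or "approve"
    reason: str              # returned to the agent so it can adapt
    findings: list = field(default_factory=list)


# --- evaluate_tool_call: analyzer layer for dangerous patterns (constructed rules) ---
SHELL_SEPARATORS = {"&&", "||", ";", "|"}
SQL_DESTRUCTIVE = re.compile(r"\b(DROP\s+(TABLE|DATABASE|SCHEMA)|TRUNCATE\s+TABLE)\b", re.I)
AWS_DESTRUCTIVE = {"TerminateInstances", "DeleteBucket", "DeleteDBInstance"}
APPROVAL_TOOLS = {"send_email"}   # communication tools go to a human first


def _rm_targets_root(command: str) -> bool:
    """True if any rm in the command line is recursive and aimed at / or /*.
    Tokenising with shlex (not a regex) survives sudo, chained commands and
    reordered flags such as `rm --no-preserve-root -fr /`."""
    try:
        tokens = shlex.split(command)
    except ValueError:            # unbalanced quotes: refuse to guess, treat as dangerous
        return True
    for i, tok in enumerate(tokens):
        if tok != "rm" and not tok.endswith("/rm"):
            continue
        recursive = root = False
        for arg in tokens[i + 1:]:
            if arg in SHELL_SEPARATORS:
                break
            if arg == "--recursive" or (arg.startswith("-") and not arg.startswith("--") and "r" in arg.lower()):
                recursive = True
            if arg in ("/", "/*"):
                root = True
        if recursive and root:
            return True
    return False


def evaluate_tool_call(tool: str, args: dict) -> Verdict:
    """Allow, deny or hold one tool call, always with a reason."""
    if tool == "bash" and _rm_targets_root(args.get("command", "")):
        return Verdict("deny", "bash: recursive rm of the filesystem root is a destructive filesystem operation")
    if tool == "sql" and (m := SQL_DESTRUCTIVE.search(args.get("query", ""))):
        return Verdict("deny", f"sql: {m.group(0).upper()} is a destructive database operation")
    if tool == "aws" and args.get("action") in AWS_DESTRUCTIVE:
        return Verdict("deny", f"aws: {args['action']} destroys cloud infrastructure")
    if tool in APPROVAL_TOOLS:
        return Verdict("approve", f"{tool}: communication tools require human approval")
    # Arguments leave the machine with the call, so they get the secret scan too.
    # A real gateway would also consult guardrails and Cedar policy at this point.
    leaks = check_secret(" ".join(str(v) for v in args.values()))
    return leaks if leaks.decision != "allow" else Verdict("allow", "no dangerous pattern matched")


# --- check_secret: pattern-based credential detection (constructed subset) ---
SECRET_PATTERNS = [
    ("aws_access_key_id", "high", re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")),
    ("private_key", "critical", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("jwt", "medium", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")),
    ("database_uri_with_password", "high",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s/:@]+:[^\s@]+@\S+", re.I)),
]


def check_secret(content: str) -> Verdict:
    """Scan text for credentials; report type, severity and the recommended action."""
    findings = [{"type": name, "severity": sev, "match": m.group(0)[:8] + "..."}   # truncated: do not re-leak
                for name, sev, pat in SECRET_PATTERNS for m in pat.finditer(content)]
    if any(f["severity"] in ("high", "critical") for f in findings):
        return Verdict("deny", "content contains credentials; redact before sending", findings)
    if findings:
        return Verdict("approve", "possible token found; confirm it is not sensitive", findings)
    return Verdict("allow", "no secrets detected")


# --- check_destination: allowlist with metadata and exfiltration denies first ---
ALLOWED_HOSTS = {"api.openai.com", "api.anthropic.com"}     # assumed "known AI providers"
EXFIL_HOSTS = {"webhook.site"}                              # the page says "webhook.site, etc."
METADATA_HOSTS = {"metadata.google.internal", "metadata"}   # metadata reached by name, not only by IP
METADATA_NETS = [ipaddress.ip_network(n) for n in ("169.254.0.0/16", "fe80::/10", "fd00:ec2::254/128")]


def _host_matches(host: str, names: set) -> bool:
    # Exact or dot-suffix match only, so "api.openai.com.evil.example" is not "api.openai.com".
    return host in names or any(host.endswith("." + n) for n in names)


def check_destination(url: str) -> Verdict:
    """Decide whether an outbound connection to the host in `url` may proceed."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower().rstrip(".")
    ip = None
    try:   # dotted, IPv6, IPv4-mapped ("::ffff:169.254.169.254") and bare-integer ("2852039166") forms
        ip = ipaddress.ip_address(int(host) if host.isdigit() else host)
        ip = getattr(ip, "ipv4_mapped", None) or ip
    except ValueError:
        pass                                                # a hostname, not an address
    if (ip is not None and any(ip in net for net in METADATA_NETS)) or _host_matches(host, METADATA_HOSTS):
        return Verdict("deny", f"{host}: cloud instance metadata endpoint")
    if _host_matches(host, EXFIL_HOSTS):
        return Verdict("deny", f"{host}: known exfiltration service")
    if _host_matches(host, ALLOWED_HOSTS):
        return Verdict("allow", f"{host}: allowlisted provider")
    return Verdict("deny", f"{host}: not on the destination allowlist")
```

Two details matter more than the pattern lists. The shell check parses the command instead of grepping for the literal `rm -rf /`, so `sudo rm --no-preserve-root -fr /` and `echo ok && rm -rf /*` are caught while `rm -rf /tmp/build` passes. The destination check normalises the host to an IP before comparing it with the metadata ranges, so the integer form `http://2852039166/` and the IPv4-mapped IPv6 form reach the same deny as the dotted address, and the allowlist uses exact or dot-suffix matching so a lookalike domain cannot borrow a provider's name as a prefix.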
Add one line to your agent config
CitrusGlaze runs as an MCP server. Add it to your agent's configuration and every tool call gets evaluated automatically.
Configure
Add CitrusGlaze as an MCP server in your agent's config. One line, no infrastructure.
Define policies
Write Cedar policies to control which tools can do what. Hot-reload — no restart needed.
Every call secured
Every tool call evaluated in <10ms. Blocked calls include a reason so the agent can adapt.
What it catches
BLOCKED
- ✗ bash `rm -rf /`: destructive filesystem operations
- ✗ sql `DROP TABLE users`: destructive database operations
- ✗ aws `TerminateInstances`: cloud infrastructure destruction
- ✗ Content containing AWS keys, database URIs, private keys
- ✗ Connections to cloud metadata endpoints (169.254.169.254)
- ✗ Connections to exfiltration services (webhook.site, etc.)
ALLOWED
- ✓ read_file `/tmp/test.txt`: safe read operations
- ✓ Clean content with no secrets or credentials
- ✓ Connections to known AI providers (api.openai.com, etc.)
- ✓ Tool calls matching Cedar policy allow rules
REQUIRES APPROVAL
- ⚠ send_email: communication tools
- ⚠ External API calls to unknown services
How it compares
| Capability | CitrusGlaze | Other MCP Gateways |
|---|---|---|
| Data processing | 100% local | Cloud-processed |
| Tool call evaluation | 3-layer (guardrails + Cedar + analyzer) | Server-level block/allow |
| Secret scanning | 349+ patterns, inline | SLM-based classification |
| Destination validation | Allowlist + metadata deny | Not available |
| Policy engine | Cedar (declarative, hot-reload) | UI-based rules |
| Agent coaching | Returns reason on block | Returns reason on block |
| Latency | <10ms | Milliseconds (cloud round-trip) |
Part of the 9-stage pipeline
The MCP Gateway uses the same security engine that powers the full CitrusGlaze proxy.
1. AppIdentification: source app from SNI/process info
2. CedarPolicy: evaluate action (may block/downgrade)
3. SecretScan: 349+ secret patterns
4. InjectionDetect: 18 pattern groups + heuristics
5. GuardrailCheck: destination allowlist + content rules
6. LoopDetect: 5 identical tool calls in 60s → block
7. HoneyTokenCheck: exfiltration canary detection
8. ModelRouting: cost-based model downgrade
9. Audit: structured logging with timing
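The LoopDetect stage is the one rule above with concrete numbers (5 identical calls in 60s), so here is a constructed sliding-window implementation of it. This is example code written for this page, not CitrusGlaze's own; how "identical" is defined (tool name plus canonicalised arguments) and the class and method names are assumptions, and the injectable clock exists only so the window behaviour can be demonstrated without waiting a minute.

```python
"""Constructed example of a LoopDetect stage: block when the same tool call
repeats 5 times inside a 60-second window. Written for this page, not
CitrusGlaze's code; the fingerprint definition and API shape are assumptions."""
import hashlib
import json
import time
from collections import defaultdict, deque


class LoopDetector:
    def __init__(self, threshold: int = 5, window_s: float = 60.0, clock=time.monotonic):
        self.threshold = threshold
        self.window_s = window_s
        self.clock = clock                       # injectable so tests can drive time
        self._seen: dict[str, deque] = defaultdict(deque)

    @staticmethod
    def fingerprint(tool: str, args: dict) -> str:
        """Canonical JSON so {"a": 1, "b": 2} and {"b": 2, "a": 1} count as the same call."""
        canon = json.dumps({"tool": tool, "args": args}, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()

    def observe(self, tool: str, args: dict) -> tuple[bool, str]:
        """Record one call; return (allowed, reason). Blocked calls are still recorded,
        so a looping agent stays blocked until the window empties."""
        now = self.clock()
        hits = self._seen[self.fingerprint(tool, args)]
        while hits and now - hits[0] > self.window_s:     # age out calls older than the window
            hits.popleft()
        hits.append(now)
        if len(hits) >= self.threshold:
            return False, f"loop detected: {len(hits)} identical {tool} calls in {self.window_s:.0f}s"
        return True, "ok"


class FakeClock:
    """Constructed clock for the demonstration below."""
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def demo() -> tuple[list, bool, bool]:
    clk = FakeClock()
    det = LoopDetector(clock=clk)
    results = []
    for i in range(5):                       # five identical calls one second apart
        clk.t = float(i)
        results.append(det.observe("read_file", {"path": "/tmp/test.txt"})[0])
    # Different arguments give a different fingerprint and start their own count.
    other = det.observe("read_file", {"path": "/tmp/other.txt"})[0]
    clk.t = 70.0                             # the five earlier calls have aged out of the window
    later = det.observe("read_file", {"path": "/tmp/test.txt"})[0]
    return results, other, later


if __name__ == "__main__":
    print(demo())
```

The fingerprint covers the arguments, not just the tool name, so an agent paging through a file with changing offsets is not mistaken for a loop, while one retrying the exact same failing call is caught on the fifth attempt. A production version would also cap the number of tracked fingerprints or prune idle ones, since the per-key deques otherwise live as long as the process.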
Secure your AI agents today
Add CitrusGlaze MCP Gateway to your agent config in one line. 100% local. Under 10ms.