Product Features

Wrap any MCP server with a security proxy. Every tool call is checked against 15,923 rated servers, scanned for secrets/PII, and logged. Works with Claude Desktop, Cursor, Windsurf — any MCP client.

Automatic security checks for every MCP tool call in Claude Code. Grade F tools get blocked, Grade D triggers a warning. Zero dependencies.

Three-phase runtime security for OpenClaw agents: before_tool_call (Trust Score + DLP), after_tool_call (output scanning + audit), message_sending (outbound DLP). Three policy modes.

Scan any MCP server for 46 security rules, 5-dimension description quality scoring, and architecture analysis. Output as table, JSON, SARIF, or auto-generated policy YAML.

Detect secrets (API keys, tokens, private keys — 50+ patterns) and PII (credit cards, SSN, email, phone) in tool parameters and outputs. Redact, mask, or block. Included in all packages above.

YAML-based rules with three presets (strict, balanced, permissive). Auto-generated policy templates from scan data — 15,923 servers covered. Included in all packages above.

Generate up to 10 API keys (sr_pro_…) per account. Keys authenticate SDK uploads, Trust Registry queries, and Dashboard API access. Rotate or revoke instantly from your Account page.

Every tool call intercepted by RuntimeGuard is streamed to your cloud audit log with full context: session ID, tool name, decision (allow / deny / escalate), PII detected, and policy matched. 90-day retention on Pro, 1 year on Business+.

Real-time metrics at a glance: total events, block rate, top triggered rules, DLP detections, and risk trend over time. Drill down by session, tool, or time range.

Create and manage security policies through the web UI or API. Define rules per tool, set allow / deny / escalate actions, and attach conditions. Changes take effect immediately — no restarts needed.

Define alert rules that fire when security conditions are met (e.g., > 10 blocks in 5 minutes). Deliver alerts via webhook to Slack, PagerDuty, or any HTTP endpoint. Track delivery status and retry failed deliveries.

Query MCP server security ratings in real-time. The Pro API returns ratings with zero delay (free tier has a 24h cache). Use the bulk endpoint on Business+ to export the full registry.

Run `spiderrating proxy` to wrap any MCP server. Every tool call flows through RuntimeGuard locally, and audit events are uploaded to your cloud Dashboard when a Pro key is configured.

Invite team members, assign roles (owner / admin / member / viewer), and manage permissions. Control who can edit policies, view audit logs, or manage API keys.

Enforce single sign-on for your organization. Connect your SAML 2.0 identity provider (Okta, Azure AD, Google Workspace) so team members authenticate through your corporate IdP.

Configure organization-wide settings from a single API: org name, domain, default team role, 2FA enforcement, notification preferences, DLP toggle, SSO enforcement, and more. Partial updates via PATCH.

Track API call volume per endpoint, view monthly usage history, and monitor quota consumption. Pro tier includes 50K calls/month, Business 500K, Enterprise 5M. Top-endpoint breakdown helps optimize integration patterns.

Restrict API access to trusted networks with CIDR-based IP allowlisting. Supports IPv4 and IPv6, up to 50 rules per tenant. Enable/disable the allowlist globally without deleting entries.

List active sessions, view IP addresses and user agents, revoke individual sessions, or force-logout all sessions for a user. Admin endpoints allow organization-wide session visibility and control.

Export audit events and admin logs in CSV or JSON format. PII fields are automatically masked with [REDACTED]. Exports include up to 50,000 rows with Content-Disposition headers for direct download.

Set per-data-type retention policies: audit events (7–365 days), admin audit logs (7–365 days), and alert delivery history (7–180 days). Trigger manual purges or let the system auto-purge on schedule.