MCP Gateway

Every MCP tool an agent touches, gated and logged.

The Model Context Protocol opens your tools to autonomous agents. Cortex puts a managed registry, per-tenant allowlists, DLP on input and output, rate limits, risk scoring, a kill switch, and a full transaction log in front of every call — so MCP is safe to run in regulated work.

Aligned with EU AI Act · NIST AI RMF · ISO 42001

MCP Gateway
tool reqtool reqtool reqfirewallallowlistDLP in/outrate limitrisk scoreallowdeny
mcp ▸ managed registry · kill switch armed
The problem

MCP is a wide-open door unless something governs it.

MCP lets any agent discover and call your servers' tools — read records, move money, send messages. Out of the box there is no approval step, no allowlist, no data-loss check, no rate limit, and no record of what was called. Cortex makes the gateway the only way in: a server can't be invoked until it's approved, every call is scanned both ways, and one click blocks it instantly.

Managed MCP registryApprove before invokeDLP in / outRate limitsTransaction logkill switch armed
One gateway, every control

What sits between an agent and a tool call.

Each control is enforced at invoke time, fail-closed. A request that fails any check is denied and the attempt is still recorded.

Managed registry

Every MCP server is registered and discovered through Cortex. New servers land in status='pending' and cannot be invoked until an admin approves them.

Allowlists

Per-server tool allowlists scope exactly which discovered tools an agent may call — and per-tenant scoping keeps one tenant's servers invisible to another.

DLP in and out

Inbound text is scanned for prompt-injection and PII before the call; outbound results are PII-redacted before they reach the agent.

Full transaction log

Every governed invocation — allowed or blocked — is recorded with redacted I/O, the deny reason, and latency, ready for an auditor.

How a governed invoke works

From register to approved, scanned, logged.

An MCP server earns the right to be called. The gateway then checks it on every single request.

  1. 01

    Register

    A server is added to the managed registry as status='pending'. Until it's approved, every invoke is refused with 403 — no tool runs by default.

  2. 02

    Approve & scope

    An admin approves the server, sets its risk tier (low / medium / high), and defines the tool allowlist. An empty allowlist means all discovered tools; an explicit list locks it down.

  3. 03

    Gate every call

    gateInvoke checks approved + enabled + tool-allowlisted, then runs DLP on the input (high-injection text is blocked), executes the JSON-RPC tools/call, and redacts PII from the output.

  4. 04

    Log & control

    The call lands in the transaction log with redacted I/O and latency. One block flips the kill switch — every subsequent invoke returns 403 until you re-approve.

Prove it — don't just claim it

The gate is fail-closed, and we can show you every refusal.

These are the actual enforcement results — the gateway denies first and asks questions never. Each denial is recorded, so 'it was blocked' is something you can hand an auditor, not just assert.

  • Invoke a pending server → 403 — no tool runs until it’s approved.
  • Prompt-injection in the input (“ignore all previous instructions…”) → 403 DLP.
  • Tool not on the server’s allowlist → 403 — scope is explicit.
  • Hit the block kill switch → every invoke returns 403 instantly.
MCP Gateway
tool reqtool reqtool reqfirewallallowlistDLP in/outrate limitrisk scoreallowdeny
mcp ▸ managed registry · kill switch armed
The fine print, in plain sight

DLP, risk scoring, rate limits, and the call ledger.

The gateway doesn't just allow or deny — it inspects, scores, throttles, and records, on input and output alike.

DLP — inbound
  • Prompt-injection detection
  • PII detection in arguments
  • High-injection text blocked
  • Recorded with the deny reason
DLP — outbound
  • PII redaction on results
  • Redacted before the agent sees it
  • Same redaction stored in the log
  • No raw secrets in the trail
Risk & rate
  • Per-server risk tier (low / med / high)
  • Per-agent & per-tenant allowlists
  • Rate limits & usage quotas
  • Server risk scoring
Transaction log
  • Every invoke — allowed or blocked
  • Redacted I/O + latency
  • Deny reason on every refusal
  • Exportable for audit
Tooling Agent
agent · did:cortex:7cf07f61
active
Ownerit-ops@northwind
Risk tierMedium
Expiry2026-12-31
Allowed models
claude-opus
Allowed actions
mcp:searchmcp:lookup
Stop it in one move

A kill switch you can hit before the call lands.

block is an instant, server-wide kill switch — the moment you flip it, every governed invoke refuses, no matter which agent or workflow asks. approve re-enables it. Allowlists are scoped to the agent identity that's calling, so the gateway always knows who's reaching for which tool.

  • Block one server → all its tools go dark, fleet-wide.
  • Per-agent allowlists tie tools to the calling identity.
  • Re-approve to bring a server back online.
Security & compliance

MCP that passes the security review.

Fail-closed approval, DLP on both directions, per-tenant isolation, a kill switch, and a complete call ledger — mapped to the frameworks your auditors already use.

SOC 2ISO 27001ISO 42001HIPAAGDPREU AI ActNIST AI RMFFINRA

Open your tools to agents — on your terms.

Put a managed gateway in front of every MCP server: approved before invoke, scanned both ways, logged, and one click from a full stop.