Treat live spend as a security signal. Block injection and PII leaks, enforce principal-keyed FinOps caps, and govern the full MCP path — embed or proxy. Under 5ms overhead.
No other tool has all three
Privacy-first, in-process, MCP-native — plus FinOps and a CI testing companion. One permissively licensed stack.
Static tool-definition checks before deploy
mcp-bastion scan tools.json
Red-team harness against your policy
mcp-bastion redteam
Runtime middleware on every MCP method
bastion.yaml
mcp-bastion dashboard --demo · optional local metrics UI
Add enterprise-grade security without changing business logic
from mcp_bastion import MCPBastionMiddleware, compose_middleware
# One object. All 18 security pillars.
bastion = MCPBastionMiddleware(
enable_prompt_guard=True, # Block jailbreaks
enable_pii_redaction=True, # Mask SSN, email, phone
enable_rate_limit=True, # Stop runaway agents
)
middleware = compose_middleware(bastion)
Defense-in-depth for every MCP server. Each pillar runs independently.
Meta PromptGuard blocks jailbreaks locally
Presidio masks SSN, email, phone
Token bucket per session
Auto-disable failing tools
Tool-level permissions by role
Block code injection, path traversal
Principal-keyed session & daily FinOps caps
Degrade model, force discovery filter, block expensive chains
Signed session export — policy hash, controls fired, spend
Mandatory proxy auth — un-bypassable network hop
Nonce-based replay prevention
Deduplicate similar queries
Validate tool input types
Structured JSON audit trail
OTLP spans for Grafana, Datadog
Slack, webhook, cost anomaly alerts
Real-time requests, cost, blocked stats
Tamper-proof forensic audit trail
Plug in OPA or Cedar policy engines
Heuristic semantic policy checks
Opt-in enterprise controls for production MCP deployments. All default off — enable only what you need in bastion.yaml.
The exfiltration canary adds a separate trailing text block on prompts/get and resources/read (original JSON/code bodies stay intact), then blocks tool arguments that echo the session token.
Host orchestrators can also read bastion_canary_snippet from request metadata for custom system prompts.
LLM scanner and ATR rules are opt-in; expect up to ~2.5s latency (scanner) or per-rule regex cost when enabled.
Session token echo detection in tool args
Community threat rules merged into scanners
Optional Ollama tier, fail-open
Background regex rule refresh
Threshold-based containment actions
mask / hash / remove on tool outputs
Log would-block without denying
mcp-bastion report CLI
One-line install for every major LLM framework
| Feature | MCP-Bastion | Others |
|---|---|---|
| Active defense | Auto-block | Logging only |
| Data privacy | 100% local | External APIs |
| Cost protection | Cost-as-policy FinOps | Billing only |
| Category | Runtime governance | Scanner or gateway |
| Architecture | Drop-in middleware | Standalone proxy |
| Latency | <5ms | 50-200ms |
| Test coverage | 92%+ gate | Unknown |
Monitor requests, blocked attacks, PII redacted, cost tracking, and alerts in real time
Requests, blocked %, PII redacted, cost per user
Scrape /metrics for Grafana and Datadog
Instant notifications on injection, cost spikes
Most MCP security tools focus on logging or require external APIs. MCP-Bastion provides active, local defense.
| Capability | MCP-Bastion | MCP Guardian | MCP Gateways |
|---|---|---|---|
| Prompt injection blocking | Local ML model | WAF rules only | External API |
| PII redaction | Presidio (local) | No | Some (cloud) |
| Data leaves your network | Never | No | Yes |
| Denial-of-wallet protection | FinOps budgets | Rate limit only | Rate limit only |
| Architecture | Drop-in middleware | Standalone proxy | Hosted gateway |
| Latency overhead | <5ms | 10-50ms | 50-200ms |
| Policy-as-code | YAML + OPA + Cedar | Config file | Dashboard UI |
| Framework integrations | 17+ packages | Generic only | Varies |
| Cost | Free (MIT) | Free | $$$ |
| Test coverage | 100% | Unknown | Unknown |
Attackers embed "ignore previous instructions" in tool arguments. Without active defense, your agent executes malicious commands on your infrastructure.
Tool results containing SSN, emails, and phone numbers flow directly into LLM context windows. One leaked prompt and your customer data is exposed.
An infinite loop calling a paid API can rack up thousands in minutes. Token budgets and session timeouts stop this before it starts.
SOC2, HIPAA, and GDPR require audit trails for data access. MCP-Bastion logs every tool call with structured, tamper-proof entries.
Get started in under 60 seconds. No config needed.