Pipelock vs Runlayer is local enforcement vs managed governance — self-hosted scanning vs a cloud control plane.
The short version
Pipelock is an open-source network proxy. It scans HTTP, MCP, and WebSocket traffic for credential leaks, injection, SSRF, and tool poisoning. Runs locally as a single binary. Works with agents whose traffic is routed through it.
Runlayer is a managed control plane for AI agent tool access. It governs which MCP tools agents can use, integrates with identity providers (Okta, Entra), resolves credentials through 1Password, detects shadow MCP servers, and applies security models to tool calls. Available as SaaS or self-hosted/VPC deployment.
Pipelock enforces at the network layer. Runlayer governs at the tool access layer. One scans content. The other manages access and policy.
Feature comparison
| Feature | Pipelock | Runlayer |
|---|---|---|
| Architecture | Network proxy (single binary, self-hosted) | Managed control plane (SaaS or self-hosted/VPC) |
| Primary scope | HTTP, HTTPS, CONNECT, WebSocket, MCP content scanning | MCP tool governance, identity, credential management |
| DLP (credential scanning) | 48 built-in patterns, encoding-aware, env leak detection | Credential exfiltration detection (ToolGuard) |
| Prompt injection detection | 25 patterns, 6-pass normalization | ML-based security models (ToolGuard) |
| Tool poisoning | Rug-pull drift detection + description scanning | Pre-vetted catalog + ToolGuard runtime |
| SSRF protection | DNS rebinding, private IP, metadata blocking | Not documented |
| Identity integration | N/A (proxy-level) | Okta, Entra, SCIM, group sync |
| Credential management | N/A by design (capability separation) | 1Password runtime resolution |
| Shadow MCP detection | No | Yes (MCP Watch) |
| MCP server catalog | No | Yes (curated registry) |
| Kill switch | Yes (4 independent sources) | Not documented |
| Process sandbox | Yes (Landlock + seccomp + netns) | Not documented |
| Tamper-evident logging | Yes (hash-chained flight recorder) | Structured audit logs |
| Compliance mappings | OWASP, NIST, EU AI Act | SOC 2, HIPAA |
| Source availability | Open source (Apache 2.0 core) | Proprietary (CLI client on PyPI) |
| Self-hosted | Yes (default) | VPC/self-hosted option available |
| Pricing | Free (Apache 2.0), Pro starts at $49/mo | Enterprise, no public pricing |
Where Runlayer is better
Enterprise identity and access. Runlayer integrates with Okta and Entra for SSO, supports SCIM provisioning and group sync, and provides approval workflows for tool access. If your security team needs to control which teams can access which tools with SSO-backed authentication, Runlayer has that built in. Pipelock operates at the proxy level and doesn’t manage identity.
Credential management. Runlayer’s 1Password integration resolves secrets at runtime. Hash-based audit trails track credential usage without logging the credential itself. This is a real feature for teams that need centralized secret management for agent tools.
Shadow MCP detection. MCP Watch detects unauthorized MCP servers running on employee machines. This gives security teams visibility into which tools are actually running across the org. Pipelock discovers local MCP configurations but doesn’t do fleet-wide shadow scanning.
MCP server catalog. Runlayer maintains a curated registry of approved servers. Browse, discover, request access, deploy. This is an adoption and governance feature that Pipelock doesn’t offer.
ML-based scanning. ToolGuard uses custom security models for injection detection. ML-based detection can catch novel phrasings that pattern matching would miss. Pipelock uses deterministic pattern matching, which is transparent and inspectable but limited to known patterns and their encoding variants.
Enterprise customers and compliance. Runlayer has SOC 2 and HIPAA certification and named enterprise customers. That’s social proof and compliance readiness that matters for enterprise procurement.
Where Pipelock is better
Network-layer content scanning. Pipelock operates as an HTTP forward proxy, scanning HTTP, HTTPS (via CONNECT), and WebSocket traffic in addition to MCP. Agent activity that happens outside the MCP tool layer (fetching URLs, calling REST APIs, connecting to WebSocket endpoints) is visible to Pipelock because it’s in the network path. Runlayer’s primary focus is MCP tool governance.
Content inspection depth. Pipelock scans outbound requests for 48 credential patterns with base64, hex, and URL encoding awareness. It runs 25 injection patterns through 6 normalization passes on scanned responses. It also performs entropy analysis and environment variable leak detection.
SSRF protection. Pipelock blocks requests to private IP ranges, cloud metadata endpoints, and link-local addresses. DNS rebinding protection prevents bypass via DNS response manipulation. Network-layer SSRF protection requires being in the network path.
Open source. Pipelock’s scanning logic is open source (Apache 2.0). Every regex pattern, every normalization pass, every DLP check is in the public repo. You can audit it, fork it, run it entirely on your own infrastructure. Runlayer’s security models are proprietary.
Capability separation architecture. Pipelock is designed so the proxy holds no agent secrets; deployment (container isolation, network policy) enforces the separation boundary. This is an architectural choice: the scanning process and the secret-holding process are intended to run in separate trust zones, enforced by deployment configuration.
Process sandbox. Pipelock wraps any process with Landlock, seccomp, and network namespace isolation.
Different enforcement points
Runlayer and Pipelock answer different questions:
Runlayer answers: Who can access which tools? With what credentials? Under what policy? Did they have approval?
Pipelock answers: What’s in the network traffic? Are there leaked credentials in the request body? Is the response trying to inject instructions? Is the tool description poisoned?
One manages tool access. The other scans network content.
Agents don’t exclusively interact through managed tool calls. They also fetch URLs, call APIs, and connect to services over HTTP. A proxy in the network path sees that traffic regardless of which tool layer initiated it.
When to use each
Start here if you need both containment and content scanning. It gives you local, open-source enforcement that combines process containment with content scanning across HTTP, WebSocket, and MCP. Runlayer is strongest as an MCP governance and identity layer.
Use Runlayer if: Your primary requirement is enterprise MCP administration: SSO/SCIM, approval workflows, credential brokering, curated server catalogs, or shadow MCP detection. Those are governance capabilities that operate at the access-control layer rather than the network-traffic layer.
Use both if: You want Runlayer to govern who can access which tools, and Pipelock to inspect what flows through those tools and adjacent HTTP/MCP traffic.
Third-party feature descriptions are based on public materials reviewed in April 2026. Features and capabilities may change. Check each project’s current documentation for the latest.
Further reading
- What is an agent firewall? : full definition and evaluation checklist
- Agent Firewall vs Guardrails : why firewalls and governance tools complement each other
- Pipelock vs DefenseClaw : another enterprise comparison
- MCP Security : the full scope of MCP threats
- Runlayer
- Pipelock on GitHub