Pipelock vs Runlayer is local enforcement vs managed governance — self-hosted scanning vs a cloud control plane.

The short version

Pipelock is an open-source network proxy. It scans HTTP, MCP, and WebSocket traffic for credential leaks, injection, SSRF, and tool poisoning. Runs locally as a single binary. Works with agents whose traffic is routed through it.

Runlayer is a managed control plane for AI agent tool access. It governs which MCP tools agents can use, integrates with identity providers (Okta, Entra), resolves credentials through 1Password, detects shadow MCP servers, and applies security models to tool calls. Available as SaaS or self-hosted/VPC deployment.

Pipelock enforces at the network layer. Runlayer governs at the tool access layer. One scans content. The other manages access and policy.

Feature comparison

FeaturePipelockRunlayer
ArchitectureNetwork proxy (single binary, self-hosted)Managed control plane (SaaS or self-hosted/VPC)
Primary scopeHTTP, HTTPS, CONNECT, WebSocket, MCP content scanningMCP tool governance, identity, credential management
DLP (credential scanning)48 built-in patterns, encoding-aware, env leak detectionCredential exfiltration detection (ToolGuard)
Prompt injection detection25 patterns, 6-pass normalizationML-based security models (ToolGuard)
Tool poisoningRug-pull drift detection + description scanningPre-vetted catalog + ToolGuard runtime
SSRF protectionDNS rebinding, private IP, metadata blockingNot documented
Identity integrationN/A (proxy-level)Okta, Entra, SCIM, group sync
Credential managementN/A by design (capability separation)1Password runtime resolution
Shadow MCP detectionNoYes (MCP Watch)
MCP server catalogNoYes (curated registry)
Kill switchYes (4 independent sources)Not documented
Process sandboxYes (Landlock + seccomp + netns)Not documented
Tamper-evident loggingYes (hash-chained flight recorder)Structured audit logs
Compliance mappingsOWASP, NIST, EU AI ActSOC 2, HIPAA
Source availabilityOpen source (Apache 2.0 core)Proprietary (CLI client on PyPI)
Self-hostedYes (default)VPC/self-hosted option available
PricingFree (Apache 2.0), Pro starts at $49/moEnterprise, no public pricing

Where Runlayer is better

Enterprise identity and access. Runlayer integrates with Okta and Entra for SSO, supports SCIM provisioning and group sync, and provides approval workflows for tool access. If your security team needs to control which teams can access which tools with SSO-backed authentication, Runlayer has that built in. Pipelock operates at the proxy level and doesn’t manage identity.

Credential management. Runlayer’s 1Password integration resolves secrets at runtime. Hash-based audit trails track credential usage without logging the credential itself. This is a real feature for teams that need centralized secret management for agent tools.

Shadow MCP detection. MCP Watch detects unauthorized MCP servers running on employee machines. This gives security teams visibility into which tools are actually running across the org. Pipelock discovers local MCP configurations but doesn’t do fleet-wide shadow scanning.

MCP server catalog. Runlayer maintains a curated registry of approved servers. Browse, discover, request access, deploy. This is an adoption and governance feature that Pipelock doesn’t offer.

ML-based scanning. ToolGuard uses custom security models for injection detection. ML-based detection can catch novel phrasings that pattern matching would miss. Pipelock uses deterministic pattern matching, which is transparent and inspectable but limited to known patterns and their encoding variants.

Enterprise customers and compliance. Runlayer has SOC 2 and HIPAA certification and named enterprise customers. That’s social proof and compliance readiness that matters for enterprise procurement.

Where Pipelock is better

Network-layer content scanning. Pipelock operates as an HTTP forward proxy, scanning HTTP, HTTPS (via CONNECT), and WebSocket traffic in addition to MCP. Agent activity that happens outside the MCP tool layer (fetching URLs, calling REST APIs, connecting to WebSocket endpoints) is visible to Pipelock because it’s in the network path. Runlayer’s primary focus is MCP tool governance.

Content inspection depth. Pipelock scans outbound requests for 48 credential patterns with base64, hex, and URL encoding awareness. It runs 25 injection patterns through 6 normalization passes on scanned responses. It also performs entropy analysis and environment variable leak detection.

SSRF protection. Pipelock blocks requests to private IP ranges, cloud metadata endpoints, and link-local addresses. DNS rebinding protection prevents bypass via DNS response manipulation. Network-layer SSRF protection requires being in the network path.

Open source. Pipelock’s scanning logic is open source (Apache 2.0). Every regex pattern, every normalization pass, every DLP check is in the public repo. You can audit it, fork it, run it entirely on your own infrastructure. Runlayer’s security models are proprietary.

Capability separation architecture. Pipelock is designed so the proxy holds no agent secrets; deployment (container isolation, network policy) enforces the separation boundary. This is an architectural choice: the scanning process and the secret-holding process are intended to run in separate trust zones, enforced by deployment configuration.

Process sandbox. Pipelock wraps any process with Landlock, seccomp, and network namespace isolation.

Different enforcement points

Runlayer and Pipelock answer different questions:

Runlayer answers: Who can access which tools? With what credentials? Under what policy? Did they have approval?

Pipelock answers: What’s in the network traffic? Are there leaked credentials in the request body? Is the response trying to inject instructions? Is the tool description poisoned?

One manages tool access. The other scans network content.

Agents don’t exclusively interact through managed tool calls. They also fetch URLs, call APIs, and connect to services over HTTP. A proxy in the network path sees that traffic regardless of which tool layer initiated it.

When to use each

Start here if you need both containment and content scanning. It gives you local, open-source enforcement that combines process containment with content scanning across HTTP, WebSocket, and MCP. Runlayer is strongest as an MCP governance and identity layer.

Use Runlayer if: Your primary requirement is enterprise MCP administration: SSO/SCIM, approval workflows, credential brokering, curated server catalogs, or shadow MCP detection. Those are governance capabilities that operate at the access-control layer rather than the network-traffic layer.

Use both if: You want Runlayer to govern who can access which tools, and Pipelock to inspect what flows through those tools and adjacent HTTP/MCP traffic.

Third-party feature descriptions are based on public materials reviewed in April 2026. Features and capabilities may change. Check each project’s current documentation for the latest.

Further reading

Ready to get started?