What types of AI agent security tools exist?

AI agent security tools fall into five categories: static scanners (check MCP servers before deployment), runtime firewalls and proxies (inspect traffic during execution), gateways (route and control access to tools), inference guardrails (classify prompts and completions), and governance platforms (discover and manage agents at enterprise scale). Most production deployments need tools from at least two categories.

What is the difference between an AI agent firewall and a gateway?

An agent firewall inspects the content of traffic between agents and external services, scanning for credential leaks, prompt injection, and data exfiltration. A gateway focuses on routing, access control, and policy enforcement, deciding which agents can reach which tools. Some tools combine both functions. The key question is whether the tool inspects content or just controls access.

Do I need a scanner if I already have a runtime firewall?

Yes. Scanners and firewalls catch different things at different times. A scanner checks MCP server configurations before deployment and flags known-vulnerable packages or suspicious tool descriptions. A runtime firewall catches attacks that happen during execution: credential leaks in tool arguments, prompt injection in responses, and tool description changes mid-session. Pre-deploy and runtime are complementary, not interchangeable.

Agent Security Tools

The AI agent security market has gone from nearly empty to crowded in under a year. Scanners, firewalls, proxies, gateways, guardrails, governance platforms. The names overlap. The categories blur. And most teams aren’t sure which ones they actually need.

This page maps the tool landscape by category. Each section explains what the tools in that category inspect, what they miss, and where they fit in a defense stack. Named tools are included as examples, not endorsements. Evaluate them against your own threat model.

Tool categories

AI agent security tools break into five groups based on when they run and what they inspect:

Category	When it runs	What it inspects
Scanners	Pre-deploy	MCP server configs, tool descriptions, known vulnerabilities
Runtime firewalls/proxies	During execution	HTTP traffic, MCP messages, tool arguments, tool responses
Gateways	During execution	Routing, access control, tool discovery
Inference guardrails	During execution	Prompts and completions (text classification)
Governance platforms	Continuous	Agent inventory, policy enforcement, compliance reporting

No single category covers the full attack surface. Scanners miss runtime attacks. Firewalls miss pre-deploy misconfigurations. Gateways miss content-level threats. A real defense stack combines at least two.

Scanners

Scanners check MCP servers and agent configurations before deployment. They run once (or in CI) and report findings. They don’t sit in the traffic path at runtime.

What they check: Tool descriptions for hidden instructions, known CVEs in MCP server packages, configuration mistakes (overly broad permissions, missing authentication), and supply chain risks in dependencies.

What they miss: Anything that happens at runtime. A tool description that’s clean at scan time can change mid-session (rug-pull). Credential leaks in tool arguments only happen during execution. Prompt injection arrives in responses the scanner never sees.

Examples:

mcp-scanner (Cisco): Scans MCP server configurations for tool poisoning, cross-origin escalation, and known vulnerability patterns. YARA rules plus LLM-based analysis.
Snyk agent-scan (Snyk, formerly Invariant): Scans installed MCP servers for tool poisoning and rug-pull risks. Pins tool descriptions and alerts on changes. Integrates with Snyk workflows.
Enkrypt AI: MCP security scanning as part of a broader AI security platform. Checks tool descriptions against attack patterns with continuous monitoring.

Scanners are the cheapest first step. Run them in CI on every MCP configuration change. But don’t confuse pre-deploy scanning with runtime protection. They solve different problems.

Runtime firewalls and proxies

Runtime tools sit in the traffic path between the agent and external services. Every request and response passes through them. They inspect content, not just routing.

What they inspect: HTTP request bodies, headers, and URLs for credential patterns (DLP). HTTP responses for prompt injection. MCP tool arguments for secret leaks. MCP tool responses for injection payloads. Tool descriptions for poisoning. DNS queries for exfiltration patterns.

What they miss: Local file system operations (no network hop to intercept). In-memory reasoning corruption. Attacks that don’t produce network traffic. These require agent-side hooks or sandboxing.

Examples:

Pipelock: Open-source agent firewall. Content-inspecting egress proxy for HTTP and MCP traffic. Scans for credential leaks (DLP with multi-layer decode), prompt injection (6-pass normalization), SSRF, tool poisoning, and rug-pulls. Runs as a single binary. Supports domain allowlists, MCP wrapping via stdio or HTTP, hash-chained audit logging, and Claude Code hooks. GitHub.
iron-proxy: Open-source Go proxy for MCP and HTTP traffic. Focuses on domain allowlisting with MITM TLS interception. Content scanning capabilities are not documented in public docs at the time of writing.
Promptfoo: Open-source LLM testing and red teaming framework. Includes an MCP proxy mode for intercepting tool calls. OpenAI announced plans to acquire Promptfoo in March 2026 (pending closing). Primary focus is evaluation and red teaming rather than inline blocking.

The core question for any runtime tool: does it inspect content or just control access? Domain allowlisting stops requests to unapproved servers but won’t catch a credential leaked to an approved domain.

Gateways

Gateways focus on routing, discovery, and access control for MCP servers. They decide which agents can reach which tools and manage the connection lifecycle.

What they handle: Tool discovery (agents find available servers through the gateway), access control (per-agent or per-team permissions), connection management (transport bridging between stdio and HTTP), and routing (multiple MCP servers behind one endpoint).

What they miss: Content-level threats. A gateway that routes traffic to an MCP server doesn’t inspect whether the tool arguments contain leaked credentials or whether the response contains injection. Access control says “this agent can use this tool.” Content inspection says “this specific tool call is safe.”

Examples:

Docker MCP Gateway: Manages containerized MCP servers. Provides tool-level access control and transport bridging. Agents connect to the gateway, which routes to the appropriate container. Focuses on isolation and management rather than content scanning.
Runlayer: Cloud-hosted MCP gateway with hosted MCP servers, access control, and usage analytics. Provides a registry of available servers and manages connections.
agentgateway (Solo.io/Linux Foundation): Open-source gateway for A2A (agent-to-agent) and MCP traffic. Focuses on routing, authentication, and observability across multiple agent protocols.

Gateways and firewalls are complementary. The gateway controls who can talk to what. The firewall controls what’s allowed in the conversation. Large deployments often run both.

Governance platforms

Governance platforms operate at the organizational level. They discover agents running across teams, enforce centralized policies, and produce compliance reports.

What they handle: Agent discovery (finding every agent and MCP server in the organization), policy enforcement (centralized rules for what agents can do), compliance reporting (mapping agent activity to frameworks like SOC 2, NIST, EU AI Act), and risk scoring.

What they miss: Packet-level inspection. Governance platforms set policy. Enforcement still requires runtime tools (firewalls, proxies, gateways) that actually sit in the traffic path. A policy that says “no credential exfiltration” needs a DLP scanner to enforce it.

Examples:

Zenity: Agent security governance. Discovers agents, assesses risks, enforces policies. Backed by $38M Series B.
Noma Security: AI security platform covering model supply chain, runtime monitoring, and agent governance.
Microsoft Agentic Trust (AGT): Open-source framework for verifiable agent identity, capabilities, and trust boundaries.

Governance matters when you have dozens of teams running hundreds of agents. If you have three agents, start with runtime controls. Add governance when the management problem outgrows spreadsheets.

How to choose

If you need…	Start with…	Examples
Pre-deploy config checking	Scanner	mcp-scanner, mcp-scan
Credential leak prevention	Runtime firewall with DLP	Pipelock
Prompt injection blocking	Runtime firewall with injection scanning	Pipelock, inference guardrails
MCP tool access control	Gateway	Docker MCP Gateway, agentgateway
Domain-level egress control	Proxy with allowlists	Pipelock, iron-proxy
Multi-team agent management	Governance platform	Zenity, Noma
Compliance evidence	Firewall with audit logging + governance	Pipelock (flight recorder), Zenity
Red teaming and evaluation	Testing framework	Promptfoo

For a single team running agents with network access: start with a runtime firewall (covers the widest attack surface with the least integration), add a scanner in CI, and add governance when the fleet grows.

For an enterprise with many teams: start with governance to get visibility, then deploy runtime firewalls per-team to enforce the policies.

AI Agent Security Tools: Scanners, Firewalls, and Gateways

Tool categories

Scanners

Runtime firewalls and proxies

Gateways

Governance platforms

How to choose

Further reading