Free Tools Pricing
Log in Sign up →

Your AI has root access

Your AI tools have
no guardrails

MCP servers run with full access to your API keys, files, and databases. One proxy between your AI and the damage.

Your AI can see everything

Your AI tools have
no boundaries

Your AI tools have access to everything on your machine. This scans what they can see and blocks what they shouldn't touch.

Field report: MCP security

MCP configs are
wide open

MCP configs store secrets in plaintext. Agent graphs inherit permissions without boundaries. These tools audit and enforce.

devsafe mcp gateway default-deny
Default-deny Hash-chained audit From $19/mo

How it works

The difference is what sits between

Raw MCP gives every tool full access. DevSafe MCP Gateway enforces boundaries.

Without DevSafe Wide open
AI client connects directly to MCP server
API keys stored in plaintext config files
Every tool available. No permission boundaries
No record of what tools were called
One compromised server = full access to everything
With DevSafe MCP Gateway Default-deny
Proxy intercepts every JSON-RPC message
Credentials injected from encrypted vault
Per-tool allow/deny with default-deny
Every call logged to hash-chained audit
Blocked tools return clean error responses
Default-deny
Every tool blocked until you allow it
AES-256-GCM
Vault credentials encrypted at rest
SHA-256 chain
Tamper-evident audit log
From $19/mo
Unlimited MCP servers and tool permissions
Zero deps
Single Go binary, no external services

Capabilities

Everything between your AI and the damage

Eight features that make every MCP connection auditable and controlled.

Auto-discovery

Finds servers from Claude Desktop, Cursor, VS Code. No manual configuration required.

Per-tool permissions

Allow or deny individual tools per server. Grant read access, block delete. Granular control.

Encrypted vault

API keys from DevSafe Vault, not plaintext configs. Injected at runtime, never written to disk.

Hash-chained audit

Every call logged with SHA-256 chain integrity. Each entry depends on the previous one.

Tools/list filtering

AI client never sees tools it cannot use. Blocked tools are invisible, not just denied.

Default-deny

Nothing runs until you explicitly allow it. Every new tool starts blocked. Opt in, not opt out.

Tamper detection

devsafe mcp audit verify catches any modification to the log chain.

Single binary

No Node.js, no Python, no Docker. One Go binary. Download, run, done.

Comparison

See how we compare

Side by side. No footnotes needed.

DevSafe MCPRaw MCPCustom Scripts
Per-tool permissions Yes No Partial
Encrypted credentials Yes No No
Tamper-evident audit Yes No No
Auto-discovery Yes No No
Default-deny Yes No Partial
Tool list filtering Yes No No
Single binary YesN/A No
Zero configuration Yes Yes No

Pricing

Simple plans.
No per-server fees.

Every plan includes auto-discovery, audit logging, and the single binary. Pay for scale, not per connection.

FreeTry it out
$0 / mo
  • Everything you need to start:
  • Proxy 1 MCP server
  • 5 MCP tool permissions
  • Audit log
  • Auto-discovery
  • CLI access
Start free
TeamCollaborate + control
$29 / user / mo · billed annually
  • Everything in Pro, plus:
  • Shared policies
  • Team audit dashboard
  • SSO integration
  • Compliance reporting
Build team plan
BusinessScale your org
$49 / user / mo · billed annually
  • All features included:
  • Up to 200 seats
  • SSO / SAML / OIDC
  • Org-wide policy templates
  • Compliance audit export
  • Dedicated onboarding
Get notified when ready

Questions

Honest answers. No hedging.

What is MCP?

Model Context Protocol lets AI assistants call external tools.

Claude Desktop, Cursor, and VS Code all use it. DevSafe MCP Gateway secures those connections.

Do I need to change my MCP config?

No. DevSafe discovers your existing servers and proxies them.

Your AI client connects to DevSafe instead of directly to the server.

What happens when a tool is blocked?

The AI client receives a clean JSON-RPC error response. No crash, no timeout.

The blocked call is logged to the audit chain.

Can the audit log be tampered with?

Each entry includes the SHA-256 hash of the previous entry. Changing any entry breaks the chain.

Run devsafe mcp audit verify to check.

Where are my API keys stored?

In DevSafe Vault, encrypted with AES-256-GCM.

Keys are injected into the server process at runtime and never written to disk in plaintext.

Stop giving AI tools
the keys to everything.

Default-deny. Encrypted vault. Tamper-evident audit.

Secure your MCP servers

Your AI should ask
before it acts.

One tool blocks what your AI shouldn't touch. Takes 2 minutes to set up.

Get started free

Ship agents with
permission boundaries.

Per-tool allow/deny. Context window auditing. Credential injection from encrypted vault.

Deploy the gateway

Newsletter

Research that matters to your stack

One email when we publish something worth your time. Pick what matters to you.

No spam. Unsubscribe anytime.

What topics interest you?

Threats
Tutorials
Engineering
AI Security
Product
Everything

Skip this step