The open-source security gateway for AI agents.
mcp-firewall sits between your MCP client and server, intercepting every tool call with enterprise-grade policy enforcement, real-time threat detection, and compliance-ready audit logging.
```text
AI Agent --> mcp-firewall --> MCP Server
                  |
            Policy Engine
            Audit Trail
            Threat Feed
```
AI agents can now execute tools: read files, run commands, query databases, make HTTP requests. Without guardrails, a single prompt injection can exfiltrate your credentials, execute arbitrary code, and chain tools for privilege escalation.
mcp-firewall is the WAF for AI agents.
```bash
pip install mcp-firewall

# Wrap any MCP server with zero config
mcp-firewall wrap -- npx @modelcontextprotocol/server-filesystem /tmp

# Generate a starter policy
mcp-firewall init
```

Every tool call passes through 8 inbound + 4 outbound security checks:
Inbound (request screening):
- Kill Switch: Emergency deny-all
- Agent Identity: RBAC per AI agent
- Rate Limiter: Per-agent, per-tool, global
- Injection Detector: 50+ patterns
- Egress Control: Block SSRF, private IPs, cloud metadata
- Policy Engine: OPA/Rego + YAML policies
- Chain Detector: Dangerous tool sequences
- Human Approval: Optional interactive prompt

Outbound (response scanning):
- Secret Scanner: API keys, tokens, private keys
- PII Detector: Email, phone, SSN, IBAN, credit cards
- Exfil Detector: Embedded URLs, base64, DNS tunneling
- Content Policy: Custom domain-specific rules
Simple YAML for common rules:

```yaml
agents:
  claude-desktop:
    allow: [read_file, search]
    deny: [exec, shell, rm]
    rate_limit: 100/min

rules:
  - name: block-credentials
    match: { arguments: { path: "**/.ssh/**" } }
    action: deny
```

Full OPA/Rego for complex policies:
```rego
# Rego package names cannot contain "-", so the package uses "_" here
package mcp_firewall.policy

allow {
    input.agent == "cursor"
    input.tool.name == "read_file"
    not sensitive_path(input.tool.arguments.path)
}

# Assumed helper (not in the original snippet): anything under a .ssh directory is sensitive
sensitive_path(p) {
    glob.match("**/.ssh/**", ["/"], p)
}
```

```bash
mcp-firewall wrap --dashboard -- python my_server.py
# -> Dashboard at http://localhost:9090
```

Live event feed, analytics, alert history, and policy playground.
Every event is cryptographically signed (Ed25519) with a hash chain for tamper detection. Export to SIEM (CEF/LEEF), Syslog, CSV, or JSON.
```bash
mcp-firewall audit verify                                  # Verify chain integrity
mcp-firewall audit export --format cef --output siem.log
```

Auto-generated evidence for regulatory audits:
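As an added illustration of the signed, hash-chained audit trail described above (example code written for this page, not mcp-firewall's own implementation; Go is used because its standard library ships Ed25519, and the record layout, the hash input and the function names are assumptions):

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Event is one audit record: Prev links to the previous record's hash, Hash covers the content, Sig signs Hash.
type Event struct {
	Tool, Prev, Hash string
	Sig              []byte
}

// GenerateKeys returns a fresh Ed25519 key pair; verifying needs only the public key.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// eventHash binds a record to its predecessor, so editing an earlier record changes every later hash.
func eventHash(tool, prev string) string {
	sum := sha256.Sum256([]byte(tool + "|" + prev))
	return hex.EncodeToString(sum[:])
}
// Append chains a new record to the tail of the log and signs it.
func Append(events []Event, priv ed25519.PrivateKey, tool string) []Event {
	prev := ""
	if n := len(events); n > 0 {
		prev = events[n-1].Hash
	}
	e := Event{Tool: tool, Prev: prev, Hash: eventHash(tool, prev)}
	e.Sig = ed25519.Sign(priv, []byte(e.Hash))
	return append(events, e)
}

// Verify recomputes every hash and checks each link and signature; it returns
// the index of the first bad record, or -1 when the whole chain is intact.
func Verify(events []Event, pub ed25519.PublicKey) int {
	prev := ""
	for i, e := range events {
		if e.Prev != prev || e.Hash != eventHash(e.Tool, prev) || !ed25519.Verify(pub, []byte(e.Hash), e.Sig) {
			return i
		}
		prev = e.Hash
	}
	return -1
}
```

Tail truncation is the one edit a bare chain cannot catch: the verifier also needs the expected last hash or record count from an independent source.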
```bash
mcp-firewall report dora   # EU Digital Operational Resilience Act
mcp-firewall report finma  # Swiss Financial Market Authority
mcp-firewall report soc2   # SOC 2 Type II evidence
```

Community-maintained detection rules (like Sigma for SIEM):

```bash
mcp-firewall feed update   # Pull latest rules
mcp-firewall feed list     # Show active rules
```

Rules detect known-bad patterns: webhook exfiltration, credential harvesting, cloud metadata SSRF, and more.
Pre-deployment security scanning (powered by mcpwn):

```bash
mcp-firewall scan -- python my_server.py
```

Works with every MCP client, with zero code changes:
```json
{
  "mcpServers": {
    "filesystem": {
      "command": "mcp-firewall",
      "args": ["wrap", "--", "npx", "@modelcontextprotocol/server-filesystem", "/home"]
    }
  }
}
```

Compatible with: Claude Desktop, Claude Code, Cursor, VS Code, Windsurf, and any MCP client.
```text
+--------------+     +----------------------------------+     +--------------+
|  MCP Client  |---->|           mcp-firewall           |---->|  MCP Server  |
+--------------+     |                                  |     +--------------+
                     | Inbound --> Policy --> Outbound  |
                     |    |          |           |      |
                     |    v          v           v      |
                     | [Audit]   [Alerts]    [Metrics]  |
                     |               |                  |
                     |               v                  |
                     |      [Dashboard] [Reports]       |
                     +----------------------------------+
```
Feature comparison against Agent-Wall, LlamaFirewall and MintMCP (the check and cross marks did not survive extraction; only the textual cells remain): MCP-native proxy (MintMCP: SaaS), open source, OPA/Rego policies, agent RBAC, signed audit trail, compliance reports (MintMCP: SOC2 only), threat feed, alerting, dashboard (Agent-Wall: Basic), cost tracking, built-in scanner.
- Developers: Protect your machine when trying new MCP servers
- Security Teams: Enforce tool usage policies across the organization
- Compliance Officers: Generate audit evidence for DORA, FINMA, SOC 2
- CISOs: Visibility and control over AI agent behavior
- Red Teamers: Test AI agent security posture
mcp-firewall works as a Python library, not just an MCP proxy. Use it with OpenClaw, LangChain, CrewAI, or any custom agent:

```python
from mcp_firewall.sdk import Gateway

gw = Gateway()  # or Gateway(config_path="mcp-firewall.yaml")

# Check before executing a tool
decision = gw.check("exec", {"command": "rm -rf /"}, agent="my-agent")
if decision.blocked:
    print(f"Blocked: {decision.reason}")

# Scan tool output for leaked secrets
result = gw.scan_response("AWS_KEY=AKIAIOSFODNN7EXAMPLE")
print(result.content)  # "AWS_KEY=[REDACTED by mcp-firewall]"
```

See examples/openclaw_integration.py for a full example.
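As an added example of the outbound secret scanning that the Secret Scanner check and the scan_response call above perform (Go code written for this page, not the project's scanner; the three patterns and the ScanResult type are constructed assumptions, the replacement text is the one the SDK example shows):

```go
package main

import (
	"fmt"
	"regexp"
)

// Redacted is the replacement text shown in the SDK example's scanned output.
const Redacted = "[REDACTED by mcp-firewall]"

// secretPatterns is a constructed sample set; a real scanner carries many more
// signatures. Each pattern keys on a fixed token prefix or on PEM armor so that
// ordinary text does not produce false positives.
var secretPatterns = []*regexp.Regexp{
	regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`),    // AWS access key ID
	regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`), // GitHub personal access token
	regexp.MustCompile(`(?s)-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----`), // PEM private key
}

// ScanResult holds the redacted content and how many secrets were found.
type ScanResult struct {
	Content  string
	Findings int
}

// ScanResponse replaces every secret match in a tool's output before the
// response is handed back to the agent, so a leaked key never reaches the model.
func ScanResponse(output string) ScanResult {
	findings := 0
	for _, re := range secretPatterns {
		output = re.ReplaceAllStringFunc(output, func(string) string {
			findings++
			return Redacted
		})
	}
	return ScanResult{Content: output, Findings: findings}
}

func main() {
	// Constructed sample tool output: a file read that happened to contain an AWS key.
	r := ScanResponse("AWS_KEY=AKIAIOSFODNN7EXAMPLE")
	fmt.Println(r.Findings, r.Content) // 1 AWS_KEY=[REDACTED by mcp-firewall]
}
```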
mcpwn, a security scanner for MCP servers. While mcp-firewall protects at runtime, mcpwn finds vulnerabilities before deployment.
| Tool | When | What |
|---|---|---|
| mcpwn | Pre-deployment | Find vulnerabilities in MCP servers |
| mcp-firewall | Runtime | Block attacks, enforce policies, audit logging |
Scan first, then protect:

```bash
# Step 1: Scan for vulnerabilities
mcp-firewall scan -- python my_server.py

# Step 2: Protect at runtime
mcp-firewall wrap -- python my_server.py
```

See CONTRIBUTING.md for guidelines.
Security issues: see SECURITY.md.
AGPL-3.0: see LICENSE.
Commercial licensing available for organizations that cannot use AGPL. Contact [email protected].
Built by Robert Ressl, Associate Director Offensive Security at Kyndryl. CISSP, OSEP, OSCP, CRTO. After 100+ penetration tests and red team engagements across banking, insurance, and critical infrastructure, I saw the gap: AI agents are the new attack surface, and MCP is the protocol everyone uses but nobody secures.
mcp-firewall is the firewall that MCP needs.