Inventory
Know every MCP server and tool
Bindfort is designed to record the servers your agents can reach, the tools each server exposes, and the package/version running behind them.
Bindfort
Runtime security, speed, and evidence for MCP-based AI agents. We assume the traffic is hostile until proven otherwise.
Secure every MCP tool call before the agent reaches it
Bindfort sits between agents and MCP servers, checks installed-tree risk, enforces policy before execution, and produces verifiable receipts without turning every tool call into a latency bottleneck.
0.9us dispatch. Go microbenchmarks on the local policy path.
5 of 5 official MCP servers. Known-vulnerable transitives in our installed-tree audit.
5 design partners. Guided technical walkthroughs only; no self-serve signup.
Product / what it does
Bindfort is the checkpoint between AI agents and MCP servers.
Your agents do not call third-party MCP servers directly. They call Bindfort first. Bindfort checks whether the tool is known, whether the server is vulnerable, whether the caller is allowed, and whether the action can continue under the current policy.
1Agent requests a tool
2Bindfort checks identity, server risk, tool scope, and policy
3Policy decides whether the call continues or stops with evidence
1 / Caller
AI agent
Claude, Cursor, Copilot, custom agent
2 / Checkpoint
Bindfort
- Who is calling?
- Is this server safe?
- Is this tool allowed?
- Can we prove the result?
3 / Destination
MCP server
GitHub, filesystem, database, browser, internal tools
Risk
Scan the installed tree
It checks the runtime dependency tree against OSV, GHSA, and NVD instead of trusting only the top-level package name.
Policy
Decide before the call
Each request is evaluated against identity, server state, tool scope, credentials, and allow/deny rules before it reaches the MCP server.
Proof
Create Article 12 evidence
Verified tool-call paths produce receipts and audit records that show which policy handled the action, what result came back, and what evidence can feed EU AI Act review.
Compliance use case / sovereignty / audit evidence
Compliance evidence, without exporting agent telemetry
EU AI Act readiness is one buyer reason to ask what an AI agent did before it touched a tool, but it is not the only reason Bindfort exists. The core security need is broader: teams need fast policy decisions, dependency visibility, and verifier-backed evidence for sensitive MCP tool calls.
The 2 August 2026 (Aug 2, 2026) EU AI Act milestone makes this concrete for EU buyers: Article 12 points to automatic event logging; Annex IV points to technical documentation. Bindfort turns MCP tool calls into evidence fields operators can review: caller, server identity, tool, policy decision, timestamped result, receipt hash, and verifier output. Self-hosted deployments keep telemetry, policy records, and receipts under customer control.
Article 12automatic event logging
Annex IVtechnical documentation evidence
Aug 2, 2026EU AI Act readiness milestone
Customer controlself-hosted VPC or EU-controlled deployment option
Bindfortsigned MCP receipts verified by CLI
bindfort verify receipts.jsonl --key-file receipt.keyEU AI Act evidence gateway
What Bindfort evidence maps to
Bindfort helps MCP-based AI agent operators produce verifier-backed runtime evidence for EU AI Act logging, technical documentation, and sovereignty review.
Reference
Buyer question
Bindfort evidence
Article 11 / Annex IV
Technical documentation support
Receipts, scanner findings, policy decisions, and server fingerprints.
Article 12
Automatic event logging support
Receipt JSONL, timestamps, caller/tool/server identity, hashes, and verifier output.
Article 15
Cybersecurity and robustness support
Policy enforcement, dependency scanning, isolation direction, and tamper-evident records.
Article 26
Deployer log retention and monitoring support
Customer-controlled receipt and audit records in the operator environment.
Article 27
Impact-assessment support
Pilot evidence, tool inventory, risk review artifacts, and documented gaps.
Bindfort supports evidence collection and review. It does not by itself make an AI system compliant or replace legal, conformity-assessment, or governance work.
Local verification
See policy enforcement and EU audit evidence working locally
The current local path validates configuration, builds, runs tests, allows an approved MCP tool call, denies a blocked tool before upstream execution, and verifies receipt evidence for Article 12 logging and Annex IV documentation work.
$go run ./cmd/bindfort validate --config configs/config.yaml
[ok] configuration valid for environment "development"
$go test ./... && go build ./...
[ok] tests passed / build passed
$go run ./cmd/demo
tools/call echo -> allowed by policy
tools/call blocked_tool -> denied before upstream execution
bindfort verify receipts.jsonl -> [OK] receipt log verified
tamper one receipt line -> [FAIL] hmac mismatch
$
Speed and MCP security evidence from the current verification and research pass
0.9us
dispatch overhead
Go microbench / in-memory upstream / policy path only
5/5
official MCP servers flagged
installed-tree audit found two HIGH advisories in every official server we tested / read audit
43%
MCP servers vulnerable
external ecosystem scan reported command-injection exposure / BlueRock scan
Product status / verified modules
What is working now, and what still needs launch hardening
Bindfort is past diagrams and into a working local path, but it is not yet a self-serve production product. These are the modules currently verified and the remaining work before first design-partner deployment.
Installed-tree scanning
The scanner path is built around the runtime dependency tree, not only top-level package names. This is the core lesson from the MCP transitive dependency research.
Verified core
Inline policy enforcement
The local demo now proves both sides of the policy gate: an approved tool call succeeds and a denied tool is stopped before it reaches the upstream MCP server.
Verified locally
Receipt evidence
Tool-call results include receipt evidence with HMAC and server fingerprint fields. For EU buyers, this becomes the audit artifact behind Article 12-style traceability: who called which MCP tool, under which policy, and what result came back. The localbindfort verify path now proves receipt-log integrity after the run and fails on tampered records.
Generated + verified locally
Annex IV documentation support
Receipts, policy decisions, scanner findings, and server fingerprints give operators structured evidence they can attach to technical documentation, supplier review, and Annex IV readiness work.
Technical documentation
Isolation hardening
The product direction is clear: run untrusted MCP servers with scoped filesystem, network, and process access. First-user packaging still needs a clean deployment profile.
Next hardening
EU-first deployment packaging
Bindfort now has first-user packaging docs, a Compose skeleton, and a pilot checklist aligned to EU audit and sovereignty expectations. Before broader launch it still needs one external pilot run and production-grade deployment packaging.
Packaging skeleton ready
Research / evidence
Research that explains the MCP risk
Start with the evidence behind the product: installed-tree dependency risk, runtime reachability, and the minimum checks before agents use MCP servers.
Bindfort Research / May 2026
Installed-tree scanning catches what shallow MCP scans miss
A shallow package scan can return clean while the installed dependency tree still carries known high-severity advisories.
Read the report ->Bindfort Research / Runtime validation
Presence is not reachability
Dependency presence is only the first question. Runtime validation asks whether an agent can actually drive traffic into the affected path.
Read validation notes ->Bindfort Checklist
What operators should check before agents use MCP servers
Inventory, dependency depth, host/origin boundaries, policy enforcement, and receipts are the minimum review set before production use.
Open checklist ->Real MCP incidents
This already happened
The security case does not depend on one regulation. These disclosed MCP incidents show why fast policy checks, dependency visibility, and receipt evidence need to exist before tools run.
CVE-2025-54136
Cursor MCPoison trust bypass
Approved MCP configuration could be changed later without the user seeing a fresh trust decision, turning an approved setup into persistent code execution risk.
Config drift / trust boundaryCheck Point Research ->
CVE-2025-6514
mcp-remote command execution
Connecting an MCP client through mcp-remote to an untrusted server could trigger arbitrary operating-system command execution on the client host.
Transport bridge / RCEJFrog Security Research ->
CVE-2025-53109 / 53110
EscapeRoute filesystem path escape
Anthropic's Filesystem MCP server contained path-scope bypasses that let attackers escape the intended directory boundary and access host files.
Filesystem boundaryCymulate ->
April 2026
Systemic MCP SDK command execution
OX Security reported a design-level command execution surface in MCP STDIO handling across official SDK implementations and downstream products.
SDK architectureOX Security ->
FAQ / current readiness
What works today
and what is roadmap
Today
How does this help with the EU AI Act?Today
Article 12 requires high-risk AI systems to technically allow automatic event logging over the system lifetime. Bindfort is positioned to provide the MCP tool-call side of that record: caller, tool, server identity, policy decision, timestamped result, and receipt evidence.
Annex IV is about technical documentation. Bindfort does not make a system compliant by itself, but its receipts, dependency findings, policy records, and server fingerprints are the kind of structured evidence EU operators need for audit files and design-partner reviews ahead of the 2 August 2026 AI Act milestone.
The local verification path can generate a verifier-backed evidence bundle from receipt logs withbindfort evidence bundle.
Why does EU sovereignty matter here?Today
Agent security evidence should not require exporting sensitive tool inputs, internal system names, or audit trails to another jurisdiction. Bindfort is designed for self-hosted deployment, EU-controlled evidence retention, and Poland-based EU market positioning from the start.
Can I verify a receipt today?Today
In the current verification path, the local demo writes receipt evidence with HMAC and server fingerprint fields. The bindfort verify receipts.jsonl command recomputes the HMAC chain from a signing key kept outside the log, exits non-zero on tampering, and reports the receipt that failed.
The verifier is a shipped CLI command in the local verification path. The remaining launch work is external pilot validation and production-grade install artifacts around it.
After verification, bindfort evidence bundle writes a local manifest, Article map, and operator README without copying raw receipt logs by default.
Is Bindfort ready for users today?Today
It is ready for a guided technical walkthrough and design-partner evaluation. The verified path currently covers config validation, build, tests, policy allow/deny behavior, and receipt evidence.
It is not yet a self-serve production product. First-user packaging and operator docs now exist as a guided path; the remaining launch work is one real pilot environment, release artifacts, and production operations packaging.
What should a first evaluation prove?Today
A first evaluation should show that Bindfort can sit between an agent and an MCP server, enforce a deny rule before the tool call reaches the server, allow known-safe calls, and produce audit evidence that can be reviewed after the run.
How is this different from a routing MCP gateway?Today
Routing gateways forward MCP traffic and usually focus on auth, rate limits, and transport. Bindfort focuses on security evidence before and after the call: installed dependency risk, policy decision, tool-call outcome, and receipt records.
What happens if a CVE is found today?Today
Today, a guided evaluation can show scanner findings, policy decisions, and receipt verification for a controlled MCP server path. Bindfort is not yet a packaged self-serve production CVE response system.
Live blocking, alert routing, affected-tool reporting, and exception review are v1.0 roadmap items, not shipped behavior on the current page.
Can this run in an EU-controlled environment?Today
That is the intended deployment posture for design partners: keep agent traffic, tool-call evidence, and audit records under the operator's control instead of requiring sensitive traces to leave the environment.
v1.0 roadmap
What about SOC 2?v1.0 roadmap
Bindfort is not claiming SOC 2 certification today. The current value is that policy decisions, receipt records, scanner findings, and server fingerprints can support future control evidence for audits.
Formal SOC 2 mapping, auditor-ready exports, and control evidence workflows are v1.0 roadmap work. Self-hosting helps with data control, but it does not remove the buyer's audit obligations.
What deployment and migration work is roadmap?v1.0 roadmap
Roadmap work includes air-gapped packaging, offline vulnerability data updates, signed update flow, documented gateway-adapter patterns, and broader compatibility testing across transports.
Founder
Built by O.G. in Poland.
Oleg is a Go and cloud engineer building Bindfort after seeing the same pattern repeat in agent systems: MCP tools get connected faster than they get reviewed. Bindfort exists to put a small, verifiable security gateway between AI agents and the internal systems they can reach.
Taking 5 design partners for EU-controlled MCP security pilots.
Prepare MCP tool calls for security review
The first call is a technical walkthrough, not a self-serve signup. We are prioritizing teams that already use MCP servers, connect agents to internal tools, need faster tool-call control, or want Article 12 and Annex IV evidence before the 2 August 2026 AI Act milestone.
5 design-partner slots while packaging, deployment docs, and pilot materials are finalized.