We build the MCP servers. You govern the access.
Model Context Protocol is how AI agents reach your tools and data. We build the servers and the policy layer in front of them, so an agent uses only what you allow.
- 7 production MCP servers
- 33 SAP collections exposed, by sensitivity
- 1h SPIFFE/SPIRE identity per server
We don’t just connect to MCP. We build production servers across ERP, collaboration and security operations, govern them as non-human identities, and hold them to the protocol’s own security guidance. Most teams do one of those, if any.
How it works
Every tool call passes through policy.
MCP is the open standard for connecting AI agents to real tools and data. The catch, which the spec states plainly, is that it cannot enforce security itself. An agent with tool access is only as safe as the controls around it. So agents never touch your systems directly. Every request is mediated by a server we build and gated by policy that decides what each agent may do.
Building MCP servers is becoming common. Governing what agents may do with them is not.
How MCP should be built
The protocol gives you a connection. Not a guardrail.
The MCP specification is explicit that it cannot enforce security at the protocol level. Every safeguard is the builder’s responsibility. These are the principles the spec and the OWASP GenAI guidance call for, and how we hold to them.
- 01. Least privilege, per tool. Each server gets only the capabilities it needs, granted and revoked per tool, never a blanket session.
- 02. Authorize the call, not the session. A valid login is no blank cheque. Capability-based access control decides what each identity may do.
- 03. Human in the loop for irreversible actions. Deletes, exports and transfers need a person. Anything outside policy escalates automatically.
- 04. Authenticated and bound. No server runs open. Each gets a short-lived SPIFFE/SPIRE identity with per-server token binding.
- 05. Treat tool output as untrusted. Arguments are checked for injection and responses are sanitized before they reach the model.
- 06. Audit every call. Who called what, with which arguments, and what came back, logged like any privileged automation.
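The principles above, combined into one mediating gate, as an added example written here and not the vendor's own code: capability grants held per server identity and per tool, escalation of irreversible actions to a person, a screen over arguments and tool output, and an audit record for every decision. The SPIFFE IDs, tool names and the injection pattern are assumptions for the illustration.

```python
from dataclasses import dataclass, field
import re

# Tools whose effects cannot be undone always escalate to a person (principle 03).
IRREVERSIBLE = {"sap.delete_record", "sap.export_collection"}

# Constructed capability grants: one set per server identity and per tool, never a
# blanket session (principles 01 and 02). These SPIFFE IDs are assumed, not real.
GRANTS = {
    "spiffe://corp.example/mcp/sap-reader": {"sap.query_collection"},
    "spiffe://corp.example/mcp/sap-admin": {"sap.query_collection", "sap.delete_record"},
}

# Minimal screen for instruction- or query-injection text, applied to arguments before
# dispatch and to tool output before it reaches the model (principle 05). A real
# deployment would validate against tool schemas and use a dedicated sanitizer.
INJECTION = re.compile(r"ignore (all|previous) instructions|<\s*script|;\s*drop\s+table", re.I)


@dataclass
class Decision:
    verdict: str  # "allow", "deny" or "escalate"
    reason: str


@dataclass
class PolicyGate:
    audit_log: list = field(default_factory=list)

    def decide(self, identity: str, tool: str, args: dict) -> Decision:
        """Gate one tool call; every outcome is written to the audit log (principle 06)."""
        if tool not in GRANTS.get(identity, set()):
            d = Decision("deny", f"no capability grant for {tool}")
        elif any(INJECTION.search(str(v)) for v in args.values()):
            d = Decision("deny", "argument failed injection screen")
        elif tool in IRREVERSIBLE:
            d = Decision("escalate", "irreversible action needs a person")
        else:
            d = Decision("allow", "grant present, arguments clean")
        # Who called what, with which arguments, and what the gate decided.
        self.audit_log.append(
            {"identity": identity, "tool": tool, "args": dict(args), "verdict": d.verdict, "reason": d.reason}
        )
        return d

    @staticmethod
    def sanitize_output(text: str) -> str:
        """Drop lines of a tool response that read like instructions to the model."""
        return "\n".join(line for line in text.splitlines() if not INJECTION.search(line))
```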
What we build
Production MCP servers, running today.
Built for real systems, across the domains our customers actually run on.
SAP Business ByDesign
An agent queries live ERP data in plain language, on-premises, with no external model. Every collection is classified by sensitivity before it is exposed.
Secure collaboration
Agents search, summarize and act inside your on-premises collaboration platform, under per-message AES-256-GCM encryption and the same DLP and role-based access that govern your people.
Security operations toolset
A suite of MCP servers that give security agents controlled access to exactly the systems they need during an engagement, and nothing more.
What we govern
An MCP server is a non-human identity. We govern it like one.
An MCP server holds credentials and reaches into your systems, exactly like a service account or an AI agent. So it runs under the same machine-identity governance fabric as every other workload, not a gate bolted on the side.
- Discover: found even when unregistered, via an 8-phase OWASP NHI scan.
- Identify: a short-lived SPIFFE/SPIRE identity, rotated hourly.
- Scope: capability-based access. Only what it was granted.
- Risk-tier: by severity, mapped to MITRE ATT&CK.
- Decide: allow, deny, or escalate to a person.
- Watch: anomaly detection flags behavioral drift.
Proof, not promises
We build it, govern it, and run it in production.
We build MCP servers for the enterprise systems you run, and govern every one as a non-human identity. SAP Business ByDesign, on-premises collaboration and a security operations toolset are live today, each discovered, scoped to least privilege, and logged on every call. The systems are yours to choose. The controls are the part most teams skip.
Give your agents tools. Keep the controls.
Whether you are exposing your own systems over MCP or connecting to ours, we build the servers and the policy layer that keeps them safe.