Open-Source AI Agent Security Monitor with MCP Security Gateway
AI agents are the fastest-growing attack surface in enterprise software:
- 1 in 8 AI breaches are linked to agentic systems (HiddenLayer 2026)
- 76% of organizations cite shadow AI as a top risk
- Only 6% have advanced AI security controls
- CVE-2025-6514 (CVSS 9.6) demonstrated critical MCP vulnerabilities
- The Clinejection attack (Feb 2026) turned an AI coding bot into a supply chain vector affecting 5M+ users
- Zero open-source tooling comprehensively addresses agentic AI runtime security
AgentGate fills this gap.
- MCP Security Gateway — Intercepts and enforces policies on all MCP tool calls
- Attack Detection — Prompt injection, data exfiltration, privilege escalation, tool abuse
- Behavioral Anomaly Detection — ML-based (Isolation Forest) behavioral baseline monitoring
- RAG Poisoning Scanner — Detects poisoned documents in knowledge bases
- Shadow AI Discovery — Identifies unauthorized agents and MCP connections
- Transparent Risk Scoring — Documented algorithm with full methodology
- YAML Policy Engine — Configurable policies mapped to OWASP & MITRE frameworks
- AI Intelligence — LangChain-powered summaries, recommendations, NL queries
- Real-time Dashboard — Dark/light mode React UI with live feeds and analytics
- Compliance Reports — PDF reports for OWASP Agentic Top 10 & MITRE ATLAS
- Live Demo Agent — Real LangChain agent routed through the security gateway
- DevSecOps Pipeline — Bandit, Trivy, Gitleaks, pip-audit, OWASP ZAP scanning
graph LR
A[AI Agent] -->|MCP| B[Gateway]
B --> C{Analysis Engine}
C --> D[Attack Detector]
C --> E[Behavioral Analyzer]
C --> F[RAG Scanner]
C --> G[Shadow AI]
D --> H[Policy Engine]
E --> H
H -->|ALLOW| I[MCP Server]
H -->|BLOCK| A
H --> J[Dashboard]
H --> K[Alerts]
| Layer | Technology |
|---|---|
| Backend | Python 3.11, FastAPI, SQLAlchemy, Pydantic v2 |
| ML/AI | scikit-learn, LangChain, OpenRouter |
| Frontend | React 18, Tailwind CSS, Recharts, Lucide React |
| Database | PostgreSQL 16 (prod) / SQLite (dev) |
| Deployment | Docker, Docker Compose |
| CI/CD | GitHub Actions |
| Security | Bandit, Trivy, Gitleaks, pip-audit, OWASP ZAP |
# Clone and start
git clone https://github.com/yourusername/agentgate.git
cd agentgate
docker-compose up --build
# Open dashboard
open http://localhost:3000
# Seed demo data
docker exec -it agentgate-backend-1 python seed_data.py| Variable | Default | Description |
|---|---|---|
DATABASE_URL |
SQLite | Database connection string |
OPENROUTER_API_KEY |
- | OpenRouter API key for AI features |
OPENROUTER_MODEL |
openai/gpt-4o-mini-2024-07-18 |
LLM model |
API_KEY |
agentgate-demo-key-2026 |
API authentication key |
SLACK_WEBHOOK_URL |
- | Slack alert webhook |
TEAMS_WEBHOOK_URL |
- | Teams alert webhook |
ALERT_ENABLED |
false |
Enable alert delivery |
| Category | Detection | Policy |
|---|---|---|
| A01 - Prompt Injection | Pattern + ML | BLOCK at 0.7 confidence |
| A02 - Sensitive Data Exposure | PII/credential regex | BLOCK |
| A03 - Sandboxing Failures | Tool abuse patterns | ALERT |
| A04 - Unauthorized Code Execution | Privilege escalation | BLOCK at 0.7 |
| A05 - SSRF Vulnerabilities | URL pattern analysis | ALERT |
| A06 - Excessive Permissions | Unapproved server blocking | BLOCK |
| A07 - Data Leakage | Behavioral anomaly detection | ALERT |
| A08 - Insufficient Logging | Full audit trail | Always logged |
| A09 - Overreliance | Agent quarantine | BLOCK quarantined |
| A10 - Model Theft | Access monitoring | ALERT |
| Technique | ID | Detection |
|---|---|---|
| Prompt Injection via MCP | AML.T0051 | Pattern + ML classifier |
| Data Exfiltration via Tools | AML.T0048 | PII/credential scanning |
| Privilege Escalation | AML.T0052 | Sensitive path + code detection |
| Tool Shadowing | AML.T0054 | Levenshtein + description analysis |
See DEMO.md for instructions.
Mode 1 — Simulated Traffic (2 min): Dashboard with seed data + curl attacks
Mode 2 — Live Agent Interception (3 min): Real LangChain agent routed through AgentGate
# Run the live demo
bash demo/run_demo.sh- ARCHITECTURE.md — System architecture
- API_DOCS.md — API reference
- RISK_SCORING.md — Risk scoring methodology
- THREAT_MODEL.md — Threat model
- DEMO.md — Demo instructions
- Kubernetes Helm charts
- SIEM integration (syslog/webhook)
- Browser extension for real-time monitoring
- Slack bot for interactive investigation
- Multi-agent orchestration monitoring
- Agent-to-agent communication monitoring
Contributions welcome! Please open an issue or PR.
MIT License