grantlock
v0.1.0 · Apache-2.0

Pre-runtime control plane for MCP configurations.

GrantLock scans MCP server configurations against an OWASP-mapped threat catalog before agents reach production. Open source. Runs locally. Zero telemetry by default.

OSS

Source-built scanner

Apache-2.0. Build it yourself, hack the rules, ship to your CI.

  • Full threat catalog
  • OWASP ASI mapping
  • Self-hosted only

Free Binary

Signed cross-platform binary

Email-gated download. Cosign-verified. Auto-update channel.

  • Pre-built for 5 platforms
  • Auto-update opt-in
  • Anonymous telemetry on by default (toggleable)

Cloud

Continuous posture + remediation

Per-org dashboard, premium rules, compliance reports. Coming Q3 2026.

  • Premium rule channel
  • Compliance PDFs (OWASP, AARM, NIST AI RMF)
  • Multi-team posture

How it fits

Three architectural bets — config-time scanning, an OWASP-mapped rule engine, and capability-graph reasoning — no other tool combines these.

Pre-runtime, not at runtime

Scan MCP server configs and tool surfaces before they're connected to a live agent — find unsafe capabilities at code-review or CI, not in incident-review.

OWASP-mapped rule engine

Every finding cites an ASI01–ASI10, OWASP MCP, or NIST AI RMF requirement. Reports are auditor-ready.

Capability-graph reasoning

We model identities, servers, tools, and resources as a graph and reason about reachable data — not just per-tool checks.
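As an added illustration of the graph idea (this is not GrantLock's code; the node layout, names and sample config are constructed assumptions), the following shows why reachability over identity, server, tool and resource nodes catches a combination that a per-tool check cannot see:

```python
from collections import deque

# Constructed sample capability graph (not GrantLock's format): an agent
# identity connected to two MCP servers, each exposing one tool. Edges read
# identity -> server -> tool -> resource.
GRAPH = {
    "identity:ci-agent": {"server:vault-mcp", "server:chat-mcp"},
    "server:vault-mcp": {"tool:read_secret"},
    "server:chat-mcp": {"tool:post_message"},
    "tool:read_secret": {"resource:secrets/db-password"},
    "tool:post_message": {"resource:external/slack"},
}
SENSITIVE = {"resource:secrets/db-password"}   # data that must not leave
EGRESS = {"resource:external/slack"}           # channels that leave the org

def reachable(graph, start):
    """Every node reachable from start (BFS; 'seen' also handles cycles)."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def per_tool_findings(graph):
    """Per-tool check: flag a tool only if it alone touches both classes.
    Each tool here touches a single class, so this returns nothing."""
    return [t for t in graph if t.startswith("tool:")
            and graph[t] & SENSITIVE and graph[t] & EGRESS]

def graph_findings(graph):
    """Graph check: flag an identity whose reachable set spans both classes,
    i.e. the identity has a path from sensitive data to an outbound channel."""
    findings = []
    for node in graph:
        if not node.startswith("identity:"):
            continue
        reach = reachable(graph, node)
        hit_sensitive, hit_egress = reach & SENSITIVE, reach & EGRESS
        if hit_sensitive and hit_egress:
            findings.append({"identity": node,
                             "sensitive": sorted(hit_sensitive),
                             "egress": sorted(hit_egress)})
    return findings

if __name__ == "__main__":
    print("per-tool:", per_tool_findings(GRAPH))  # []
    print("graph:   ", graph_findings(GRAPH))     # one finding for ci-agent
```

The per-tool pass returns nothing because each tool is individually benign; the graph pass reports the identity for which both a sensitive resource and an egress resource are reachable.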

Open by default

Source available, threat catalog in YAML, rules extensible. We share the engine because the customers we want will read the source.

Ship safer agents in five minutes.

Free for individuals and small teams. No account required for source-built use.