Scanner
On-demand security scan of MCP configs. ~30s, server-side, nothing stored.
Cavexia Agentic Security Systems is the security platform for AI agent infrastructure. We scan MCP configs on demand, monitor them continuously, alert your team when things drift, publish a public threat intel feed, and ship enterprise services including SSO, on-prem deployment, and compliance evidence packs.
Try it now — we've pre-loaded the scanner with a real MCP config that has issues. Hit Scan to see what we find.
Paste your config or drop a JSON file. No login. We don't store your data.
Tip: Claude Desktop's config lives at ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows). Click Load Claude Desktop to pick yours and scan it for real findings.
Every finding is severity-graded and ships with an actionable remediation. No vague warnings.
Inspector RCEs, path traversals, supply-chain disclosures.
Zero-width Unicode, bidi overrides, base64 payloads, prompt injection.
GitHub maintainer changes, archived repos, low-trust accounts.
Unpinned versions, insecure HTTP, shell pipes, leaky env vars.
Add an MCP config to your inventory and Cavexia re-scans hourly, alerts you when a maintainer changes, a new CVE drops for a package you use, or a config introduces a hygiene regression. Diffs and acknowledgments live in a dashboard built for security teams, not for dashboards.
Every scan produces a cryptographically signed report. Free or Enterprise, same signature, same verifiability. Send it to a customer, attach it to a SOC 2 audit, archive it as evidence. Free across all tiers, by design.
From a free one-shot scanner to on-prem enterprise. Use what you need.
On-demand security scan of MCP configs. ~30s, server-side, nothing stored.
Cryptographically signed scan reports. Verifiable, archivable, audit-friendly.
Browse MCP vulnerability advisories or submit your own.
Hourly re-scans of tracked MCP configs. Catch drift before it ships.
Get notified when monitored configs change or new findings appear.
Execute MCP servers in a sandbox to verify behavior without trusting the source.
Push alerts into Slack channels or your own incident pipeline.
Full team activity history. Who scanned what, when, and what they did about it.
/api/scan with bearer-token auth. Drop Cavexia into your CI/CD pipeline.
SSO (SAML/OIDC), on-prem, custom detection rules, dedicated TAM, HIPAA / SOC 2 / EU AI Act evidence.
Three recent advisories from the Cavexia threat intel feed — public, community-contributed, no login required.
Most teams need on-demand scans during config changes. Paid tiers are for when you want to know the moment something drifts.
On-prem deployment, SSO (SAML and OIDC), custom detection rules tailored to your stack, a dedicated technical account manager, and evidence packs for HIPAA, SOC 2, and EU AI Act audits. We sign mutual NDAs before the first call.