Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.ultra.security/llms.txt

Use this file to discover all available pages before exploring further.

Ultra Guardrails let you define and enforce security policies across your MCP infrastructure. Every tool call passes through the guardrails engine before reaching upstream servers, giving you real-time protection against credential leakage, destructive actions, input manipulation, and more. Guardrails are configured in Ultra Hub and automatically synced to all connected gateways. Built-in guardrails are recommended during configuration, protecting your environment from the most common MCP security threats out of the box.

How Guardrails Work

When an MCP tool call arrives at an Ultra gateway, the guardrails engine evaluates it against all active guardrails in parallel. Each guardrail inspects the request (tool name, parameters, server context) and returns a decision. The strictest decision wins.

Enforcement Modes

Every guardrail runs in one of four enforcement modes:
ModeBehavior
BlockPrevents the request from reaching the upstream server. The client receives an error with the guardrail name and reason.
AlertAllows the request but generates a warning-level audit event. Use this to monitor potential issues without disrupting workflows.
MonitorAllows the request and records the event silently. Use this for visibility without notifications.
RedactAllows the request after masking matched content in both the request and response. Matched values are replaced with [REDACTED].
Guardrails are fail-closed. If an evaluation error occurs or an evaluator is unavailable, the request is blocked regardless of the configured enforcement mode.

Scoping

Guardrails can be configured at three levels, with higher levels taking precedence:
ScopeDescription
OrganizationApplies to all workspaces and gateways in your org. Org-level settings override everything below.
WorkspaceApplies to all gateways in a workspace. Overrides gateway-level settings.
GatewayApplies to a single gateway. Most granular scope.
This lets you set org-wide baseline policies while allowing workspaces or individual gateways to have stricter configurations where needed.

Built-in Guardrails

Ultra ships with built-in guardrails that are recommended during configuration. These cover the most critical MCP security risks and require no configuration to start protecting your environment. You can view the full list, descriptions, and configuration options for each guardrail in the Guardrails page in Ultra Hub.
GuardrailCategoryDescription
Parameter Validation and Input SanitizationInput ProtectionValidates tool call parameters against type constraints, range limits, and dangerous patterns like path traversal (../), dangerous CLI flags (--exec, --privileged), shell injection, and command chaining. Supports configurable allowed-directory restrictions and per-parameter blocklists.
Credential and Secret ProtectionData ProtectionDetects and blocks access to credential files (.env, .aws/credentials, .ssh/id_*, and more), secrets in tool parameters (API keys, tokens, private key headers), and cloud metadata endpoints. Automatically redacts matched secret values in audit log entries.
In-Line Authorization and Destructive Action BlockingAccess ControlBlocks destructive actions before they reach target systems. Covers destructive tool names (delete_*, drop_*, rm_*), dangerous SQL and shell operations in parameters, code/git write tools, and financial/payment tools. Each category can be independently enabled or disabled.
PII and Personal Data ProtectionData PrivacyDetects personally identifiable information (PII) in tool call parameters and resource URIs, including email addresses, US Social Security numbers, phone numbers, credit cards (Luhn-validated), IBANs, cryptocurrency wallet addresses, BIC/SWIFT codes, and IPv4 addresses. Each PII category is independently toggleable, and a per-tool or per-resource bypass list lets you exempt internal tools that legitimately handle PII (such as HR or CRM lookups).
Rate LimitingInfrastructureConfigurable request rate limits per MCP server to prevent resource exhaustion and enforce usage quotas. Define rules with per-server or wildcard limits using fixed time windows.

PII and Personal Data Protection

The PII guardrail scans request parameters and resource URIs for personal data and emits a violation for each match. When run in Redact mode, matched values are replaced with [REDACTED] in the request payload, the response echo, and the audit trail before reaching the upstream server. Default configuration. The guardrail is enabled by default in Block mode with the high-precision categories turned on (email, US SSN, phone numbers, credit cards with Luhn validation, IBAN, and crypto addresses). Lower-precision categories that frequently collide with non-PII identifiers are off by default and can be enabled per workspace:
  • BIC / SWIFT codes — off by default. Format collides with enum values, error codes, and UUID fragments.
  • Public IPv4 addresses — off by default. Many tool calls legitimately reference public IPs.
  • Private IPv4 addresses — off by default. Internal network references are rarely sensitive.
Response scanning. Tool call responses are not scanned by default because most response payloads legitimately contain the PII the caller requested (HR or CRM lookups, customer records). Enable Scan Responses for PII when tools return untrusted content or when compliance requires bidirectional scanning. Response scanning is capped to the first 256 KB of body data with bounded JSON traversal. Bypass list. The bypass_tools list skips PII detection for matching tools or resources. Use exact names (e.g., salesforce_search) or prefixes ending in * (e.g., workday_*, workday://*). Matching is case-insensitive and applies to both request redaction and response scanning. Use this for internal tools that are expected to handle PII so the guardrail does not interfere with their normal operation.
PII categories are detected via regular expressions, with additional validation for high-noise patterns: credit cards are validated against the Luhn check digit, IBANs are restricted to country codes in the SWIFT registry, and BIC codes are validated against ISO 3166-1 alpha-2 country codes. Some structurally similar strings (like long base58 hashes resembling Bitcoin addresses) can still false-positive — start in Alert mode if you are unsure how the guardrail will behave against your traffic.

Guardrail Categories

Guardrails are organized into categories that map to different areas of MCP security:
CategoryDescriptionBuilt-in Guardrails
Input ProtectionValidates and sanitizes incoming tool call parametersParameter Validation and Input Sanitization
Data ProtectionPrevents credential leakage and secret exposureCredential and Secret Protection
Data PrivacyDetects and protects personally identifiable informationPII and Personal Data Protection
Access ControlEnforces authorization and blocks destructive actionsIn-Line Authorization and Destructive Action Blocking
Output SafetyFilters and validates tool call responses
InfrastructureRate limiting, circuit breaking, and availability protectionRate Limiting

Choosing Your Guardrail Configuration

Default Protection

Built-in guardrails are recommended during configuration and run in Block mode. For most organizations, enabling all built-in guardrails provides strong baseline security with no additional setup required. Before adding custom guardrails or changing enforcement modes, consider your team’s workflows.

Scoping Flow

When configuring guardrails, work from broad to specific:
  1. Start at the organization level — Set your baseline security posture. The built-in guardrails are recommended here. Most organizations should keep them all enabled in Block mode at the org level.
  2. Adjust at the workspace level — If certain teams need different policies (for example, a development workspace where destructive actions are acceptable for testing), override specific guardrails at the workspace level.
  3. Fine-tune at the gateway level — For individual gateways that need special treatment, apply gateway-level overrides. This is the most granular scope and is useful for edge cases.

When to Change Enforcement Modes

ScenarioRecommended Mode
Production environments with sensitive dataBlock — Prevent threats from reaching upstream servers
New deployment, evaluating guardrail coverageAlert — See what would be caught without disrupting workflows
Development or staging environmentsMonitor — Log everything for visibility, allow all requests
Handling sensitive data that must not appear in logsRedact — Mask matched content in requests and responses

Adding Guardrails Beyond Defaults

Consider enabling additional guardrails if your environment involves:
  • Custom internal tools — Create custom guardrails (see below) to enforce organization-specific policies on tool names, parameters, or servers
  • Multi-tenant environments — Layer workspace-level and gateway-level guardrails to isolate tenants
  • Compliance requirements — Check the framework coverage tags on each guardrail to map your coverage against AARM, SAFE, and AUIC-1 frameworks
  • Sensitive data workflows — Switch credential protection to Redact mode if you need requests to proceed but want secrets masked

Custom Guardrails

Beyond the built-in guardrails, you can create custom guardrails to enforce organization-specific security policies. Custom guardrails use the same evaluation engine and enforcement modes as built-in guardrails.

Creating a Custom Guardrail

  1. Navigate to Guardrails in the Ultra Hub sidebar
  2. Click + Create Custom Guardrail in the top-right corner
  3. Fill in the guardrail details:
    • Name — A descriptive name (e.g., “Block /secrets directory access”)
    • Description — What the guardrail does and why

Trigger Conditions

Trigger conditions define when the guardrail fires. Each condition has three parts: a field, an operator, and a value. You can add multiple conditions joined with AND logic using + Add condition (AND). Available fields:
FieldDescription
Tool NameThe name of the MCP tool being called
Server NameThe upstream server handling the request
Resource URIThe resource being accessed
Any ParameterMatches against all parameter values
Parameter…Matches against a specific named parameter
User IDThe authenticated user’s identity ID. Empty string for unauthenticated requests.
User EmailThe authenticated user’s email address. Empty string for unauthenticated requests.
User NameThe authenticated user’s display name. Empty string for unauthenticated requests.
Client IDThe MCP client name from the connection handshake (e.g., claude-desktop, cursor). Empty string when unknown.
Client VersionThe MCP client version from the connection handshake (e.g., 1.2.3). Empty string when unknown.
Trigger conditions match against values at any depth in the request parameters, not just top-level fields. If a tool call includes nested objects or arrays, the condition will evaluate against values found within them as well.
User and client identity fields are always present in the evaluation context. When the request is unauthenticated or the client identity is unknown, these fields contain an empty string. Keep this in mind when writing regex conditions — patterns that match empty strings (like .*) will match unauthenticated requests.
Available operators:
OperatorDescription
equalsExact match
not equalsDoes not match exactly
containsValue includes the specified string
not containsValue does not include the specified string
starts withValue begins with the specified string
not starts withValue does not begin with the specified string
ends withValue ends with the specified string
not ends withValue does not end with the specified string
matches regexValue matches a regular expression pattern
in listValue is one of a comma-separated list
greater thanNumeric comparison
less thanNumeric comparison
When matching against email domains, prefer not ends with over not contains. For example, not ends with "@company.com" correctly blocks attacker@company.com.evil.com, while not contains "@company.com" would let it through because the substring match succeeds.

Enforcement Action

Choose the enforcement action for your custom guardrail:
  • Block — Hard block with denial receipt. The request is stopped and the client receives an error.
  • Alert — Notify but allow action. The request proceeds and a warning event is generated.
  • Monitor — Log only, no notification. The request proceeds silently.
  • Redact — Mask sensitive data in transit. Matched content is replaced with [REDACTED].

Example: Block Access to Secrets Directory

To create a guardrail that blocks any tool call attempting to access files in a /secrets/ directory:
  1. Name: Block /secrets directory access
  2. Description: Prevents any tool from reading or writing files in the /secrets directory
  3. Trigger Conditions:
    • Field: Any Parameter | Operator: contains | Value: /secrets/
  4. Enforcement Action: Block

Example: Alert on Unrecognized Servers

To get notified when tool calls hit a server outside your approved list:
  1. Name: Alert on unapproved servers
  2. Description: Flags tool calls routed to servers not in the approved list
  3. Trigger Conditions:
    • Field: Server Name | Operator: not equals | Value: approved-server-1
    • Field: Server Name | Operator: not equals | Value: approved-server-2
  4. Enforcement Action: Alert

Example: Restrict command execution to internal users

To block execute_command tool calls from users outside your organization:
  1. Name: Block external users from execute_command
  2. Description: Only users with a @company.com email can run execute_command
  3. Trigger Conditions:
    • Field: Tool Name | Operator: equals | Value: execute_command
    • Field: User Email | Operator: not ends with | Value: @company.com
  4. Enforcement Action: Block

Dry-run testing

Before enforcing a guardrail in production, you can dry-run it against historical traffic to preview what it would catch. Dry-run evaluates a saved guardrail against stored traces and returns which requests would have triggered, without affecting live traffic. Dry-run works for all guardrail types.

Running a dry-run

  1. Navigate to Guardrails in the Ultra Hub sidebar
  2. Select a guardrail to open the detail panel
  3. Click Dry Run to evaluate the guardrail against recent traces
The dry-run evaluates the guardrail at the current scope (organization, workspace, or gateway) and returns:
  • Traces evaluated — Total number of historical traces tested
  • Would trigger — Number of traces that would have been caught
  • Events — Details of each trace that would have triggered, including the action that would be taken (block, alert, monitor, or redact) and the matched request context

When to use dry-run

ScenarioWhy dry-run helps
Enabling a new guardrailPreview impact before switching to Block mode
Tuning rate-limit thresholdsSee how different requests_per_window and window_seconds values affect real traffic
Changing enforcement modesUnderstand what would change if you move from Monitor to Block
Custom guardrail validationVerify your trigger conditions match the intended requests
Start guardrails in Monitor mode, run a dry-run after a few hours of traffic, review the results, then promote to Block once you are confident in the coverage.

Viewing Enforcement Events

Every guardrail evaluation is recorded as a GUARDRAIL event in the audit log, regardless of outcome. You can view these in the Audit Log page alongside TOOL CALL events.

Grouped evaluations

When multiple guardrails evaluate a single request, their results share the same trace_id and are displayed as a single collapsible row in the audit log. The group row shows:
  • A Guardrail [N] badge indicating how many evaluations occurred
  • The strongest outcome across all evaluations (deny > redact > alert > monitor > allow)
  • The highest severity across all evaluations (critical > error > warning > info)
Click the expand arrow to reveal every individual evaluation in the group. Each evaluation card shows the guardrail name, enforcement mode, severity, and match count. Click any card to open the full Audit Detail panel for that evaluation. This grouping keeps the audit log readable when many guardrails are active. A single tool call that triggers five guardrails appears as one row instead of five.

Audit detail

Clicking a guardrail event (or an individual evaluation inside a group) opens the Audit Detail panel, which shows:
  • Event type and severity — GUARDRAIL badge with INFO, WARNING, or ERROR severity
  • Timestamp — When the evaluation occurred
  • Context — The tool/action being evaluated, the MCP server it targeted, the MCP client that made the request, and the outcome (ALLOW, BLOCK, ALERT, MONITOR, REDACT)
  • User identity — Name, email, and user ID of the person whose request triggered the evaluation
  • Raw details — Full JSON including the guardrail’s enforcement mode, guardrail ID, which guardrail was evaluated (e.g., parameter-validation, credential-protection), type (builtin or custom), any matches, request context, and trigger details

Severity mapping

OutcomeSeverityDescription
AllowINFOGuardrail evaluated and found no issues
MonitorINFOGuardrail matched but is in monitor mode
AlertWARNINGGuardrail matched and generated a notification
RedactWARNINGGuardrail matched and masked sensitive content
BlockERRORGuardrail matched and prevented the request
Each tool call generates one guardrail event per active guardrail. These events share a trace_id and are grouped into a single expandable row in the audit log.

Next Steps

Anomaly Detection

LLM-powered security analysis for MCP tool calls

Audit Log

View guardrail enforcement events alongside all MCP activity

RBAC

Control who can configure and view guardrails

Dashboard

Monitor guardrail activity in the web dashboard