Ultra’s anomaly detection uses an LLM-as-judge approach to evaluate every MCP tool call for security risks. It runs asynchronously by default — your MCP requests are never slowed down — and maintains per-session history so the judge can spot suspicious patterns across a conversation.
How It Works
Every MCP tool call is evaluated by a Claude model acting as a security judge. The judge analyzes the tool name, arguments, response, and session history to assign a risk score (0.0–1.0) and a risk level.
What the Judge Detects
The security judge evaluates each tool call for these anomaly categories:
| Category | What It Catches |
|---|---|
| Injection | Prompt injection, SQL injection, command injection, path traversal in parameters |
| Exfiltration | Data sent to unauthorized destinations, sensitive data in tool parameters |
| Privilege Escalation | Accessing admin tools or elevated operations without authorization context |
| Reconnaissance | Systematic enumeration of resources, servers, or capabilities |
| Unusual Pattern | Calls at unusual times, abnormal frequency, unexpected tool combinations |
| Data Volume | Unusually large responses or bulk data access patterns |
| Rug Pull | Tool descriptions containing hidden instructions or imperative commands |
Risk Levels
| Level | Score Range | Description |
|---|---|---|
| None | 0 | No risk detected — completely normal operation |
| Low | Below 0.30 | Normal operations — routine tool calls with no suspicious indicators |
| Medium | 0.30 – 0.59 | Slightly unusual activity — worth logging but rarely actionable |
| High | 0.60 – 0.89 | Suspicious behavior — potential security concern, review recommended |
| Critical | 0.90 and above | Highly dangerous activity — likely malicious, immediate action recommended |
The vast majority of tool calls (~99%) will score as low or medium. High and critical scores are rare and indicate genuinely suspicious behavior like prompt injection attempts, unauthorized data access, or privilege escalation.
Configuration Reference
| Field | Type | Default | Description |
|---|---|---|---|
| anomaly.enabled | bool | false | Master switch for anomaly detection |
| anomaly.api_key | string | — | Anthropic API key (or set ANTHROPIC_API_KEY env var) |
| anomaly.model | string | claude-sonnet-4-20250514 | Claude model used by the LLM judge. Do not change unless directed by Ultra support |
| anomaly.rate_limit | int | 60 | Max evaluations per minute. Do not change unless directed by Ultra support |
| anomaly.mode | string | passive | passive (async) or blocking (sync) |
| anomaly.block_threshold | string | high | Min risk level to block requests (blocking mode only). Options: low, medium, high, critical |
| anomaly.alerting.slack_webhook_url | string | — | Slack incoming webhook URL for alert notifications |
| anomaly.alerting.min_risk_level | string | high | Minimum risk level that triggers an alert. You will be alerted on anything at or above this level |
Blocking Threshold Reference
| Threshold Setting | What Gets Blocked | Use Case |
|---|---|---|
| critical | Only scores ≥ 0.90 | Maximum permissiveness — only block the most dangerous calls |
| high | Scores ≥ 0.60 | Recommended default — blocks suspicious activity while allowing normal operations |
| medium | Scores ≥ 0.30 | Aggressive — may block some legitimate edge-case tool calls |
| low | Scores > 0 | Very aggressive — blocks nearly everything flagged. Not recommended for most deployments |
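The sketch below is an added example, not Ultra's code: it models how a judge score maps to a risk level and how `anomaly.mode`, `anomaly.block_threshold` and `anomaly.alerting.min_risk_level` combine into a block and alert decision, following the tables above. Assumptions: scores between 0.59 and 0.60 count as medium, an alert destination is configured, and the names `risk_level`, `AnomalyConfig` and `decide` are hypothetical.

```python
from dataclasses import dataclass

# Ordered from least to most severe, as in the Risk Levels table.
LEVELS = ["none", "low", "medium", "high", "critical"]


def risk_level(score: float) -> str:
    """Map a judge score (0.0-1.0) to a documented risk level."""
    if not 0.0 <= score <= 1.0:          # also rejects NaN
        raise ValueError(f"score out of range: {score}")
    if score == 0:
        return "none"
    if score < 0.30:
        return "low"
    if score < 0.60:                     # assumption: 0.59-0.60 gap is medium
        return "medium"
    if score < 0.90:
        return "high"
    return "critical"


@dataclass
class AnomalyConfig:
    # Defaults copied from the Configuration Reference table.
    mode: str = "passive"                # anomaly.mode
    block_threshold: str = "high"        # anomaly.block_threshold
    alert_min_risk_level: str = "high"   # anomaly.alerting.min_risk_level


def decide(score: float, cfg: AnomalyConfig) -> dict:
    """Return the level plus whether the call is blocked and alerted."""
    level = risk_level(score)
    rank = LEVELS.index(level)
    # block_threshold applies in blocking mode only; passive never blocks.
    blocked = (cfg.mode == "blocking"
               and rank >= LEVELS.index(cfg.block_threshold))
    # Alerting is evaluated independently of the blocking decision.
    alerted = rank >= LEVELS.index(cfg.alert_min_risk_level)
    return {"level": level, "blocked": blocked, "alerted": alerted}


if __name__ == "__main__":
    # Constructed sample scores, including the boundary values.
    for cfg in (AnomalyConfig(), AnomalyConfig(mode="blocking"),
                AnomalyConfig(mode="blocking", block_threshold="low")):
        for s in (0.0, 0.05, 0.30, 0.59, 0.60, 0.90):
            print(cfg.mode, cfg.block_threshold, s, decide(s, cfg))
```

With the documented defaults, a critical score raises an alert but is not blocked, because the default mode is passive.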