Why we built Decoy
Every protocol eventually gets its dedicated security layer. MCP is a year in and doesn't have one yet. That's the gap.
I spent most of 2025 building MCP integrations. By the end of the year, I was using agents that could touch my filesystem, query my databases, post to my Slack, and deploy code. Often all in the same session. Often against servers I hadn't personally audited. The tooling to check any of that was my own eyeballs.
That's the gap Decoy fills.
The thesis
Every protocol that becomes a platform gets a security layer. HTTP got WAFs and DAST scanners. npm got Snyk. Containers got Twistlock. The pattern is always the same: protocol ships, adoption hockey-sticks, attack surface becomes obvious, tooling emerges.
MCP is at step three. Adoption is through the roof. The attack surface is now obvious. Step four is what we're building.
The product, in four lines
- Scan — `npx decoy-scan` runs static checks against every MCP server on your machine. Tool classification, prompt-injection detection, toxic-flow analysis, manifest drift, skill scanning. Zero dependencies, no account.
- Red Team — `npx decoy-redteam --live` executes 53 adversarial attacks against your servers. SQL injection, prompt override, credential extraction, protocol abuse, privilege escalation. Dry-run by default.
- Tripwire — Decoy tools installed alongside real servers that only a compromised agent would call. Every trigger is signal.
- Guard — The dashboard. Continuous scans, threat intel, agent fingerprinting, SSO, compliance reports. $29/user/mo Team, $99/user/mo Business. Free forever for individuals.
Three OSS packages, one SaaS, all built to answer a single question: is this agent session safe?
What's next
We ship weekly. The team is small on purpose. The protocol is young and the right moves change fast. If you're seeing MCP-specific threats in the wild and want to compare notes, email tony@decoy.run.