Decoy Guard

Decoy Guard is the managed side of Decoy. Everything the open-source scanner and tripwires produce flows into Guard: trigger events, agent fingerprints, scan history, and a continuously updated MCP threat intel feed. You interact with Guard two ways: through the web dashboard and through the hosted MCP server, which lets your AI agent query its own security posture.

Free tier — five read-only tools

Point your agent at https://app.decoy.run/guard/{token} (see MCP Server setup) and these tools appear:

• decoy_status — current deployment status, active tripwires, trigger count
• decoy_triggers — recent tripwire trigger events
• decoy_agents — connected agents with fingerprint and last-seen
• decoy_scan_summary — latest scan findings by severity
• decoy_scan_run — run a scan on tool schemas you provide

Pro and Business tools

Pro unlocks active threat intelligence and assessment tools:

• decoy_risk — risk score and recommendations for your workspace
• decoy_feed — MCP threat feed (advisories, attack patterns)
• decoy_test_trigger — fire a test trigger to verify alerting
• decoy_redteam — run AI-powered adversarial testing against your servers

Business adds audit export, custom detection rules, and SAML SSO access to the dashboard itself.

Data flow

Every scan, trigger, and red-team run across every Decoy install feeds the same anonymized corpus. The more Decoy is used, the sharper Guard's threat feed gets, without any of your workspace data leaving your tenant.