ClawHosters ClawHosters
Subs -10% SUB-10
Claws -25% LAUNCH-CLAWS
Runlayer Launches Enterprise MCP Security for OpenClaw: Shadow Detection and ToolGuard
$ ./blog/news
News

Runlayer Launches Enterprise MCP Security for OpenClaw: Shadow Detection and ToolGuard

ClawHosters
ClawHosters by Daniel Samer
3 min read

$11 million in funding. Khosla Ventures and Felicis leading the round. And now Runlayer just shipped two products that directly address the biggest headache in enterprise AI right now: nobody knows what MCP servers are running on their machines.

The timing for MCP security couldn't be more pointed. Microsoft published a security advisory the day before, basically telling companies that OpenClaw "is not appropriate to run on a standard personal or enterprise workstation." CrowdStrike and Snyk followed with their own warnings. The security community is nervous, and honestly? They probably should be.

What Runlayer Actually Built

Two products under the "OpenClaw for Enterprise" umbrella, according to VentureBeat's coverage:

OpenClaw Watch scans enterprise fleets via MDM integration to find shadow MCP servers. Think of it as an audit tool. If someone on your team spun up an MCP server that IT never approved, Watch finds it.

ToolGuard monitors every tool call in real time. The claim is 90%+ detection rate for credential exfiltration attempts (AWS keys, database credentials, Slack tokens), with sub-100ms latency. TechBuddies reports that prompt injection resistance goes from 8.7% to 95% with ToolGuard active.

Both products integrate with Okta and Microsoft Entra for identity management.

Who's Using It

Gusto, Instacart, Homebase, AngelList. All enterprise customers. TechCrunch covered the initial funding round back in November 2025, so this has been in the works for a while.

What This Means If You Run OpenClaw

Here's the thing. Runlayer targets a very specific audience: large enterprises with MDM fleets, SOC 2 requirements, and Okta-level identity management. That's probably not you if you're reading this blog.

For SMBs and developers who just want OpenClaw running without the security anxiety, managed hosting solves the same underlying problem from a different angle. You don't need shadow MCP detection if your hosting environment is already hardened. You don't need fleet-wide scanning if your instance runs on an isolated, pre-configured server.

Runlayer's $11M validates something we've been saying: MCP security matters. Their approach is enterprise governance. Ours is managed simplicity. Different segments, same core problem.

Check out our Safety Scanner if you want to see how we handle security on the managed hosting side.

Frequently Asked Questions

Shadow MCP detection identifies unauthorized MCP servers running across company devices. Runlayer's OpenClaw Watch uses MDM integration to scan corporate fleets and flag MCP servers that IT teams didn't approve, helping enterprises maintain control over their AI tool usage.

No. ToolGuard monitors tool calls at the application layer, catching credential exfiltration and prompt injection attacks. It works alongside network security, not instead of it. Think of it as runtime monitoring specifically for MCP tool interactions.

Probably not. Runlayer targets enterprises managing hundreds of devices with Okta and MDM. If you use managed hosting like ClawHosters, your instance already runs in an isolated, hardened environment with built-in security scanning. Different approach, same goal.
*Last updated: February 2026*

Sources

  1. 1 Microsoft published a security advisory
  2. 2 VentureBeat's coverage
  3. 3 TechBuddies reports
  4. 4 TechCrunch covered the initial funding round
  5. 5 hosting environment is already hardened
  6. 6 isolated, pre-configured server
  7. 7 Safety Scanner
$ ./related --posts