Skip to main content
Ultra Guardrails let you define and enforce security policies across your MCP infrastructure. Every tool call passes through the guardrails engine before reaching upstream servers, giving you real-time protection against credential leakage, destructive actions, input manipulation, and more. Guardrails are configured in Ultra Hub and automatically synced to all connected gateways. Built-in guardrails are recommended during configuration, protecting your environment from the most common MCP security threats out of the box.

How Guardrails Work

When an MCP tool call arrives at an Ultra gateway, the guardrails engine evaluates it against all active guardrails in parallel. Each guardrail inspects the request (tool name, parameters, server context) and returns a decision. The strictest decision wins.

Enforcement Modes

Every guardrail runs in one of four enforcement modes:
ModeBehavior
BlockPrevents the request from reaching the upstream server. The client receives an error with the guardrail name and reason.
AlertAllows the request but generates a warning-level audit event. Use this to monitor potential issues without disrupting workflows.
MonitorAllows the request and records the event silently. Use this for visibility without notifications.
RedactAllows the request after masking matched content in both the request and response. Matched values are replaced with [REDACTED].
Guardrails are fail-closed. If an evaluation error occurs or an evaluator is unavailable, the request is blocked regardless of the configured enforcement mode.

Scoping

Guardrails can be configured at three levels, with higher levels taking precedence:
ScopeDescription
OrganizationApplies to all workspaces and gateways in your org. Org-level settings override everything below.
WorkspaceApplies to all gateways in a workspace. Overrides gateway-level settings.
GatewayApplies to a single gateway. Most granular scope.
This lets you set org-wide baseline policies while allowing workspaces or individual gateways to have stricter configurations where needed.

Built-in Guardrails

Ultra ships with built-in guardrails that are recommended during configuration. These cover the most critical MCP security risks and require no configuration to start protecting your environment. You can view the full list, descriptions, and configuration options for each guardrail in the Guardrails page in Ultra Hub.
GuardrailCategoryDescription
Parameter Validation and Input SanitizationInput ProtectionValidates tool call parameters against type constraints, range limits, and dangerous patterns like path traversal (../), dangerous CLI flags (--exec, --privileged), shell injection, and command chaining. Supports configurable allowed-directory restrictions and per-parameter blocklists.
Credential and Secret ProtectionData ProtectionDetects and blocks access to credential files (.env, .aws/credentials, .ssh/id_*, and more), secrets in tool parameters (API keys, tokens, private key headers), and cloud metadata endpoints. Automatically redacts matched secret values in audit log entries.
In-Line Authorization and Destructive Action BlockingAccess ControlBlocks destructive actions before they reach target systems. Covers destructive tool names (delete_*, drop_*, rm_*), dangerous SQL and shell operations in parameters, code/git write tools, and financial/payment tools. Each category can be independently enabled or disabled.
Rate LimitingInfrastructureConfigurable request rate limits per MCP server to prevent resource exhaustion and enforce usage quotas. Define rules with per-server or wildcard limits using fixed time windows.

Guardrail Categories

Guardrails are organized into categories that map to different areas of MCP security:
CategoryDescriptionBuilt-in Guardrails
Input ProtectionValidates and sanitizes incoming tool call parametersParameter Validation and Input Sanitization
Data ProtectionPrevents credential leakage and secret exposureCredential and Secret Protection
Access ControlEnforces authorization and blocks destructive actionsIn-Line Authorization and Destructive Action Blocking
Output SafetyFilters and validates tool call responses
InfrastructureRate limiting, circuit breaking, and availability protectionRate Limiting

Choosing Your Guardrail Configuration

Default Protection

Built-in guardrails are recommended during configuration and run in Block mode. For most organizations, enabling all built-in guardrails provides strong baseline security with no additional setup required. Before adding custom guardrails or changing enforcement modes, consider your team’s workflows.

Scoping Flow

When configuring guardrails, work from broad to specific:
  1. Start at the organization level — Set your baseline security posture. The built-in guardrails are recommended here. Most organizations should keep them all enabled in Block mode at the org level.
  2. Adjust at the workspace level — If certain teams need different policies (for example, a development workspace where destructive actions are acceptable for testing), override specific guardrails at the workspace level.
  3. Fine-tune at the gateway level — For individual gateways that need special treatment, apply gateway-level overrides. This is the most granular scope and is useful for edge cases.

When to Change Enforcement Modes

ScenarioRecommended Mode
Production environments with sensitive dataBlock — Prevent threats from reaching upstream servers
New deployment, evaluating guardrail coverageAlert — See what would be caught without disrupting workflows
Development or staging environmentsMonitor — Log everything for visibility, allow all requests
Handling sensitive data that must not appear in logsRedact — Mask matched content in requests and responses

Adding Guardrails Beyond Defaults

Consider enabling additional guardrails if your environment involves:
  • Custom internal tools — Create custom guardrails (see below) to enforce organization-specific policies on tool names, parameters, or servers
  • Multi-tenant environments — Layer workspace-level and gateway-level guardrails to isolate tenants
  • Compliance requirements — Check the framework coverage tags on each guardrail to map your coverage against AARM, SAFE, and AUIC-1 frameworks
  • Sensitive data workflows — Switch credential protection to Redact mode if you need requests to proceed but want secrets masked

Custom Guardrails

Beyond the built-in guardrails, you can create custom guardrails to enforce organization-specific security policies. Custom guardrails use the same evaluation engine and enforcement modes as built-in guardrails.

Creating a Custom Guardrail

  1. Navigate to Guardrails in the Ultra Hub sidebar
  2. Click + Create Custom Guardrail in the top-right corner
  3. Fill in the guardrail details:
    • Name — A descriptive name (e.g., “Block /secrets directory access”)
    • Description — What the guardrail does and why

Trigger Conditions

Trigger conditions define when the guardrail fires. Each condition has three parts: a field, an operator, and a value. You can add multiple conditions joined with AND logic using + Add condition (AND). Available fields:
FieldDescription
Tool NameThe name of the MCP tool being called
Server NameThe upstream server handling the request
Resource URIThe resource being accessed
Any ParameterMatches against all parameter values
Parameter…Matches against a specific named parameter
Trigger conditions match against values at any depth in the request parameters, not just top-level fields. If a tool call includes nested objects or arrays, the condition will evaluate against values found within them as well.
Available operators:
OperatorDescription
equalsExact match
not equalsDoes not match exactly
containsValue includes the specified string
not containsValue does not include the specified string
starts withValue begins with the specified string
ends withValue ends with the specified string
matches regexValue matches a regular expression pattern
in listValue is one of a comma-separated list
greater thanNumeric comparison
less thanNumeric comparison

Enforcement Action

Choose the enforcement action for your custom guardrail:
  • Block — Hard block with denial receipt. The request is stopped and the client receives an error.
  • Alert — Notify but allow action. The request proceeds and a warning event is generated.
  • Monitor — Log only, no notification. The request proceeds silently.
  • Redact — Mask sensitive data in transit. Matched content is replaced with [REDACTED].

Example: Block Access to Secrets Directory

To create a guardrail that blocks any tool call attempting to access files in a /secrets/ directory:
  1. Name: Block /secrets directory access
  2. Description: Prevents any tool from reading or writing files in the /secrets directory
  3. Trigger Conditions:
    • Field: Any Parameter | Operator: contains | Value: /secrets/
  4. Enforcement Action: Block

Example: Alert on Unrecognized Servers

To get notified when tool calls hit a server outside your approved list:
  1. Name: Alert on unapproved servers
  2. Description: Flags tool calls routed to servers not in the approved list
  3. Trigger Conditions:
    • Field: Server Name | Operator: not equals | Value: approved-server-1
    • Field: Server Name | Operator: not equals | Value: approved-server-2
  4. Enforcement Action: Alert

Viewing Enforcement Events

Every guardrail evaluation is recorded as a GUARDRAIL event in the audit log, regardless of outcome. You can view these in the Audit Log page alongside TOOL CALL events. Clicking a guardrail event opens the Audit Detail panel, which shows:
  • Event type and severity — GUARDRAIL badge with INFO, WARNING, or ERROR severity
  • Timestamp — When the evaluation occurred
  • Context — The tool/action being evaluated, the MCP server it targeted, the MCP client that made the request, and the outcome (ALLOW, BLOCK, ALERT, REDACT)
  • User Identity — Name, email, and user ID of the person whose request triggered the evaluation
  • Raw details — Full JSON including the guardrail’s enforcement mode, guardrail ID, which guardrail was evaluated (e.g., parameter-validation, credential-protection), type (builtin or custom), any matches, request context, and trigger details

Severity Mapping

OutcomeSeverityDescription
AllowINFOGuardrail evaluated and found no issues
MonitorINFOGuardrail matched but is in monitor mode
AlertWARNINGGuardrail matched and generated a notification
BlockERRORGuardrail matched and prevented the request
Each tool call generates one guardrail event per active guardrail, so you will typically see multiple GUARDRAIL events at the same timestamp corresponding to a single TOOL CALL event.

Next Steps

Anomaly Detection

LLM-powered security analysis for MCP tool calls

Audit Log

View guardrail enforcement events alongside all MCP activity

RBAC

Control who can configure and view guardrails

Dashboard

Monitor guardrail activity in the web dashboard