Ultra’s anomaly detection uses an LLM-as-judge approach to evaluate every MCP tool call for security risks. It runs asynchronously by default — your MCP requests are never slowed down — and maintains per-session history so the judge can spot suspicious patterns across a conversation.

How It Works

Every MCP tool call is evaluated by a Claude model acting as a security judge. The judge analyzes the tool name, arguments, response, and session history to assign a risk score (0.0–1.0) and a risk level.

What the Judge Detects

The security judge evaluates each tool call for these anomaly categories:

| Category | What It Catches |
| --- | --- |
| Injection | Prompt injection, SQL injection, command injection, path traversal in parameters |
| Exfiltration | Data sent to unauthorized destinations, sensitive data in tool parameters |
| Privilege Escalation | Accessing admin tools or elevated operations without authorization context |
| Reconnaissance | Systematic enumeration of resources, servers, or capabilities |
| Unusual Pattern | Calls at unusual times, abnormal frequency, unexpected tool combinations |
| Data Volume | Unusually large responses or bulk data access patterns |
| Rug Pull | Tool descriptions containing hidden instructions or imperative commands |

The judge uses the full session history — not just the current call — to detect patterns. Cross-server operations (reading from one server, writing to another) receive extra scrutiny.

Risk Levels

| Level | Score Range | Description |
| --- | --- | --- |
| None | 0 | No risk detected — completely normal operation |
| Low | Below 0.30 | Normal operations — routine tool calls with no suspicious indicators |
| Medium | 0.30 – 0.59 | Slightly unusual activity — worth logging but rarely actionable |
| High | 0.60 – 0.89 | Suspicious behavior — potential security concern, review recommended |
| Critical | 0.90 and above | Highly dangerous activity — likely malicious, immediate action recommended |

The vast majority of tool calls (~99%) will score as low or medium. High and critical scores are rare and indicate genuinely suspicious behavior like prompt injection attempts, unauthorized data access, or privilege escalation.

Configuration Reference

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| anomaly.enabled | bool | false | Master switch for anomaly detection |
| anomaly.api_key | string | | Anthropic API key (or set ANTHROPIC_API_KEY env var) |
| anomaly.model | string | claude-sonnet-4-20250514 | Claude model used by the LLM judge. Do not change unless directed by Ultra support |
| anomaly.rate_limit | int | 60 | Max evaluations per minute. Do not change unless directed by Ultra support |
| anomaly.mode | string | passive | passive (async) or blocking (sync) |
| anomaly.block_threshold | string | high | Min risk level to block requests (blocking mode only). Options: low, medium, high, critical |
| anomaly.alerting.slack_webhook_url | string | | Slack incoming webhook URL for alert notifications |
| anomaly.alerting.min_risk_level | string | high | Minimum risk level that triggers an alert. You will be alerted on anything at or above this level |

Blocking Threshold Reference

| Threshold Setting | What Gets Blocked | Use Case |
| --- | --- | --- |
| critical | Only scores ≥ 0.90 | Maximum permissiveness — only block the most dangerous calls |
| high | Scores ≥ 0.60 | Recommended default — blocks suspicious activity while allowing normal operations |
| medium | Scores ≥ 0.30 | Aggressive — may block some legitimate edge-case tool calls |
| low | Scores > 0 | Very aggressive — blocks nearly everything flagged. Not recommended for most deployments |
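
Before switching anomaly.mode from passive to blocking, it helps to replay scores collected in passive mode against each block_threshold and see how many calls would have been stopped. The following is an added example, not Ultra's own code: the function names, tool names and sample scores are constructed, and it assumes alerts fire in both modes.

```python
LEVELS = ["none", "low", "medium", "high", "critical"]  # ascending severity

def risk_level(score):
    """Map a judge score (0.0-1.0) to the risk levels in the table above."""
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"score out of range: {score}")
    if score == 0:
        return "none"
    if score < 0.30:
        return "low"
    if score < 0.60:
        return "medium"
    if score < 0.90:
        return "high"
    return "critical"

def decide(score, mode="passive", block_threshold="high", alert_min="high"):
    """Return (level, blocked, alerted) for one evaluated tool call."""
    level = risk_level(score)
    rank = LEVELS.index(level)
    # block_threshold applies in blocking mode only; passive never blocks.
    blocked = mode == "blocking" and rank >= LEVELS.index(block_threshold)
    # Assumption: alerting is independent of mode.
    alerted = rank >= LEVELS.index(alert_min)
    return level, blocked, alerted

def replay(events, thresholds=("low", "medium", "high", "critical")):
    """Count how many recorded calls each block_threshold would have blocked."""
    return {
        t: sum(decide(score, "blocking", t)[1] for _, score in events)
        for t in thresholds
    }

# Constructed sample: (tool name, score) pairs, not real Ultra output.
SAMPLE_EVENTS = [
    ("files.read", 0.0),
    ("files.read", 0.05),
    ("db.query", 0.30),
    ("db.query", 0.59),
    ("http.post", 0.60),
    ("admin.create_user", 0.95),
]

if __name__ == "__main__":
    for name, score in SAMPLE_EVENTS:
        print(name, score, decide(score, mode="passive"))
    print(replay(SAMPLE_EVENTS))
```

With the default passive mode, even the 0.95 call is reported and alerted on but not blocked, so the replay counts are what you would gain by moving to blocking mode at each threshold.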

Next Steps

Dashboard

View anomaly events in the web dashboard

Audit Log

Security audit events for all MCP operations