Runlayer named to Rising in Cyber 2026 List by Morgan Stanley →
Back to blog
Andy Berman
Runlayer and Anthropic MCP Tunnels: connecting Claude to systems behind your firewall

Runlayer and Anthropic MCP Tunnels: connecting Claude to systems behind your firewall

Today, Anthropic shipped MCP Tunnels. Runlayer and Anthropic collaborated on this product, and the Runlayer platform supports MCP Tunnels today.

If you use Claude Code, Claude Cowork, or Claude Design, then you’ve already hit a security wall. Claude lives and executes within Anthropic servers. Meanwhile, your Jira, telemetry, internal APIs, and databases exist within your private network. This topology mismatch is an issue: connecting to Claude means exposing your internal systems to the public Internet.

Until recently, the only solution was poking exceptions in your firewall restrictions for Claude or compromising on Claude’s access. Anthropic has shipped a fix: MCP tunnels. Runlayer serves as the customer-side layer to deploy these tunnels to production.

The constraint

Every Claude rollout hits the same wall: the model is outside your network. The tooling that makes it useful is inside, and the default path to connect them is opening inbound ports for MCP servers. That's a non-starter in financial services, healthcare, and anywhere with a real compliance posture. Teams either give Claude a stripped-down slice of context and throw away most of the value, or they break their security posture and hope nobody notices.

How MCP Tunnels flip the direction

Anthropic's design inverts the connection, using a reverse tunnel so traffic is always outbound-initiated. Your network reaches out to Anthropic instead of Anthropic reaching in.

Here's how it works:

  1. You deploy a tunnel endpoint inside your network using Docker Compose or a Helm chart, pointed at Runlayer and your MCP servers. This serves as the inbound access point.
  2. On Anthropic's side, an internal service called Toolbox acts as the MCP client. Toolbox brokers MCP calls across every Anthropic surface: Claude Code, Claude Enterprise, and agentic products.
  3. The tunnel uses end-to-end mTLS, with Anthropic layering its own encryption on top of that, independent of the underlying channel. The keys stay with you. A transport-layer exposes no customer data with no cross-customer commingling.
  4. OAuth handles MCP-level auth on top of the secured channel.

The architecture was designed for companies where the answer to "can we open an inbound port" is always no.

What Runlayer handles on the customer side

The tunnel handles the connection. But it doesn't dictate what MCP servers are available, what groups reach which tools, or what policies apply. That's Runlayer's job.

One endpoint, many MCP servers. Runlayer's gateway aggregates your MCP servers behind a single endpoint, with access scoped by group. Engineering gets one toolset, marketing gets another, but everyone gets a shared baseline. The same identity policies you already enforce apply here. Runlayer integrates with Okta and Entra out-of-the-box.

One-click install, every Claude surface. Before the tunnel, every Anthropic client (Claude Code, Claude.ai, Claude Desktop) was its own configuration silo. With Runlayer behind the tunnel, every surface picks up your MCP servers automatically. That means no per-client setup, no drift between them.

Real-time scanning. Runlayer scans your MCP traffic for prompt injection, tool poisoning, and data exfiltration attempts, powered by internal models trained on emerging exploits.

SIEM-ready events. Runlayer provides audit events that are OTel exportable, so you can integrate Claude tool telemetry with your existing observability stack.

As Claude work moves to async, cloud-side execution, the access pattern shifts from developers to cloud processes reaching MCP servers. Per-laptop installations don't scale to that. Runlayer does.

We worked with Anthropic on this

We worked with Anthropic through the MCP Tunnels development process. We've seen firsthand where enterprise teams hit friction: identity policy gaps, per-client config drift, and poor observability of Claude’s tool calls. We've shaped Runlayer's integration around those specific failure points, and we run this architecture internally ourselves.

What changes for enterprise rollouts

MCP Tunnels removes the two blockers that made MCP impractical for regulated environments: inbound network exposure and per-developer credential sprawl. With Runlayer behind MCP Tunnels, you get:

  • Claude with real access to internal systems, without opening your network
  • Centralized auth and policy through your existing IdP
  • Consistent tool access across every Anthropic surface
  • A deployment shape that scales from one team's pilot to org-wide production

Book a demo. We'll show you exactly how it fits your environment.

May 20, 2026
 • 
Andy Berman
Read more
Don’t build your own MCP gateway

Don’t build your own MCP gateway

Senior engineers look at an MCP gateway and see a reverse proxy with auth and logs. That instinct is wrong. MCP attack vectors shift constantly, performance breaks at scale in specific ways, and threat detection requires MCP-specific signals that generic tools miss.
May 18, 2026
 • 
Alex Frazer
Fine-Grained Permissions and Identity Management for AI Agents

Fine-Grained Permissions and Identity Management for AI Agents

MCP adoption has exploded inside enterprises, with shadow servers and over-provisioned agents creating an attack surface most security teams haven't caught up to. Traditional IAM, OAuth, and RBAC weren't built for non-deterministic agents that delegate to other agents.
May 18, 2026
 • 
Tal Peretz
Runlayer named to Rising in Cyber 2026

Runlayer named to Rising in Cyber 2026

Runlayer was named to Notable Capital & Morgan Stanley's 2026 Rising in Cyber list, voted on by 150 sitting CISOs. Andy Berman on why the recognition matters, and what it signals about how AI-native companies are getting built.
May 12, 2026
 • 
Andy Berman
Why production AI systems need MCP gateways

Why production AI systems need MCP gateways

An MCP gateway acts as the centralized proxy layer for agent-to-tool communications, handling tool discovery, authentication, input/output filtering, and observability across an organization's agentic systems.
May 11, 2026
 • 
Tal Peretz
The MCP STDIO RCE class, and why Runlayer doesn't run what the LLM asks it to

The MCP STDIO RCE class, and why Runlayer doesn't run what the LLM asks it to

OX Security found a design-level flaw in Anthropic's Model Context Protocol. MCP's STDIO transport turns a config file into a command executor. Here's how Runlayer's control plane breaks each of the four attack vectors.
Apr 22, 2026
 • 
Alex Frazer
Runlayer and AARM Partner to Secure Enterprise Agents

Runlayer and AARM Partner to Secure Enterprise Agents

Runlayer achieves AARM Extended Conformance (R1–R9), partnering with the Vanta-backed open specification to define how enterprises secure AI agents at runtime.
Apr 15, 2026
 • 
Tal Peretz
What Project Glasswing means for enterprise security

What Project Glasswing means for enterprise security

What Project Glasswing and Claude Mythos mean for enterprise security teams, and why your patch workflows, dependency management, and MCP governance need to evolve now.
Apr 11, 2026
 • 
Tal Peretz
The Danger of Fake MCP Servers

The Danger of Fake MCP Servers

Fake MCP servers pose a growing security risk, enabling data leaks, tool poisoning, and compromised AI behavior. Learn how these attacks work and how organizations can prevent them with proper controls and monitoring.
Apr 7, 2026
 • 
Tal Peretz
Runlayer + 1Password: Secure Credential Access for AI Agents

Runlayer + 1Password: Secure Credential Access for AI Agents

Runlayer and 1Password partner to bring secure, auditable credential access to autonomous AI agents. The integration lets enterprises inject secrets from 1Password vaults into agent sessions managed by Runlayer, replacing plaintext .env files with centralized governance, real-time retrieval, and full audit logging across human and non-human identities.
Mar 17, 2026
 • 
Tal Peretz
Honestly, MCP doesn’t “suck”

Honestly, MCP doesn’t “suck”

Garry Tan recently argued that MCP “sucks,” citing context-window bloat and weak authentication. This article breaks down why those criticisms miss the mark—and why MCP remains the better foundation for agents operating at enterprise scale.
Mar 12, 2026
 • 
Vitor Balocco
FGA is not enough for your agent authorization

FGA is not enough for your agent authorization

PBAC beats FGA for agent authorization — context-aware, auditable, asymmetric access control without graph complexity.
Mar 9, 2026
 • 
Alvaro Inckot
Scale MCP with Dynamic Tool use

Scale MCP with Dynamic Tool use

Dynamic tool use cuts token waste from MCP by replacing bulk tool loading with lightweight search, saving cost without custom implementation.
Feb 20, 2026
 • 
Vitor Balocco
OpenAI Agent Builder’s MCP Problem

OpenAI Agent Builder’s MCP Problem

OpenAI AgentKit/Agent Builder launched in Oct 2025 but, despite early hype, its limited integrations and weak security (e.g., unverified MCP servers, no namespace isolation, insufficient guardrails) create a large enterprise attack surface—prompting calls for controls like a trusted MCP catalog, tool gateway auditing, RBAC/least privilege, and stronger governance (e.g., via Runlayer).
Feb 19, 2026
 • 
Tal Peretz
Pwning OpenClaw in 50 Messages: Social Engineering Claude Opus Into Handing Over the Keys

Pwning OpenClaw in 50 Messages: Social Engineering Claude Opus Into Handing Over the Keys

A Claude Opus–powered OpenClaw agent with Slack and shell access was social-engineered in ~50 messages to rebind its UI, install ngrok, expose the dashboard publicly, reveal its gateway token, and approve the attacker’s device.
Feb 16, 2026
 • 
Alex Frazer
Unpacking the OWASP Top 10 for MCP

Unpacking the OWASP Top 10 for MCP

An overview of the OWASP MCP Top 10, highlighting the biggest security risks in MCP-enabled AI systems and the key safeguards teams can use to prevent them.
Feb 10, 2026
 • 
Alex Frazer
MCP Apps highlight the power of protocol governance

MCP Apps highlight the power of protocol governance

MCP Apps let tools render interactive UIs directly in chat via the same MCP protocol—not a new execution path. With Runlayer intercepting tool calls, resource fetches, and auth headers, existing MCP security controls apply from day one.
Jan 30, 2026
 • 
Tal Peretz
Announcing Box and Runlayer's partnership on Enterprise MCP

Announcing Box and Runlayer's partnership on Enterprise MCP

Connect AI agents to Box content with enterprise security. The official Box MCP server is live in the Runlayer marketplace, with identity enforcement, audit logging, and threat detection built in. Box customers can find Runlayer in the Box Integrations Center. Setup takes minutes.
Jan 27, 2026
 • 
Aidan Sochowski
MCP vs CLI Tools: Which is best for production applications?

MCP vs CLI Tools: Which is best for production applications?

CLI tools feel familiar to AI agents, but they break down in production due to brittle syntax, poor state management, and dangerous security assumptions. This post explains why CLI-based agent workflows fail and how a single-tool MCP using a known programming language offers a more reliable and secure alternative.
Jan 25, 2026
 • 
Vitor Balocco
Runlayer Product Update: 1.25.0

Runlayer Product Update: 1.25.0

This update is about momentum: moving faster in the CLI, getting clearer visibility into what’s running, and debugging with less friction. Expect smoother workflows, better control, and fewer surprises as you build and ship.
Jan 23, 2026
 • 
Engineering
MCP Prompt Injection Attacks: How to Protect Your AI Agents

MCP Prompt Injection Attacks: How to Protect Your AI Agents

Two near-invisible prompt injection attacks showed how attackers can bypass default enterprise guardrails and trigger silent, ongoing data exfiltration by exploiting user and model trust. Runlayer blocks these attacks by treating every input as untrusted until it passes continuously updated security models trained on the latest real-world exploits.
Jan 19, 2026
 • 
Jake Moghtader
Cursor Hooks + MCP Security: Official Runlayer Partnership Announcement

Cursor Hooks + MCP Security: Official Runlayer Partnership Announcement

Runlayer is an official Cursor Hooks launch partner. With Cursor Hooks, securely allow or deny MCP tool calls with Runlayer's enterprise MCP platform.
Dec 18, 2025
 • 
Marcin Jan Puhacz
The main takeaways from GitHub’s MCP Vulnerability

The main takeaways from GitHub’s MCP Vulnerability

GitHub’s MCP vulnerability revealed how AI agents can be weaponized through poisoned context in public repositories. This post analyzes the exploit, explains why permissions alone aren’t enough, and shares practical guardrails for preventing and mitigating agent-driven data exfiltration.
Dec 16, 2025
 • 
Vitor Balocco
Runlayer Joins Anthropic, OpenAI, & Google as AAIF Founding Member

Runlayer Joins Anthropic, OpenAI, & Google as AAIF Founding Member

The Linux Foundation has launched the Agentic Artificial Intelligence Foundation (AAIF), with Runlayer joining sponsors Anthropic, OpenAI, Google, AWS, Microsoft. AAIF now oversees the Model Context Protocol (MCP), reinforcing MCP as a rising standard for AI agent integration. Runlayer supports AAIF’s open, secure, and scalable AI development mission.
Dec 9, 2025
 • 
Andy Berman
Runlayer Raises $11M to Scale Enterprise MCP Infrastructure

Runlayer Raises $11M to Scale Enterprise MCP Infrastructure

Nov 17, 2025
 • 
Andy Berman
MCP Security Risks: Your AI Agent is Probably Leaking Data Right Now

MCP Security Risks: Your AI Agent is Probably Leaking Data Right Now

MCP adoption is accelerating across major platforms, but security risks—like malicious servers, prompt injection, and tool-level exploits—are growing just as fast. This post breaks down real attack scenarios that show how easily data can leak when MCP implementations are trusted by default. It also outlines practical defenses for users and builders, plus why companies need audited MCP catalogs, gateway proxies, and sandboxing to stay secure at scale.
Nov 12, 2025
 • 
Vitor Balocco
Why MCP builders are transitioning from DCR to OAuth CIMD

Why MCP builders are transitioning from DCR to OAuth CIMD

Over the last year, MCP has surged in adoption. To little surprise, this has introduced some scaling issues. One of these is client registration; previously, systems were rigged together by humans. Today, AI agents discover and interface with MCP servers freely, requiring a new paradigm for client communications.
Nov 7, 2025
 • 
Vitor Balocco
What is Dynamic Client Registration?

What is Dynamic Client Registration?

Tired of manually registering every AI agent with every OAuth server? Dynamic Client Registration (DCR) lets your agents authenticate with MCP servers at runtime, no human clicks required. Learn how DCR works, when to use it over traditional OAuth, and why it's becoming essential for scalable agentic systems.
Nov 6, 2025
 • 
Vitor Balocco
The fastest path to AI Transformation

Runlayer makes it easy to scale MCP, skills, and agents across your organization. Local or remote, every AI tool is secure, discoverable, and simple to manage.

Get an AI summary of this page
OpenAI logo featuring an abstract geometric knot design.Abstract symmetrical starburst shape with multiple elongated rounded spikes radiating from the center in dark gray.Abstract geometric logo consisting of symmetrical angular lines forming a star-like shape.
Solutions
Company
Resources
Connect
© Copyright 2026 Anysource Inc.
SOC 2 Certified
HIPAA Certified
GDPR Certified
Terms of Service
Privacy Policy