Decoy Guard
The paid dashboard and hosted MCP server. Live triggers, agent fingerprints, scan history, threat intel — queryable from your agent or the web.
Decoy Guard is the managed side of Decoy. Everything the open-source scanner and tripwires produce flows into Guard: trigger events, agent fingerprints, scan history, and a continuously updated MCP threat intel feed. You interact with Guard two ways — through the web dashboard and through the hosted MCP server, which lets your AI agent query its own security posture.
Free tier — five read-only tools
Point your agent at https://app.decoy.run/guard/{token} (see MCP Server setup) and these tools appear:
- decoy_status — current deployment status, active tripwires, trigger count
- decoy_triggers — recent tripwire trigger events
- decoy_agents — connected agents with fingerprint and last-seen
- decoy_scan_summary — latest scan findings by severity
- decoy_scan_run — run a scan on tool schemas you provide
Pro and Business tools
Pro unlocks active threat intelligence and assessment tools:
- decoy_risk — risk score and recommendations for your workspace
- decoy_feed — MCP threat feed (advisories, attack patterns)
- decoy_test_trigger — fire a test trigger to verify alerting
- decoy_redteam — run AI-powered adversarial testing against your servers
Business adds audit export, custom detection rules, and SAML SSO access to the dashboard itself.
Data flow
Every scan, trigger, and red-team run across every Decoy install feeds the same anonymized corpus. The more Decoy is used, the sharper Guard's threat feed gets — without any of your workspace data leaving your tenant.