Cross AI Tools

Discover Claude Code plugins, extensions, and tools. Automatically updated directory of Anthropic Claude AI marketplaces with development tools, productivity plugins, and integrations.

Built for the Claude Code community with Claude Code by @mertduzgun

Independent project, not affiliated with Anthropic

Dredd MCP

pduggusa/dredd-mcp
Transport: HTTP | Registry: active
Summary

A preflight security layer that checks MCP servers before your agent invokes their tools. Dredd queries its threat intelligence backend to flag compromised dependencies, tool surface drift, remote URL changes, and permission escalation. It returns BLOCK, ADVISORY, or ALLOW verdicts in under 200ms, each HMAC-signed. You call check_mcp_server with a server name, optional version, and optional tool name before execution. Useful if you're consuming third-party MCP servers and want a second opinion on whether their dependency tree or runtime behavior has shifted since you last vetted them. Fails open by design so it won't brick your workflow if the backend is unreachable.

Dredd MCP — Pre-Flight Security for the MCP Ecosystem

"Jeevesus saves. Dredd judges."

Dredd MCP is a pre-invocation security check for the Model Context Protocol ecosystem. Before your agent calls a tool on any other MCP server, Dredd renders a verdict: BLOCK, ADVISORY, or ALLOW. Every verdict is HMAC-signed and cites the IOC or behavioral signal that drove the decision.

The MCP ecosystem has had no defender. Three PyPI ML packages were compromised in eight days during late April 2026. Twenty-plus MCP-named GitHub repositories were caught serving SmartLoader malware in the wild. The official MCP Registry was clean of those when we measured — but the typosquat surface is wide open.

Dredd is the layer that catches the next compromise before the malicious tool gets called.


What Dredd Checks

Every preflight call evaluates four signals:

  1. Compromised dependency. The target server's package manifest is parsed and joined against our continuously updated IOC corpus (Socket, Aikido, GitGuardian, ReversingLabs, Phylum, StepSecurity, Wiz). If the server pins lightning==2.6.2 or any other known-compromised version, the call is blocked.
  2. Tool surface drift. The list of tools the server exposes today is compared with the snapshot the user originally approved. New tools that appeared since the last review trigger an advisory. The threat model is a mid-session rugpull.
  3. Remote URL drift. The server's runtime endpoint is compared with the URL it published in the registry. A server quietly calling out to a different host than the one you signed up for is a hijack signature.
  4. Permission escalation. A server requests write or exec permissions it did not have last week.

The verdict comes back signed in under 200 ms (Cloudflare-edge cached, 5-minute TTL). The hook fails open by default — if our endpoint is ever down, Dredd does not brick your tooling.
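
The drift signals 2 to 4 above can be pictured as a comparison between an approved snapshot and today's view of a server. The sketch below is an added example, not Dredd's code; the snapshot shape (`url`, `tools` mapped to permission lists), the signal names and the sample hosts are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Lower-cased hostname, so case or path changes are not reported as drift."""
    return (urlsplit(url).hostname or "").lower()


def diff_snapshot(approved: dict, current: dict) -> list:
    """Compare the approved snapshot with the current view.

    Returns (signal, detail) tuples. Snapshot shape is hypothetical:
    {"url": str, "tools": {tool_name: [permission, ...]}}.
    """
    findings = []
    old, new = approved["tools"], current["tools"]
    # Signal 2: tools that did not exist when the user approved the server.
    for name in sorted(set(new) - set(old)):
        findings.append(("tool_surface_drift", name))
    # Signal 3: runtime endpoint host differs from the registry-published host.
    if host_of(current["url"]) != host_of(approved["url"]):
        findings.append(("remote_url_drift", host_of(current["url"])))
    # Signal 4: an already-approved tool gained write or exec.
    for name in sorted(set(new) & set(old)):
        gained = set(new[name]) - set(old[name])
        escalated = sorted(p for p in gained if p in ("write", "exec"))
        if escalated:
            findings.append(("permission_escalation", name + ":" + ",".join(escalated)))
    return findings


# Constructed sample data (reserved example domains, made-up tool names).
APPROVED = {"url": "https://mcp.example.com/v1",
            "tools": {"list_files": ["read"], "read_file": ["read"]}}
DRIFTED = {"url": "https://mcp-example.test/v1",
           "tools": {"list_files": ["read", "write"], "read_file": ["read"],
                     "run_shell": ["exec"]}}
SAME = {"url": "https://MCP.Example.com/v2", "tools": dict(APPROVED["tools"])}

if __name__ == "__main__":
    for finding in diff_snapshot(APPROVED, DRIFTED):
        print(finding)
```
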


Install — Claude Desktop

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "dredd": {
      "url": "https://analytics.dugganusa.com/api/v1/dredd/mcp"
    }
  }
}

Restart Claude Desktop. You'll see Dredd available with one tool: check_mcp_server.

Install — Cursor

Add to ~/.cursor/mcp.json:

{
  "mcpServers": {
    "dredd": {
      "url": "https://analytics.dugganusa.com/api/v1/dredd/mcp"
    }
  }
}

Test from terminal

curl -X POST https://analytics.dugganusa.com/api/v1/dredd/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

You should see one tool: check_mcp_server.


The Tool

check_mcp_server

| Argument | Type | Required | Description |
|---|---|---|---|
| server | string | yes | MCP server name (e.g. io.github.foo/bar) or substring |
| version | string | no | Optional semver of the server |
| tool | string | no | Optional name of the specific tool being invoked |

Returns a JSON verdict:

{
  "success": true,
  "server": "io.github.foo/bar",
  "version": "1.2.3",
  "tool": "list_files",
  "verdict": "ALLOW",
  "severity": "clean",
  "findings_count": 0,
  "findings": [],
  "checked_at": "2026-05-04T20:00:00Z",
  "ttl_seconds": 300,
  "signature": "sha256=..."
}

Verdict values:

| Verdict | Severity tier | What to do |
|---|---|---|
| BLOCK | critical or high | Refuse the invocation. Do not call the target tool. |
| ADVISORY | medium or advisory | Surface to the user; let them decide. |
| ALLOW | clean | Proceed. |

The signature field is an HMAC-SHA256 of the canonical verdict body using a server-side secret. Hooks should verify this to defeat MITM-forged "all clear" responses (verification key distributed out of band on request).


The Public Watchtower

Real-time aggregate dashboard of every active finding across the registry — free, no auth, no email gate:

https://analytics.dugganusa.com/api/v1/dredd/watchtower.json

Returns counts by severity, recent findings, current verdict (CLEAN / WATCH / HIGH / CRITICAL).

Updated continuously as the daily fetcher + correlator pipeline runs against the registered MCP corpus.


How Dredd Works

       ┌─────────────────────────────────────────────────┐
       │  Your Agent (Claude Desktop / Cursor / custom)   │
       │     calls check_mcp_server(server, version, tool)│
       └─────────────────┬───────────────────────────────┘
                         │ JSON-RPC over HTTPS
                         ▼
        ┌────────────────────────────────────────────────┐
        │  Dredd MCP — analytics.dugganusa.com/api/v1/dredd/mcp │
        │  - look up findings for (server, version, tool)│
        │  - aggregate severity, render verdict          │
        │  - HMAC-sign canonical verdict                 │
        └────────────────┬───────────────────────────────┘
                         │
                         ▼
        ┌────────────────────────────────────────────────┐
        │  mcp_findings index — populated by             │
        │  daily fetcher + correlator joining            │
        │  mcp_dependencies × IOC corpus                 │
        │  (Socket, Aikido, GitGuardian, ReversingLabs)  │
        └────────────────────────────────────────────────┘

The correlation cadence today is 12 hours (08:30 UTC and 20:30 UTC). When a real compromise lands in the registered-MCP corpus, cadence tightens.


Trust Posture

  • HMAC-signed responses. Hook implementations should verify the signature field on every verdict.
  • Fail-open by default. If our endpoint is down, Dredd does not brick your tooling — it returns "advisory: backend unavailable" and lets the user decide. Document override (DREDD_BYPASS=<reason>) for critical workflows.
  • Read-only. Dredd never modifies your environment. Verdict only.
  • No tool argument leakage. Hooks should send (server, version, tool) only — never the contents of tool arguments. Those stay on your machine.
  • 95% epistemic ceiling. We cap our claims at 95% per DugganUSA's epistemic humility rule. Coverage gap: about 60-70% of MCP servers in the registry today don't expose a public source repository, which means Dredd cannot inspect their dependency tree. The advisory tier exists for those.
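
The signature check described under The Tool and the fail-open rule above can be combined in one hook-side decision function. This is an added example, not Dredd's code: the canonical form (all fields except `signature`, sorted keys, compact JSON), the key, and the choice to downgrade unverified or stale verdicts to ADVISORY are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

DEMO_KEY = b"constructed-demo-key"  # constructed; the real key comes out of band


def canonical_body(verdict: dict) -> bytes:
    """ASSUMED canonical form: all fields except `signature`, sorted keys,
    compact separators, UTF-8. The page does not define the real one."""
    body = {k: v for k, v in verdict.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(verdict: dict, key: bytes) -> str:
    """Build a `sha256=<hex>` tag; used to create the sample and to verify."""
    return "sha256=" + hmac.new(key, canonical_body(verdict), hashlib.sha256).hexdigest()


def decide(verdict, key: bytes, now: datetime) -> tuple:
    """Return (action, reason); only a verified, fresh verdict is honoured as-is."""
    if verdict is None:  # backend unreachable: fail open to the user, not to ALLOW
        return "ADVISORY", "backend unavailable"
    tag = verdict.get("signature")
    expected = sign(verdict, key)
    if not isinstance(tag, str) or not hmac.compare_digest(tag.encode(), expected.encode()):
        return "ADVISORY", "signature missing or invalid"
    checked = datetime.fromisoformat(verdict["checked_at"].replace("Z", "+00:00"))
    if now > checked + timedelta(seconds=verdict["ttl_seconds"]):
        return "ADVISORY", "verdict older than ttl_seconds"
    if verdict["verdict"] not in ("BLOCK", "ADVISORY", "ALLOW"):
        return "ADVISORY", "unknown verdict value"
    return verdict["verdict"], verdict["severity"]


# Constructed sample modelled on the verdict JSON shown on this page.
SAMPLE = {
    "success": True, "server": "io.github.foo/bar", "version": "1.2.3",
    "tool": "list_files", "verdict": "BLOCK", "severity": "critical",
    "findings_count": 1, "findings": ["<constructed finding>"],
    "checked_at": "2026-05-04T20:00:00Z", "ttl_seconds": 300,
}
SAMPLE["signature"] = sign(SAMPLE, DEMO_KEY)
FORGED = dict(SAMPLE, verdict="ALLOW", severity="clean")  # tampered in transit

if __name__ == "__main__":
    now = datetime(2026, 5, 4, 20, 1, tzinfo=timezone.utc)
    print(decide(SAMPLE, DEMO_KEY, now), decide(FORGED, DEMO_KEY, now))
```

Because HMAC is symmetric, whoever holds the verification key can also mint verdicts, so the key needs the same protection on the hook side as any other signing secret.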

The Family

Dredd is the 13th member of the DugganUSA defender family — and the first MCP-native member:

  • dugganusa-scanner-core — Core IOC scanning engine
  • dugganusa-vscode — VS Code extension
  • dugganusa-splunk — Splunk Technology Add-on
  • dugganusa-slack — Slack bot
  • dugganusa-raycast — Raycast extension
  • dugganusa-sentinel — Microsoft Sentinel TAXII connector
  • dugganusa-obsidian — Obsidian plugin
  • dugganusa-nvim — Neovim plugin
  • dugganusa-elastic — Elastic / OpenSearch integration
  • dugganusa-edge-shield — Cloudflare Worker
  • dugganusa-cli — CLI scanner
  • dugganusa-chrome — Chrome extension
  • dugganusa-action — GitHub Action

Companion MCP server: Jeevesus — natural-language threat intelligence search across 17.9M documents. Jeevesus saves. Dredd judges.


License

MIT — see LICENSE.

Support

  • Watchtower dashboard: analytics.dugganusa.com/api/v1/dredd/watchtower.json
  • Issues: github.com/pduggusa/dredd-mcp/issues
  • DugganUSA blog: www.dugganusa.com

Built in Minneapolis. Defender-grade. Read-only. Receipts do the work.


DugganUSA Defender Family

Same threat corpus, surfaced wherever you live. Open source, MIT licensed, receipts on every repo.

| Plugin | Surface |
|---|---|
| dugganusa-scanner-core | Core IOC scanning engine |
| dugganusa-vscode | VS Code extension |
| dugganusa-splunk | Splunk Technology Add-on |
| dugganusa-slack | Slack bot |
| dugganusa-raycast | Raycast extension |
| dugganusa-sentinel | Microsoft Sentinel TAXII connector |
| dugganusa-obsidian | Obsidian plugin |
| dugganusa-nvim | Neovim plugin |
| dugganusa-elastic | Elastic / OpenSearch integration |
| dugganusa-edge-shield | Cloudflare Worker |
| dugganusa-cli | CLI scanner |
| dugganusa-chrome | Chrome extension |
| dugganusa-action | GitHub Action |
| dredd-mcp (this repo) | Pre-flight MCP security (this repo) |

Backed by the live DugganUSA threat intel platform: analytics.dugganusa.com.

Jeevesus saves. Dredd judges.

Categories: Security & Pentesting
Registry: active
Transport: HTTP
Updated: May 4, 2026