Back to feed
News Story
Hacker News (AI filter)
1 sources

Traceforce (YC S26) Launches Company-Wide Security Monitoring for AI Apps

Traceforce, a YC S26 startup, launches a platform that provides visibility and control over AI applications like ChatGPT and Claude across all company devices. It monitors AI app usage and MCP connections, and includes an open-source pentesting tool for MCP vulnerabilities. The founders aim to help security teams detect and prevent unsafe AI actions in real time.

SynthePulse Insight · AI deep reading

Traceforce: A New Enterprise-Grade Security Monitoring Solution for AI Applications

Version 1 · 1 source

As AI tools rapidly proliferate in enterprises, security monitoring has become an urgent need. Traceforce, a YC S26 startup, has launched a lightweight security monitoring platform designed to provide visibility and control over AI applications.

  • Traceforce was founded by Xia and Varun, and is a member of YC S26, focusing on AI application security monitoring.
  • The platform discovers AI applications on devices and their data sources connected via MCP, providing real-time monitoring.
  • It has been deployed on over 1,000 devices across 10 organizations, averaging 15 AI applications per device, each connecting to 5-10 MCPs.
  • The open-source tool mcp-xray performs dynamic penetration testing on MCPs to help identify vulnerabilities.
  • It adopts a 'warn and confirm' approach to balance security with development efficiency.
Open section navigationProduct Overview and Core Features

Product Overview and Core Features

Traceforce is an enterprise-grade security monitoring platform designed to provide visibility and control over AI applications (such as ChatGPT, Claude, etc.). It installs via a lightweight binary and browser extension on devices, and within 30 minutes begins uploading real-time data to the company dashboard, displaying all AI agent and application activity.

The platform's core features include: discovering AI applications running on devices and their data sources connected via MCP (Model Context Protocol); monitoring AI software behavior; detecting and preventing unsafe operations and security vulnerabilities. Security teams can monitor all agent activity in real time, enforce controls, and receive immediate alerts when risks arise.

Technical Implementation and Data Privacy

Traceforce by default only collects metadata and telemetry data from AI applications, MCPs, and tools. Security teams can enable an option to inspect tool calls to detect, warn, or block predefined high-risk or potentially destructive operations. All content inspection occurs locally on the device, and user prompts are never stored unless explicitly configured by the organization's security administrator.

This design aims to balance security monitoring with user privacy. The founders emphasize that once end users understand what is being monitored and shared, they actually feel more at ease because there is a strong protective layer on the device to prevent security incidents.

Real-World Deployment and Results

Traceforce is currently deployed on over 1,000 devices across 10 organizations. On average, more than 15 AI applications are discovered per device, each connecting to 5-10 MCPs. The platform has helped customers identify plaintext secrets exposed in MCP configurations, prevent API key leaks through AI-generated code, and warn developers before executing potentially destructive commands (e.g., 'DROP TABLE').

Founder Xia mentioned that their 'warn and confirm' approach has been particularly well-received, giving developers freedom while helping them avoid costly mistakes. This indicates the platform strikes a balance between security and efficiency.

Market Positioning and Target Customers

Traceforce's target customers are small to medium-sized enterprises (200+ employees) that are rapidly adopting AI coding assistants, ChatGPT, Claude, and MCP. Founder Xia's experience as an engineering director at Clumio (acquired by Commvault in October 2024) and conversations with over 50 CISOs and CIOs indicate a strong market demand for such a solution.

They are looking for security, IT, and AI platform teams that are struggling to understand which AI tools employees are using to boost productivity, or need a practical way to reduce AI-related security risks without slowing down work.

Open-Source Tool and Community Engagement

Traceforce has also open-sourced a dynamic MCP penetration testing tool called mcp-xray (https://github.com/traceforce/mcp-xray) for detecting vulnerable MCPs. This demonstrates their commitment to community contribution and helps build trust.

In the Hacker News launch post, founder Xia also asked the community about the tools they currently use, showing a willingness to engage with users and understand existing solutions.

Credibility boundary

This article is based on Traceforce's product launch post on Hacker News, with information directly provided by the founders, making it a first-hand source. However, as a startup, its claimed deployment data and results have not been independently verified.

Insight takeaway

Traceforce offers a lightweight, privacy-focused solution for AI application security monitoring, helping enterprises balance security and efficiency through real-time visibility and a 'warn and confirm' mechanism. Its open-source tool and community engagement further enhance credibility.

Primary report

Hacker News (AI filter)

Primary source