The MCP servers that matter most are the ones nobody can scan.
They're behind your VPN, on a workstation, in a private subnet. Gated audits those — the same way it audits the public ones.
Early access. No spam, no launch countdown emails.
MCP servers ship faster than anyone audits them. A server goes from prototype to mounted-in-production in an afternoon — the review that would catch a leaking tool or a malformed error envelope never happens.
The agent on the other end is an untrusted component with broad tool access. It will call what it is offered. Every tool, resource, and prompt a server exposes is reachable surface, and most of it was never read by a human.
That surface also has a running cost. It is loaded at initialize, counted against the context window every session, and measured by no one. Shipping the server is the cheap part. Everything it quietly does afterward is not.
Gated points two engines at a server and merges what they find into one ranked report — with a reproduction for every finding.
231 deterministic checks
Across security, conformance, quality, reliability, and cost. Each maps to one family and one severity, runs at a chosen intensity, and is identical on every run — the baseline you can put in CI.
An adversarial LLM
An agent that actively tries to break the server — not only to get in, but to surface flaws across all five families. It improvises the attacks a fixed checklist can't, then files them the same way.
Five families. 231 checks.
Every check belongs to one family and runs from a declared intensity upward. How the catalog spreads across the two axes:
| Family | passive | probe | explore | adversarial | Total |
|---|---|---|---|---|---|
| Security | 24 | 44 | 21 | 1 | 90 |
| Conformance | 37 | 40 | 9 | coming soon | 86 |
| Quality | 21 | 1 | 1 | coming soon | 23 |
| Reliability | 10 | 3 | 6 | coming soon | 19 |
| Cost | 1 | 11 | 1 | coming soon | 13 |
| All families | 93 | 99 | 38 | 1 | 231 |
You choose how hard it looks.
Four strictly-ordered levels — each a superset of the one above it, so Explore runs Passive and Probe too. What the server says about itself, then whether it does what it says, then what happens when you use the whole surface for real, then what a determined attacker can extract.
Validates everything the server says about itself — serverInfo, declared capabilities, and the full schemas of every tool, resource, and prompt — without ever making a real tool call. The “lint” intensity: safe on production at any time, safe in CI on every PR.
Starts touching the target, but only safely. Loads resources, calls non-destructive tools, and forces validation failures — negative numbers, out-of-range values, malformed inputs — to see how the server defends its boundaries. No destructive tool is ever called.
Goes all in on legitimate use. Calls every tool with LLM-generated arguments, walks pagination chains, bursts calls to probe rate-limit behavior, and opens many concurrent connections. Best on staging, or production with explicit opt-in.
An LLM-driven attack — prompt injection, tool poisoning, and sustained multi-step exploitation chains, equivalent to a senior tester actively trying to break the server. Requires explicit opt-in per scan.
Straight answers. No fine print.
Missing a question? Email hello@gated.cc — we'd rather answer it directly.
Get in before launch.
Join the waitlist for early access — and 300 free scans when we launch, enough to audit a real fleet of servers before you decide.
We email once, when your access is ready.