Why AI Agent Security Needs Layers
No single tool catches everything. A SAST scanner misses secrets. A secret scanner misses vulnerable dependencies. A dependency scanner misses prompt injection in your MCP config. That's why we built a 7-layer defense workflow โ each layer catches what the others miss.
Here's the workflow we use every day. Total setup time: 5 minutes.
Layer 1: MCP Config Audit
Before writing any code, audit your MCP server configurations:
"Scan my MCP configuration for security issues"
This checks every MCP server in your ~/.claude/settings.json for prompt injection patterns, SSRF-capable parameters, and credential exposure. Run this every time you install a new MCP server.
Layer 2: Dependency Scan
Before starting a coding session, scan your project dependencies:
"Scan this project's dependencies for vulnerabilities"
Zfuzz checks 10 lockfile formats against the OSV.dev vulnerability database. It finds known CVEs in your dependency tree โ including transitive dependencies that npm audit sometimes misses.
Layer 3: Secret Detection
Before every commit, scan for hardcoded secrets:
"Scan this project for hardcoded secrets and API keys"
430+ patterns covering AWS, GCP, Azure, Stripe, OpenAI, Anthropic, GitHub, and dozens more. Shannon entropy analysis catches custom token formats that regex patterns miss.
Layer 4: SAST Analysis
During code review, run static analysis:
"Scan this code for security vulnerabilities"
441 SAST rules with taint analysis track data flow from untrusted sources (user input, HTTP parameters) to dangerous sinks (SQL queries, shell commands, file operations). Taint analysis is available for JavaScript/TypeScript and Python.
Layer 5: Threat Modeling
For every major feature, run a threat model:
"Threat model this feature using STRIDE"
STRIDE analysis identifies Spoofing, Tampering, Repudiation, Information Disclosure, DoS, and Elevation of Privilege risks. MITRE ATT&CK technique IDs map each threat to real-world attack knowledge.
Layer 6: Runtime Guard
Agent Guard provides runtime protection while the AI agent operates. It hooks into tool execution and blocks dangerous operations:
# In ~/.claude/settings.json
{
"hooks": {
"PreToolUse": [{
"command": "zfuzz guard check --event PreToolUse"
}]
}
}
Seven built-in rules protect against shell injection, SSRF, path traversal, secret leakage, dangerous commands (rm -rf, DROP TABLE), rate limiting abuse, and file access outside project boundaries.
Layer 7: CI/CD Security Gate
The final layer blocks insecure code from reaching production:
# .github/workflows/security.yml
- name: Zfuzz Security Scan
uses: zfuzz-dev/scan-action@v1
with:
fail_on: critical
upload_sarif: true
The GitHub Action runs SAST + SCA + secrets scanning, uploads findings as SARIF to GitHub Code Scanning, and posts a PR comment with the security summary. PRs with critical findings are blocked.
The Complete Stack
| Layer | When | What | Catches |
|---|---|---|---|
| 1. MCP Audit | On MCP install | scan_mcp_config | Tool poisoning, prompt injection |
| 2. Dependencies | Session start | scan_dependencies | Known CVEs in packages |
| 3. Secrets | Pre-commit | scan_secrets | Hardcoded credentials |
| 4. SAST | Code review | scan_code | Injection, XSS, auth bugs |
| 5. Threat Model | Feature design | threat_model | Architectural risks |
| 6. Runtime Guard | Always-on | Agent Guard hooks | Live exploitation attempts |
| 7. CI Gate | PR merge | GitHub Action | Everything, as a gate |
Get Started
Layers 1-5 install in one command. Layers 6-7 take 3 more minutes.
claude mcp add zfuzz -- npx @zfuzz/mcp



