By ByteBot
Runlayer emerged from stealth on November 17, 2025, with an $11 million seed round led by Keith Rabois at Khosla Ventures and Felicis—and an endorsement that validates its entire premise. David Soria Parra, who co-created the Model Context Protocol at Anthropic just 12 months ago, joined as advisor and angel investor. The irony isn’t accidental. MCP went from open-source protocol to enterprise AI standard in one year, moving so fast that security became an afterthought. Eight unicorns, including Gusto, dbt Labs, Instacart, and Opendoor, signed up during Runlayer’s four-month stealth operation. When your protocol’s creator joins the company securing it, and enterprises can’t wait to pay for the fix, the security gap isn’t theoretical—it’s urgent.
The 12-Month Security Gap
Anthropic launched MCP in November 2024 as an open standard for connecting AI agents to data sources and business tools. Within 12 months, the ecosystem exploded: 300+ MCP clients, 18,000+ servers, and enterprise adoption at scale. Speed came at a cost.
Security researchers documented the damage throughout 2025. Pillar Security identified tool poisoning attacks, where malicious instructions embedded in MCP tool descriptions remain invisible to users but get interpreted by AI models. Red Hat flagged confused deputy vulnerabilities, token passthrough risks, and broad permission scopes that grant full access when read-only would suffice. Microsoft’s security blog bluntly titled their analysis “Plug, Play, and Prey.”
None of this is Anthropic’s fault. The MCP spec includes security guidance—”there SHOULD always be a human in the loop”—but guidance isn’t enforcement. Building a protocol for rapid innovation means prioritizing flexibility over lockdown.
When the Protocol Creator Validates the Problem
David Soria Parra joining Runlayer as advisor isn’t a condemnation of MCP. It’s validation that the security gap is real, protocol-level fixes would take too long, and enterprises need solutions now. Parra co-created MCP with Justin Spahr-Summers after joining Anthropic in April 2024. Before that, he led PHP releases 5.4 and 5.5, contributed core features to Git and Mercurial, and managed a 45-person organization at Facebook focused on static analysis.
When someone with that background says the ecosystem needs a security layer, it’s not fear-mongering. It’s an engineer acknowledging that innovation speed and security maturity operate on different timelines. Anthropic will likely add security features to MCP eventually. But enterprises deploying AI agents today can’t wait 6-12 months for protocol updates.
Eight Unicorns Couldn’t Wait
Runlayer signed eight unicorns during four months of stealth operation. Four are confirmed: Gusto, dbt Labs, Instacart, and Opendoor. That velocity signals MCP isn’t experimental anymore. It’s production-critical infrastructure at companies processing billions in transactions.
Andrew Berman, Runlayer’s CEO, saw this firsthand. He previously founded Vowel, an AI video conferencing tool acquired by Zapier in 2024. As Zapier’s Director of AI, Berman built one of the first MCP servers and worked directly with OpenAI and Anthropic. He identified the security blind spots while implementing MCP at scale. In August 2025, he left Zapier with co-founders Tal Peretz and Vitor Balacco—both former Zapier colleagues with deep AI and security expertise—to build Runlayer.
Enterprises signed up before the public launch because they needed MCP security infrastructure yesterday. These aren’t companies cautiously piloting a new tool—they’re companies willing to bet on a stealth startup to get it.
What Runlayer Actually Does
Runlayer is a command and control plane for MCP servers. It connects 300+ MCP clients (Cursor, VS Code, Claude Code, GitHub Copilot, ChatGPT) to 18,000+ MCP servers with unified access controls. The platform includes custom threat detection for MCP-specific attacks like tool poisoning and command injection, complete observability into MCP usage, fine-grained role-based permissions with SSO integration, and a private registry for hosting approved MCP servers.
It’s SOC 2 Type II certified and can deploy in the cloud or self-hosted in a private VPC. The pitch isn’t just security—it’s managing “MCP sprawl” as organizations accumulate dozens of integrations.
Innovation vs. Security: The Uncomfortable Trade-Off
Should security have been built into MCP from day one? The question misses the point. Anthropic chose speed and flexibility, enabling an ecosystem to explode in 12 months. Adding comprehensive security upfront would have slowed adoption, limited experimentation, and potentially killed the protocol before it gained traction.
This isn’t unique to MCP. Docker shipped without robust container security standards. npm had package vulnerabilities for years before tools like Snyk emerged. Fast-moving ecosystems prioritize innovation, then patch security gaps as adoption forces the issue.
The difference here is the timeline. MCP went from 0 to enterprise-critical in 12 months, not years. AI is accelerating the innovation-to-production cycle faster than security processes can adapt. Runlayer’s launch—and the eight unicorns already onboard—proves that “security as a layer” is now the model for AI infrastructure.
What This Means for Developers
If you’re building MCP integrations, the landscape just shifted. Security isn’t optional anymore, and enterprises won’t deploy unvetted MCP servers. Production deployment demands threat detection, observability, audit trails, and permission controls that most teams lack the bandwidth to build in-house.
Runlayer is the first major solution, but it won’t be the last. The MCP security market just opened, and more vendors will follow. If you’re deploying AI agents with MCP, ignoring security isn’t a risk—it’s a liability.
