We run it
Every server is started in a single-use microVM and driven like a real client would drive it.
company
We are building the trust layer for MCP.
MCP is becoming how AI reaches the real world: files, databases, payment systems, internal tools. We think the layer that decides which of those tools are safe to trust should be built on evidence, not self-reported lists. So we built it.
why we exist
A directory tells you a server exists. We tell you what it does.
Every other MCP directory is a list of entries nobody ran. We execute each server in a disposable microVM, test it against client behavior calibrated from real Claude Code and Cursor traffic, and scan its source.
Two questions
Does it work, and is it safe. Two independent verdicts, never blended into one number.
A record, not a list
Every verdict is backed by the run that produced it, public, dated, and open to challenge.
what we believe
The principles the product is built on.
Execution over self-report
A claim is only as good as the run behind it. We do not list what we have not run.
Two axes, never mixed
Does it work and is it safe are different questions, and we keep them separate.
Evidence and challenge
Every verdict is public, dated, and disputable. Maintainers can contest the record.
Nothing outlives a run
Every scan is a throwaway machine, created for one server and destroyed after the verdict.
where it is going
From a registry to the ecosystem trust layer.
The record
A public registry, a CI gate that blocks releases that break real clients, and the start of a security review.
Coverage
More clients emulated, broader coverage, and governance for teams that vet the third-party servers their agents use.
One layer
A single trust layer the whole MCP ecosystem can rely on, with the evidence security and audit require.
get in touch
Building with MCP, or curious where this goes?
We read everything. Maintainers, teams adopting agents, and anyone who cares about making AI tools trustworthy: reach us at hello@usethrone.dev.
Say hello