Runlayer enters MCP security race with $11 million seed

Runlayer launched out of stealth with $11 million in seed funding from Khosla Ventures’ Keith Rabois and Felicis. The startup is building an all-in-one security layer for Model Context Protocol deployments as enterprises give AI agents broader access to internal tools and data.

The story centers on securing AI agents that can access, alter, and execute actions across enterprise systems, implying real autonomy and control risks despite being a defensive startup update.

Runlayer is stepping into one of the fastest-forming parts of enterprise AI: securing the connections that let AI agents act across business systems. The Model Context Protocol security startup launched out of stealth on Monday with $11 million in seed funding from Khosla Ventures’ Keith Rabois and Felicis.

The company was created by Andrew Berman, a third-time founder whose previous companies include baby-monitor maker Nanit and Vowel, an AI video conferencing tool that sold to Zapier in 2024. In the four months since Runlayer launched its product in stealth, the company says it has signed dozens of customers, including eight unicorns or public companies such as Gusto, dbt Labs, Instacart, and Opendoor.

Why MCP security is suddenly a priority

Model Context Protocol has quickly become a central piece of the AI agent stack. David Soria Parra's team at Anthropic launched the protocol in November 2024 as an open source project, and it has since become the de facto standard for connecting AI agents to the data and systems they need to operate independently.

That access is powerful. MCP can allow agents to access data, move it, alter it, and execute business processes without human oversight. In practical terms, the protocol helps turn an AI system from a conversational interface into software that can interact with real enterprise tools.

The protocol is now supported by every major model maker including OpenAI, Microsoft, AWS, and Google. It is also supported by thousands of tech and enterprise companies, including Atlassian, Asana, Stripe, Block, and others ranging from banks to consumer goods manufacturers.

That broad adoption creates a clear security problem. The more useful an AI agent becomes, the more sensitive the systems it may need to touch. If the access layer is weak, the same pathway that enables useful automation can also expose private data or allow unwanted actions.

The risks Runlayer wants to contain

The core issue, according to the source article, is that MCP does not include much security out of the box. Many MCP implementations have already been found to be vulnerable in different ways.

Two examples stand out. In May, researchers at Invariant Labs discovered a prompt injection vulnerability in MCP servers that allowed them to grab data from private GitHub repositories that should not have been accessible to the public. Asana discovered and fixed a vulnerability in its MCP server in June that could have exposed customer data.

Since then, more types of attacks have been found to work on common MCP server setups. For enterprises, that changes the calculation around AI agents. Giving agents access to internal applications is not only a productivity decision; it also becomes an access-control, monitoring, and audit problem.

That is why a crowded market for MCP security tools has emerged. Products now come from big-name companies such as Cloudflare, Docker, and Wiz, along with startups focused on narrower parts of the problem.

How Runlayer plans to differentiate

The most common kind of MCP security product today is a gateway. In simple terms, that gateway acts as a control layer for identifying agents and managing what they are allowed to access.

Runlayer is positioning itself as broader than a gateway alone. The company says its product combines several pieces into one security tool:

  • Gateway controls for identifying agents and controlling access to applications.
  • Threat detection that analyzes every MCP request.
  • Observability that watches agentic activity across MCP servers approved by IT.
  • Enterprise development so IT teams can build custom AI automations for enterprise users.
  • Detailed permissions that work with existing identity providers like Okta and Entra.

Runlayer also gives business users an Okta-like catalog of pre-vetted MCP servers approved by IT. In that setup, agents do not simply get broad access to everything. Their app permissions are matched to the permissions of the human users they represent.

That means access can vary by role. Some people may have read-only access to financial systems, others may have write access, and others may have no access at all. Runlayer's pitch is that AI agents should inherit the same permission boundaries that already exist for employees.

The team and early backing

Berman argues that Runlayer's edge comes partly from product breadth and partly from experience. After selling Vowel to Zapier, he became the director of Zapier's AI and said he built one of the first MCP servers while working closely with OpenAI and Anthropic at the time.

Runlayer also brought in David Soria Parra, the lead creator of MCP, as an angel and advisor, Berman told TechCrunch. Parra did not respond to TechCrunch's request for comment.

The startup's co-founders from Zapier are Tal Peretz and Vitor Balocco. Berman said he and his co-founders left their jobs in August, signed up David Soria Parra, and signed up eight unicorns in four months.

Other advisors and investors in the company, according to Berman, include Travis McPeak, head of security at Cursor, and Nikita Shamgunov, founder of Neon.

What this says about enterprise AI agents

Runlayer's launch points to a larger shift in enterprise AI. The first wave of attention focused on models and what they could generate. The next practical challenge is what those systems can safely do once connected to business tools.

MCP makes those connections easier and more standardized. But standardization also raises the stakes because one protocol can become a common path into many systems. That is useful for adoption, yet it also makes security layers more important.

For companies experimenting with AI agents, the message is straightforward: access is the product and the risk. Runlayer is betting that enterprises will want MCP security that covers permissions, monitoring, threat detection, and approved server catalogs in one place, especially as agents begin to work across more internal systems.