Product
MCP Audit Gateway
Evidence and control for every AI agent tool call. In your environment, not ours.
The gateway sits between your AI agents and the MCP servers they call. Every tool call is identity-verified against your IdP, evaluated against policy, redacted of regulated data, and recorded as a structured audit event. The gateway runs inside your environment. I never see your data or your queries.
What it does
Full audit trail
Every tool call is logged with agent identity, masked arguments, decision, latency, and upstream response status. Stream the events to Azure Log Analytics, an OTLP collector, or stdout. Masked-response capture is toggleable.
Policy enforcement
Per-identity allow-lists, per-tool deny-pattern regex, sliding-window rate limits, and time-windowed access. Policies hot-reload from a mounted config file. Decisions are evaluated before the request reaches the upstream MCP server.
Sensitive data redaction
Built-in detectors for PAN (Luhn-validated), email, UK NIN, US SSN, IPv4, IPv6, phone, and JWT. Add custom regex patterns via config. Detectors run on requests and, optionally, on responses. Aligned with PCI DSS, GDPR, and HIPAA out of the box.
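To show what "Luhn-validated" buys you over a plain digit-run regex, here is an added example (not the gateway's own code) of a PAN and email detector applied to JSON-like tool-call arguments. It assumes the masking convention of keeping the last four digits; the regexes, function names and the sample arguments are constructed for this illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# Word boundaries stop the pattern from matching a slice of a longer digit run.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9 from
    doubled values above 9, and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(match) -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_valid(digits):
        return raw  # card-shaped but fails Luhn: an order id or ticket number, leave it
    return "*" * (len(digits) - 4) + digits[-4:]  # keep the last four for support workflows


def redact_text(text: str) -> str:
    text = PAN_CANDIDATE.sub(_mask_pan, text)
    text = EMAIL.sub("[EMAIL]", text)
    return text


def redact_args(value):
    """Walk a JSON-like tool-call argument structure and redact every string leaf."""
    if isinstance(value, str):
        return redact_text(value)
    if isinstance(value, dict):
        return {k: redact_args(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_args(v) for v in value]
    return value


if __name__ == "__main__":
    # Constructed sample arguments; 4111 1111 1111 1111 is the standard Visa test number,
    # 4111111111111112 is the same shape but fails the checksum.
    sample = {"query": "refund card 4111 1111 1111 1111 for bob@example.com",
              "note": "ticket 4111111111111112", "attempt": 2}
    print(redact_args(sample))
```

The Luhn check removes most sixteen-digit false positives (invoice numbers, tracking ids), but roughly one random digit string in ten passes it, so a regulated-data detector still needs the allow-list and audit trail around it rather than being trusted as the only control.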
Rate limiting
Per-identity sliding-window limits, configurable per tool. Useful against both runaway agents and compromised credentials. Decisions are logged, so you can see who was throttled and when.
Deployment
Azure Marketplace edition
Deploys as an Azure Managed Application into your own subscription. Audit events write to Log Analytics in your tenant. Billed through Azure, eligible for MACC spend commitments. One-click deployment from the Marketplace listing.
Right fit when your buying process runs through Azure and you want a single Marketplace invoice.
Self-hosted Docker edition
Same product, no Azure dependencies. Runs on AWS, GCP, on-prem, any Kubernetes cluster. Audit events go to your chosen OTLP collector or stdout. Annual licence direct from Weldon Web.
Right fit when your estate is multi-cloud, on-prem, or otherwise not Azure-first.
Compliance frame
The gateway produces evidence that supports the following regulatory frames. It does not certify your organisation; you use the evidence in your own compliance posture.
How it works
The gateway is a reverse proxy in front of one or more MCP servers. Every request flows through five stages, in this order:
1. Identity. The caller's JWT is validated against your IdP and the agent identity is extracted from configured claims.
2. Policy. Per-identity allow-lists, deny-patterns, rate limits, and time windows are evaluated. Non-matching requests are rejected before any upstream call is made.
3. Redaction. Built-in and custom detectors mask regulated values in the request payload. The same pass runs on the response if response capture is enabled.
4. Proxy. Approved requests are forwarded to the target MCP server via YARP, with full HTTP/2 and SSE streaming support.
5. Audit. A structured event (identity, tool, masked args, decision, latency, upstream status) is written to the configured sink: Log Analytics, OTLP, or stdout.
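The policy, rate-limit and audit stages above, and the sliding-window limiter described under Rate limiting, as an added example in Python (the gateway itself is a .NET/YARP proxy; this is illustrative code, not the product's). It assumes the identity stage has already validated the JWT and hands over a verified identity string, and it takes the redaction stage's masking function as a callable; `Policy`, `Gateway`, the reason codes and the sample workload are all constructed here.

```python
import json
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Policy:
    allowed_tools: dict     # identity -> set of tool names that identity may call
    deny_patterns: dict     # tool -> list of compiled regexes matched against serialized args
    rate_limit: tuple       # (max calls, window seconds), per (identity, tool)
    hours: tuple = (0, 24)  # permitted UTC hour window [start, end)


class Gateway:
    """Policy, rate-limit and audit stages. Identity is assumed already verified
    (JWT stage); redaction is supplied as a callable (hypothetical hook)."""

    def __init__(self, policy, redact, clock=time.time):
        self.policy = policy
        self.redact = redact      # masking function from the redaction stage
        self.clock = clock        # injectable so tests can move time deterministically
        self._hits = defaultdict(deque)  # (identity, tool) -> timestamps inside the window

    def _rate_limited(self, identity, tool, now):
        limit, window = self.policy.rate_limit
        q = self._hits[(identity, tool)]
        while q and q[0] <= now - window:   # drop hits that slid out of the window
            q.popleft()
        if len(q) >= limit:
            return True
        q.append(now)
        return False

    def evaluate(self, identity, tool, args):
        """Run the checks in order; the first failure is the recorded deny reason."""
        now = self.clock()
        hour = datetime.fromtimestamp(now, tz=timezone.utc).hour
        start, end = self.policy.hours
        if not start <= hour < end:
            reason = "outside_time_window"
        elif tool not in self.policy.allowed_tools.get(identity, set()):
            reason = "tool_not_allowed"
        elif any(p.search(json.dumps(args)) for p in self.policy.deny_patterns.get(tool, [])):
            reason = "deny_pattern"
        elif self._rate_limited(identity, tool, now):
            reason = "rate_limit"
        else:
            reason = None
        # The structured audit event carries masked args only, never the raw payload.
        return {
            "ts": now,
            "identity": identity,
            "tool": tool,
            "args": self.redact(args),
            "decision": "allow" if reason is None else "deny",
            "reason": reason,
        }


def demo():
    """Constructed workload against a sample policy; returns (decision, reason) per call."""
    policy = Policy(
        allowed_tools={"finance-bot@contoso.com": {"query_ledger"}, "intern@contoso.com": set()},
        deny_patterns={"query_ledger": [re.compile(r"\b(drop|truncate)\s+table\b", re.I)]},
        rate_limit=(2, 60),
    )
    clock = [1_700_000_000.0]  # 2023-11-14T22:13:20Z, fixed for determinism
    gw = Gateway(policy, clock=lambda: clock[0],
                 redact=lambda a: {k: ("***" if k == "token" else v) for k, v in a.items()})
    events = [
        gw.evaluate("intern@contoso.com", "query_ledger", {"q": "select 1"}),          # deny: not allowed
        gw.evaluate("finance-bot@contoso.com", "query_ledger", {"q": "drop table t"}),  # deny: pattern
        gw.evaluate("finance-bot@contoso.com", "query_ledger", {"q": "select 1"}),     # allow (1 of 2)
    ]
    clock[0] += 1
    events.append(gw.evaluate("finance-bot@contoso.com", "query_ledger", {"q": "select 2"}))  # allow (2 of 2)
    clock[0] += 1
    events.append(gw.evaluate("finance-bot@contoso.com", "query_ledger", {"q": "select 3"}))  # deny: rate limit
    clock[0] += 60
    events.append(gw.evaluate("finance-bot@contoso.com", "query_ledger",
                              {"q": "select 4", "token": "abc"}))                          # allow: window slid
    return [(e["decision"], e["reason"]) for e in events]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two design points worth noticing: the checks short-circuit, so a call denied by the allow-list or a deny pattern never consumes rate-limit budget, and every outcome, allow or deny, produces an event with the same shape, which is what makes "who was throttled and when" a query rather than a log grep.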
┌────────────────────────┐
│ Audit sink │
│ Log Analytics / OTLP │
│ / stdout │
└───────────▲────────────┘
│ structured events
│
┌──────────┐ ┌─┴───────────────────┐ ┌──────────────┐
│ AI agent │──▶│ Audit Gateway │──▶│ MCP server │
│ Claude │ │ │ │ (your tool) │
│ ChatGPT │ │ identity │ └──────────────┘
│ custom │ │ policy engine │
└──────────┘ │ redaction │
│ YARP proxy │
└─────────────────────┘
What the data looks like
Every tool call produces a structured audit event. Your team builds dashboards against those events in whatever observability stack you already run. The example below is a Grafana dashboard built on the gateway's emitted metrics: total invocations, deny rate, deny reasons by identity and pattern, p50 and p95 tool-call latency, and top denied tools.

Example dashboard, synthetic test workload. The agent identities shown (finance-bot@contoso.com, intern@contoso.com, reporting@contoso.com, support@contoso.com) are illustrative, not real customers. The gateway emits structured events; you build the dashboard in your stack of choice, including Log Analytics, Datadog, Splunk, Grafana, Loki, or any OTLP-compatible backend.
Pricing
Sold direct, annual subscription, priced per entity rather than per call. Standard deployments start at £24,000 per year. Larger and multi-entity deployments are quoted on request. Early reference customers receive a meaningful year-one discount in exchange for case-study rights.
Request a quote
Talk to the engineer who built it
I built the gateway and I will be the one answering this form. Tell me the rough shape of your deployment (cloud, scale, regulatory frame) and I will come back with a concrete next step.
Want the security details first? See the security page.
