Shadow MCP exposure diagnostic · browser-only scoring · no login · routes to ACT Tier 1 or ACT Tier 2 depending on severity

Shadow MCP Exposure Check

Screen in under 4 minutes whether your governance would catch unapproved MCP servers already operating inside your enterprise perimeter.

3–4 minutes · 12 scored questions · No login

This is a governance visibility screen for unmanaged, local, containerized, or otherwise unapproved MCP deployments. It is not a network scanner, gateway, or telemetry product.

  • Screens discovery coverage, registry discipline, local or containerized MCP spread, auth quality, reachable systems, logging, credential handling, disable readiness, and approval workflow maturity.
  • Separates controlled MCP footprint from material shadow exposure before hidden deployments turn into a larger governance or incident problem.
  • Routes to ACT Tier 1 when the immediate need is visibility, inventory, and gap analysis, and escalates to ACT Tier 2 when formal governance, evidence, and response controls are missing.
[Image: enterprise scene showing hidden and approved MCP servers across controlled and uncontrolled environments, with allowlist, logging, disable controls, and oversight visibility.]
Shadow MCP visibility across allowlists, local or containerized deployments, auth control, logging, and disable readiness.

This screen classifies shadow MCP exposure quickly. It does not scan your network, enumerate servers, or export an inventory.

Interactive screen

Assessment

Use this to classify whether MCP usage is tightly controlled, drifting into shadow deployment, materially exposed, or already in an uncontrolled state.


What this result should change

The purpose of this screen is to classify shadow MCP exposure quickly, highlight the biggest gaps, and route the organization to the correct paid next step without giving away the implementation layer.

What this tool classifies as shadow MCP

Shadow MCP means unmanaged, local, containerized, unapproved, or weakly governed MCP usage that sits outside a defendable registry, ownership model, logging baseline, or disable path.
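One way to turn that definition into a repeatable check, as an added example that is not part of this page's screening tool: reconcile the servers an MCP client config actually launches against an approval registry, record the gaps the page lists (registry membership, named owner, logging baseline, disable path, credentials in the client config, local or containerized launch), and roll the result up to the four states used on this page. The top-level "mcpServers" layout follows the JSON that common MCP desktop clients read; the registry schema, the heuristics, the state thresholds and the sample data are constructed for this example.

```python
"""Reconcile an MCP client config against an approval registry.

Added illustration, not the page's screening tool; it reads one config
file's contents and does not scan a network. The "mcpServers" layout
follows common MCP desktop clients; registry schema, heuristics and
sample data are constructed for this example.
"""
import json
import re

# Constructed sample: an MCP client config as it might sit on a developer laptop.
SAMPLE_CLIENT_CONFIG = json.dumps({
    "mcpServers": {
        "jira": {"command": "npx", "args": ["-y", "@example/jira-mcp"],
                 "env": {"JIRA_TOKEN": "abc123"}},
        "postgres-prod": {"command": "docker",
                          "args": ["run", "-i", "--rm", "example/pg-mcp"],
                          "env": {"DATABASE_URL": "postgres://app:s3cr3t@db.internal:5432/app"}},
        "scratch-fs": {"command": "python", "args": ["/home/dev/mcp/fs.py"]},
    }
})

# Constructed sample registry (the allowlist): server name -> governance facts.
SAMPLE_REGISTRY = {
    "jira": {"owner": "platform-team", "logging": True, "disable_path": True},
    "postgres-prod": {"owner": "", "logging": False, "disable_path": True},
}

# Heuristics: env keys that usually carry secrets, and URLs with embedded credentials.
SECRET_KEY_RE = re.compile(r"TOKEN|SECRET|PASSWORD|API_?KEY", re.I)
CRED_URL_RE = re.compile(r"://[^/@\s]+:[^/@\s]+@")


def assess_server(name, spec, registry):
    """Return (class, findings) for one configured server.

    "shadow": outside the registry. "weak": registered but missing owner,
    logging or disable path, or carrying credentials in the client config.
    "approved": everything else. Launch method is recorded as a finding only.
    """
    findings = []
    entry = registry.get(name)
    if entry is None:
        findings.append("not in registry")
    else:
        if not entry.get("owner"):
            findings.append("no named owner")
        if not entry.get("logging"):
            findings.append("no logging baseline")
        if not entry.get("disable_path"):
            findings.append("no disable path")

    command = spec.get("command", "")
    if command == "docker" or command.endswith("/docker"):
        findings.append("containerized launch")
    elif command in ("npx", "uvx"):
        findings.append("ad hoc package launch")

    for key, value in spec.get("env", {}).items():
        if SECRET_KEY_RE.search(key) or CRED_URL_RE.search(str(value)):
            findings.append(f"credential in client config ({key})")

    if entry is None:
        cls = "shadow"
    elif any(f.startswith(("no ", "credential")) for f in findings):
        cls = "weak"
    else:
        cls = "approved"
    return cls, findings


def classify_footprint(config_text, registry):
    """Map the whole config to one of the four states used on this page."""
    servers = json.loads(config_text).get("mcpServers", {})
    report = {}
    for name, spec in servers.items():
        cls, findings = assess_server(name, spec, registry)
        report[name] = {"class": cls, "findings": findings}
    shadow = sum(1 for r in report.values() if r["class"] == "shadow")
    weak = sum(1 for r in report.values() if r["class"] == "weak")
    if shadow == 0 and weak == 0:
        state = "controlled"
    elif shadow == 0:
        state = "drifting"
    elif shadow < len(report):
        state = "exposed"
    else:
        state = "uncontrolled"
    return state, report


def disabled_config(config_text, report):
    """Exercise the disable path: return the config dict with shadow servers removed."""
    config = json.loads(config_text)
    config["mcpServers"] = {n: s for n, s in config.get("mcpServers", {}).items()
                            if report.get(n, {}).get("class") != "shadow"}
    return config


if __name__ == "__main__":
    state, report = classify_footprint(SAMPLE_CLIENT_CONFIG, SAMPLE_REGISTRY)
    print("footprint state:", state)
    for name, r in report.items():
        print(f"  {name}: {r['class']} - {', '.join(r['findings']) or 'no findings'}")
```

Run against the constructed sample, the footprint lands in the "exposed" state: two registered servers with weak governance (no owner, no logging, credentials sitting in the client config) and one local script that no registry entry covers. The registry is what makes the result defendable; the same script run with an empty registry classifies everything as shadow, which is the honest answer when no allowlist exists.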

What a green result does not mean

A green result does not prove shadow usage is impossible. It means the current footprint appears more governable than the other states and still needs discipline to stay that way.

Why the paid bridge changes by severity

Green and amber results usually need baseline visibility, inventory, and gap analysis first, which sit in ACT Tier 1. Severe red states need formal governance, evidence, and response controls, which sit in ACT Tier 2.

Where to go next

Use the paid bridge when the screening result shows structural visibility gaps, control drift, or containment weakness that require more than another free quiz.

This page is informational only. It does not provide legal advice, compliance certification, or an audit conclusion.

Shadow MCP Exposure Check FAQ

What does this tool classify as shadow MCP?
It classifies unmanaged, local, containerized, unapproved, or weakly governed MCP usage that sits outside a defendable enterprise registry, ownership model, logging baseline, or disable path.
Does a green result mean shadow usage is impossible?
No. It means the current MCP footprint appears more governable than the other states. Drift can still emerge if visibility, registry discipline, or approval controls weaken.
Why are local and containerized deployments weighted so heavily?
Because they can spread faster than central governance, especially when teams run MCP locally, in containers, or through personal setups that bypass registry and ownership controls.
Why is this tool routed to ACT Tier 1 for some results and ACT Tier 2 for others?
Earlier-maturity results usually need baseline visibility, inventory, and gap analysis first, which sit in ACT Tier 1. Severe red states need formal governance, evidence, and response controls, which sit in ACT Tier 2 Professional.
Does this tool store anything I enter?
No. The assessment runs entirely in the browser. Answers are not stored, synced, or submitted to a server.