Traceforce Launches AI App Security Monitoring

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- Traceforce launches out of YC S26 offering enterprise security monitoring for AI apps including ChatGPT and Claude, deployed as a lightweight binary and browser extension on laptops, sandboxes, and virtual machines.
- The platform maps not just which AI apps are running but how they connect to data sources via MCPs, and ships an open-source dynamic MCP pentesting tool at github.com/traceforce/mcp-xray to detect vulnerable MCPs.
- Traceforce is currently deployed across more than 1,000 devices at 10 organizations, where it discovers an average of 15+ AI applications per device, each connected to 5-10 MCPs.
- Customer deployments have surfaced exposed plaintext secrets in MCP configurations, blocked API keys from leaking through AI-generated code, and warned developers before executing destructive commands such as "DROP TABLE."
- By default, Traceforce collects only metadata and telemetry — user prompts are never stored unless an organization's security administrators explicitly configure it, and all content inspection runs locally on the device.
- Founders Xia and Varun built the company after Xia's tenure as Director of Engineering at Clumio (acquired by Commvault in October 2024) and conversations with 50+ CISOs and CIOs about the visibility gap as AI tools spread faster than security controls.
Why it matters: Security teams at the 10 customer organizations gain visibility into an attack surface traditional endpoint tools miss — AI agent traffic and MCP connections — with Traceforce already live on 1,000+ devices and having caught concrete incidents including plaintext secrets in MCP configs and API key leaks through AI-generated code.




