frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Open in hackernews

Launch HN: Traceforce (YC S26) – Company-wide security monitoring for AI apps

10•XiaHua•1h ago
Hey HN, we’re Xia and Varun, the founders of Traceforce (https://www.traceforce.ai/). Traceforce provides visibility and control over AI apps such as ChatGPT, Claude etc directly on all devices (laptops, sandboxes, virtual machines) by discovering not just which apps are being used but also how they are connected to other data sources via MCPs. We also have an open-source dynamic MCP pentesting tool https://github.com/traceforce/mcp-xray to detect vulnerable MCPs.

The purpose of Traceforce is to:

- Give a company’s employees a standardized way to ensure that AI software running on their device is operating safely

- Give the company’s security team visibility of the activities of AI software on the company’s devices, and to detect and prevent unsafe actions and security breaches as early as possible.

How Traceforce works

1. Traceforce is installed on each device as a lightweight binary and browser extension.

2. Within 30 minutes, the device is uploading live data to the company profile, displaying all the AI agents/apps running across all company devices on a dashboard.

3. Company security staff can monitor the activity of all the agents in real time, implement controls, and be alerted to any security risks as soon as they arise.

Here’s the video demo: https://youtu.be/IdK2WKg7kaM

The inspiration for Traceforce came via Xia’s experience as Director of Engineering at a startup called Clumio (which was acquired by Commvault in Oct 2024). Being able to monitor how team members are using AI without slowing them down was a top priority at Clumio. After speaking with 50+ CISOs and CIOs, it became clear that this is a much-needed solution right now across industries. We keep hearing that new AI features are being adopted so quickly and so broadly that visibility and control just can't keep up.

Traceforce is transparent about what we monitor and collect. By default, Traceforce collects only metadata and telemetry about the AI applications, MCPs, and tools running on a device. Security teams can enable options to inspect tool calls for the purpose of detecting, warning on, or blocking predefined high-risk or potentially destructive actions. All content inspection happens locally on the device. User prompts are never stored unless explicitly configured by the organization's security administrators.

We work closely with end-users of the product, and once they understand what is being monitored/shared, they actually have great comfort that they have a powerful layer of protection on their device to prevent security incidents. It enables them to just focus on their work without worrying about what leaks and breaches may be happening under the hood without their awareness.

The Traceforce binary is built using Go and the browser extension is written in Node JS. The hardest part is building a complete connectivity graph between AI applications, MCPs, and tools, then identifying the vulnerabilities and attack paths introduced by those connections. Traditional security tools fall short: EDRs see processes, CASBs see network traffic, but neither has visibility into the application-level activity happening inside AI apps. The way we got it to work was by understanding the configurations and logs of each and every app. It’s a labor intensive process because every app is different and AI features change frequently.

Traceforce is currently deployed across more than 1,000 devices at 10 organizations. On average, we discover over 15 AI applications per device with each application connected to 5-10 MCPs. We've helped customers identify exposed plaintext secrets in MCP configurations, prevent API keys from leaking through AI-generated code, and warn developers before executing potentially destructive commands such as “DROP TABLE”. Our "warn and acknowledge" approach has been especially well received, giving developers the freedom to work while helping them avoid costly mistakes.

We're looking to work with security, IT, and AI platform teams at small to medium enterprises (200+ employees) that are rapidly adopting AI coding assistants, ChatGPT, Claude, and MCPs. If you're struggling to understand what AI tools people use to boost their productivity or need a practical way to reduce AI-related security risk without slowing folks down, we'd love to talk.

You can get started with a free trial at https://www.traceforce.ai or reach out directly to schedule a demo and discuss your environment.

Comments

XiaHua•1h ago
We are also curious to ask what existing tools are folks using to gain visibility into what's running out there?
bitlad•39m ago
I think you are going in the wrong direction. All EDR providers have this capability now. The actual example of the drop table command that you specified does not execute on the "user's endpoint" anymore.

The fact that you have install another EDR along with this is a no-go.

gk1•21m ago
+1

You're facing competition from both the incumbents who can ship these capabilites to their massive userbase, and emerging startups like Runlayer who are running away with the AI-native segment.

What are you offering that people want yet neither of those classes of solutions offer?

XiaHua•11m ago
Runlayer can be a fit once you know what you want to put behind an MCP gateway.

The challenge we hear from customers is that they don't know what AI apps, MCPs, or tools their employees are actually using. And new things just keep popping up everyday. Without that visibility, it's difficult to know where to apply controls.

XiaHua•16m ago
Thanks for the feedback!

I agree that DROP TABLE executes remotely. The key point is that the decision to invoke the tool is made by coding agents like Claude Code. Traceforce captures those tool calls at the application layer before they're executed.

The gap we focus on is application-level visibility inside AI apps—understanding which MCPs, skills, and tools are connected and what they're doing. A big part of our work has been building an MCP registry so we can accurately identify and classify MCPs, something traditional EDR telemetry doesn't provide.

That said, if your existing EDR already gives you that level of visibility and enforcement, I’d be interested in learning about which EDR you’re using and how it handles MCP and tool-level activity.

California authorizes its DMV to join a national ID database

https://papersplease.org/wp/2026/07/16/gov-newsom-signs-law-to-upload-california-data-to-national...
1•logickkk1•18s ago•0 comments

JD Vance: Jeffrey Epstein had clear connection to Mossad

https://www.ynetnews.com/article/sjyjztremg
2•root-parent•3m ago•0 comments

Airbus migrating 70 critical apps from AWS to France's Scaleway

https://www.theregister.com/paas-and-iaas/2026/07/16/airbus-migrating-70-critical-apps-from-aws-t...
3•rwmj•3m ago•0 comments

AI disruption in private credit: exposure to software firms in BDCs (BIS)

https://www.bis.org/publ/bisbull128.htm
1•aanet•3m ago•1 comments

NASA Dragonfly - a rotorcraft to explore Saturn's moon Titan

https://science.nasa.gov/mission/dragonfly/
1•thinkingemote•4m ago•0 comments

Connect more of your apps to Search

https://blog.google/products-and-platforms/products/search/connected-apps/
1•thm•4m ago•0 comments

Linus Torvalds rebukes anti-AI stances in the Linux kernel code review process

https://www.tomshardware.com/software/linux/linus-torvalds-rebukes-anti-ai-stances-in-the-linux-k...
3•vanburen•5m ago•0 comments

Nintendo Switch Joy-Con Removable Battery Replacement Procedure

https://www.nintendo.com/en-gb/Support/Troubleshooting/Battery-replacement/Joy-Con-L-HAC-015-01-B...
1•haunter•7m ago•0 comments

Please Stop Making Me Opt Out of AI

https://www.wired.com/story/please-stop-making-me-opt-out-of-ai/
2•Brajeshwar•7m ago•0 comments

MergeStat: Query your Git repo with SQL

https://www.mergestat.com/
1•nvahalik•7m ago•0 comments

Young Drivers Are Going 'Psycho' on the Road–and Filming It

https://www.wsj.com/tech/personal-tech/dash-cams-drivers-tiktok-3101b404
1•bookofjoe•8m ago•1 comments

CLR: Checker of Lifetimes and other Refinement types for Zig

https://github.com/ityonemo/clr/
2•lioeters•9m ago•0 comments

SPCX is now Wall Street's most shorted new stock

https://invezz.com/news/2026/07/16/the-worlds-most-valuable-ipo-spcx-is-now-wall-streets-most-sho...
5•lbrito•9m ago•0 comments

Minefield Quiz: Countries of the World with No Borders

https://brilliantmaps.com/world-minefield-game/
1•Kaibeezy•10m ago•0 comments

Pricklypear: Vibeslop Interpreted Lisp with Postgres AST, Written in OCaml

https://pricklypear.rocks/welcome
1•sroerick•15m ago•1 comments

React Native in 2026

https://ben3d.ca/blog/react-native-in-2026
2•bhouston•15m ago•0 comments

Show HN: easy-tz – A fast, 10KB, dependency-free getTimeZonesAt(timestamp)

https://github.com/leeoniya/easy-tz
2•leeoniya•17m ago•0 comments

OneCommander: Modern File Manager for Windows 11 and 10

https://onecommander.com/
3•thunderbong•18m ago•0 comments

Switzerland turned its train tracks into solar power plants

https://www.goodgoodgood.co/articles/switzerland-train-tracks-solar-panels
4•MaysonL•18m ago•1 comments

Show HN: A Claude Code skill that finds dev tools – or stays silent

https://github.com/jaimeramiro-dev/gold-digger
1•jaimeramiro•19m ago•0 comments

Kbd-1.0-Codex-Micro

https://twitter.com/OpenAIDevs/status/2077425991790870644
1•sanj•19m ago•0 comments

Can AI reliably generate dashboards from Excel or CSV files?

https://dashboardbuilder.net/ai-generated-dashboard
1•Garywilson76•21m ago•0 comments

Choosing GPT-5.6 Sol, Terra, or Luna in Codex

https://twitter.com/pvncher/status/2077708372363624894
1•pretext•21m ago•0 comments

Show HN: Pagora AI, WordPress AI page builder that outputs plain HTML/CSS/JS

https://wordpress.org/plugins/pagora-ai/
1•azertyvode•21m ago•0 comments

Show HN: MechArchive – an open, sourced catalog of the robots

https://mecharchive.com/
1•filippogroppi•22m ago•0 comments

The Moment Steven Bartlett Realizes His Podcast Is Compromised [video]

https://www.youtube.com/watch?v=NA8Zf7NSHF0
2•Bender•23m ago•1 comments

Capture Clauses as Effects

https://blog.yoshuawuyts.com/capture-clauses-as-effects/
1•ambigious7777•23m ago•0 comments

Why standard time is better for your health than daylight saving time

https://www.washingtonpost.com/wellness/2026/07/16/why-standard-time-is-better-your-health-than-d...
2•jonah•23m ago•1 comments

AI chatbots are at risk of spreading government restrictions on online speech

https://www.msn.com/en-us/news/world/ai-chatbots-are-at-risk-of-spreading-government-restrictions...
2•galaxyLogic•24m ago•0 comments

Two things every MCP author should add

https://twitter.com/owjuhl/status/2077747945659646233
2•owjuhl•24m ago•0 comments