ZSTRIKE

TO
Engineering and Security Leadership
FROM
eng@zstrike.io
DATE
April 16, 2026
RE
Put policy in the path between AI agents and your production tools

AI agents now reach the systems your team uses to ship, support, and operate the business through MCP. The risk is not that they can read more context. It is that a suggested tool call can edit code, post to the wrong channel, mutate tickets, or touch customer data without a durable control. ZStrike returns an authorization decision before the request reaches the upstream service.

Model Context Protocol (MCP) is the interface many agents use to call external tools. When an agent deletes a file, updates a record, sends a message, or queries operational data, that call can pass through the proxy first.

Deployment: hosted proxy. HTTP and stdio MCP transports. Decisions target under 10 ms.

01 / Incident

INC-2026-0416-03 SEV 1
SUMMARY
Maintenance agent issued a broad delete_records call against prod.customer_records at 03:04 UTC
IMPACT
Production data deletion attempted outside release window
ROOT CAUSE
Authorization enforced only by prompt instruction. No runtime policy in the request path.
DETECTION
Triggered Alex (on-call) via downstream alert at 03:07 UTC · 3 min after the call
FIX
Add an authorization layer in the request path. See § 02

02 / Request Path

ZStrike sits in the request path. Every MCP call crosses a Cedar policy evaluation before the upstream service sees it.

┌───────────────────────┐
│  Agent                │
└───────────┬───────────┘
            │
            ▼
┌───────────────────────┐
│  ZStrike Proxy        │
└───────────┬───────────┘
            │
            ▼
┌───────────────────────┐
│  Cedar evaluation     │
│                       │
│  [ allow / deny ]     │
└───────────┬───────────┘
            │
            ▼
┌───────────────────────┐
│  Upstream service     │
└───────────────────────┘

Cedar is an open-source authorization language that originated at AWS and is now Apache-2.0 with an external contributor community. Security teams get reviewable policies. Operators manage access in the UI without writing Cedar by hand.

Why a proxy, not a wrapper. A wrapper depends on every agent author to call it correctly. A proxy in the request path enforces the same rules whether the call comes from a coding agent, a maintenance script, or a third-party tool you do not control.
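
// Deny destructive actions outside the release window (hours 9 through 16).
forbid(
  principal,
  action in [ServiceMCP::Action::"delete_records",
             ServiceMCP::Action::"drop_table"],
  resource
)
when {
  // >= 17 so the window closes at 5 PM; > 17 would still allow 17:00-17:59.
  context.time.hour < 9 || context.time.hour >= 17
};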

Deny destructive data operations outside the 9 AM – 5 PM release window. One rule, evaluated before the call leaves your boundary.

Destructive writes: Denied outside the release window
Work item updates: Allowed only for approved members
Workspace reads: Limited to approved scopes
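
An added example, not ZStrike's code or the Cedar engine: a small Python model of the decision the policy above describes, showing that a matching forbid overrides a permit, that a call no permit matches is denied by default, and how the window edges behave. It assumes the hour is read in UTC and the window covers hours 9 through 16; the approved-member permit rule, Call, decide, and the sample calls are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

DESTRUCTIVE = {"delete_records", "drop_table"}  # actions named in the policy above
WINDOW = range(9, 17)  # assumption: allowed hours are 9..16 UTC (9 AM to 5 PM)

@dataclass(frozen=True)
class Call:
    principal: str
    action: str
    resource: str
    when: datetime

def forbid_release_window(call: Call) -> bool:
    """Model of the forbid rule: destructive action outside the window."""
    hour = call.when.astimezone(timezone.utc).hour
    return call.action in DESTRUCTIVE and hour not in WINDOW

def decide(call: Call, approved: set) -> dict:
    """Combine rules the way Cedar does: a matching forbid beats any permit,
    and a request that no permit matches is denied by default."""
    if call.when.tzinfo is None:
        # Fail closed: a naive timestamp would be read as local time.
        effect, why = "deny", "timestamp has no timezone"
    elif forbid_release_window(call):
        effect, why = "deny", "forbid: release-window block"
    elif call.principal in approved:  # hypothetical permit rule
        effect, why = "allow", "permit: approved member"
    else:
        effect, why = "deny", "no permit matched (default deny)"
    return {"who": call.principal, "what": f"{call.action} on {call.resource}",
            "when": call.when.isoformat(), "effect": effect, "why": why}

def utc(hour: int, minute: int = 0) -> datetime:
    return datetime(2026, 4, 16, hour, minute, tzinfo=timezone.utc)

# Constructed sample calls; the first mirrors the incident in section 01.
APPROVED = {"alex@company.com"}
SAMPLES = [
    Call("alex@company.com", "delete_records", "prod.customer_records", utc(3, 4)),
    Call("alex@company.com", "delete_records", "prod.customer_records", utc(16, 59)),
    Call("alex@company.com", "delete_records", "prod.customer_records", utc(17, 0)),
    Call("alex@company.com", "list_records", "prod.customer_records", utc(3, 4)),
    Call("unknown@company.com", "list_records", "prod.customer_records", utc(10)),
]

if __name__ == "__main__":
    for call in SAMPLES:
        record = decide(call, APPROVED)
        print(record["effect"].upper(), record["what"], record["when"], "->", record["why"])
```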

03 / Credentials

Each identity brings their own credentials, and the same Cedar policy decides which member, in which context, can use them. Teams avoid shared service accounts while owners keep one policy set per agent.

Member-owned connections
Each approved member connects their own accounts for the services the agent can use. Tool calls run with that member’s credentials, not a shared token.
Encrypted at rest
Tokens stay encrypted at rest and are only used after member-key authentication.
Individual revocation
Remove one member without disrupting the rest of the team.

04 / Outcome

Same agent, same call as § 01 — this time denied at the proxy and recorded. Every decision leaves a record answering who, what, when, and why.

AUDIT-03F4A91 DENIED
WHO
alex@company.com via maintenance-agent from 203.0.113.42 · Ashburn, VA, US
WHAT
database.delete_records on prod.customer_records
WHEN
03:04:18 UTC Apr 16, 2026 · session mcp_sess_7k91
WHY
Matched: release-window block · context.time.hour = 3 (allowed window: 9–17)
effect: forbid · decided in 4 ms

Action ledger
alex@company.com · 03:04 UTC · same minute, same member

Action    Tool                      Decision
act_7k90  database.list_records     allow  AUDIT-03F4A90
act_7k91  database.delete_records   DENY   AUDIT-03F4A91
act_7k92  database.describe_table   allow  AUDIT-03F4A92

05 / Trust

The proxy sees enough to make a Cedar decision and write an audit record. It does not see the contents of your tool calls or their responses.

Tenant isolation: Policies, credentials, and audit records scoped per customer
In transit: TLS
At rest: Encrypted
Audit logs: Yours only — not pooled, not used for training
Tool payloads: Metadata only — arguments and response bodies not logged