Now in design partner deployments

Every AI conversation leaving your network. Discovered. Governed. Secured.

The only network-layer AI traffic security appliance. No client changes. No blind spots.

Get a Demo See How It Works →
gatewayctl watch
$ gatewayctl watch --live
100% Rust
Continuous Unsafe Code Scanning
HSM Key Custody
On-Premises
SOC 2 In Progress

The Hidden Risk

Your employees are using AI you can't see

App-layer proxies only see configured clients. mGateway sees everything.

340

shadow AI applications found in first 48 hours

$670K

average breach cost from shadow AI

IBM 2025

7+

AI services your security team doesn't know about

Capabilities

Three pillars of AI traffic security

Discover

See every AI service on your network. No client changes required.

  • Shadow AI Detection
  • AI Bill of Materials
  • Traffic Visibility by User/Team
  • Model Inventory

Govern

Enforce policy per user, team, model, and tool. Graduate safely.

  • LISTEN / DETECT / ENFORCE
  • RBAC + Per-User Identity
  • Tamper-Evident Audit Trail
  • Content Guardrails

Optimize

Track costs, alert on anomalies, and suggest cheaper models.

  • Cost Attribution by Team
  • Budget Caps & Alerts
  • Cheaper Model Suggestions
  • Token Surge Detection

Architecture

Deployed in 48 hours. Zero client changes.

01

DNS Redirects Traffic

Corporate DNS resolves AI provider domains to the gateway. No client proxy config needed.

Zero client changes
02

TLS MITM Intercepts

Per-host certificates minted on-demand, signed by your enterprise CA. Transparent to applications.

Enterprise CA, HSM-backed
03

Identity Resolved

Every request mapped to a real user via Kerberos, mTLS client certs, or SSO headers.

Know WHO, not just WHICH key
04

Policy Evaluated in <10ms

First-match rule engine checks provider, model, tool, and MCP permissions. LISTEN, DETECT, or ENFORCE.

<10ms P95 added latency
05

Every Decision Audited

Tamper-evident HMAC-signed audit events with full decision trail. Per-tenant isolation.

Compliance-ready from day one

Comparison

Why mGateway

mGateway Portkey Zscaler Kong
Network-layer interception
Shadow AI detection
LISTEN / DETECT / ENFORCE
Enterprise identity (Kerberos/mTLS)
On-premises deployment
Streaming tool/MCP inspection
<10ms added latency
In the first 48 hours, mGateway discovered 340 applications across 7 AI services we didn't know about. Three of those services weren't on our approved vendor list.

VP of Security Engineering

Global Commodities Trading Firm

Pricing

Simple, transparent pricing

Design partners: 90-day free LISTEN mode deployment

Starter

Up to 100 users

$30 /user/mo
  • Traffic visibility by user & team
  • Policy engine (LISTEN/DETECT/ENFORCE)
  • Tamper-evident audit trail
  • Admin UI + gatewayctl CLI
  • Email support
Start Free Trial
Most Popular

Professional

Up to 500 users

$20 /user/mo
  • Everything in Starter, plus:
  • Cost tracking & attribution
  • Budget caps & surge alerts
  • Shadow AI detection & reporting
  • Cheaper model suggestions
  • Priority support
Start Free Trial

Enterprise

500+ users

Custom
  • Everything in Professional, plus:
  • MCP transaction security
  • Content guardrails (PII, injection)
  • Natural language audit queries
  • Custom identity providers
  • Dedicated onboarding + SLA
Contact Sales

Ready to see what's on your network?

Deploy mGateway in LISTEN mode — zero risk, full visibility. See your shadow AI in 48 hours.

Get a Demo Read the Docs →