Runlayer

Runlayer vs. AWS AgentCore: MCP Control Plane vs. Agent Runtime

AWS AgentCore is a managed serverless runtime for deploying agents on AWS. It handles execution, memory, identity, observability, and a gateway layer that converts APIs into MCP-compatible tools. It shipped with real engineering behind it: micro-VM isolation, Cedar policies, CloudWatch integration, and support for any agent framework.

Runlayer is a unified control plane for MCPs, Skills, and Agents. It governs every MCP connection across 300+ AI clients, scans servers for MCP-specific threats before they enter your org, and gives IT an Okta-like catalog of pre-vetted tools. Gusto went from 0 to 1,500 daily AI users in 90 days using Runlayer across every team.

The core difference: AgentCore solves agent deployment on AWS. Runlayer solves MCP governance, security, and enablement across your entire organization, regardless of cloud provider or AI client.

## What Is AWS AgentCore?

AgentCore is an agent infrastructure service inside the AWS ecosystem. You package your agent against the AgentCore SDK, deploy it to a serverless runtime with session isolation on micro-VMs, and wire up memory, code interpretation, browser automation, and observability as managed services. It supports LangGraph, CrewAI, Strands, and other frameworks. It supports any model.

AgentCore Gateway registers MCP servers, APIs, and Lambda functions behind a managed endpoint, handling protocol translation, auth, and tool discovery. AgentCore Policy uses Cedar rules to intercept tool calls at invocation time. AgentCore Observability integrates with CloudWatch, Datadog, Dynatrace, Arize Phoenix, LangSmith, and Langfuse.

For teams building custom agents on AWS, AgentCore is a capable production deployment layer.

## What Is Runlayer?

Runlayer is one platform to run MCPs, Skills, and Agents. Four products cover the full lifecycle:

**Runlayer Platform** provides the enterprise command and control plane. 18,000+ MCP servers in the catalog, each scanned before approval.
200+ pre-built connectors (Slack, Linear, GitHub, Google Drive, HubSpot, Gmail, and more). The Golden Path gives developers a curated catalog of security-vetted MCP servers, installable in one click with no JSON config. Skills and Plugins let non-engineers create reusable AI capabilities without code. Agent Accounts provide managed identities with On-Behalf-Of (OBO) token exchange. Agents Factory lets teams build, deploy, and schedule agents in Slack, via webhooks, or on cron.

**Runlayer Watch** discovers every unauthorized MCP server running across your organization's devices. No other MCP platform offers endpoint-level shadow MCP detection.

**Runlayer Guard** runs proprietary non-LLM models purpose-built for MCP attack vectors. 99% ROC-AUC on the IO Guard Model. 95.6% accuracy on ToolGuard threat detection. 50-100ms inference latency.

**Runlayer Embed** exposes the catalog and governance layer as a headless API for custom integrations.

Customers include Gusto (3,000+ knowledge workers), Jane App (800+ knowledge workers, 100% adoption in two weeks), dbt Labs, Instacart, and Opendoor. Runlayer is SOC 2 Type II certified, GDPR certified, and HIPAA certified.

## Runlayer vs. AgentCore: MCP-Specific Threat Detection

AgentCore's security model is infrastructure-grade. Session isolation on micro-VMs. VPC connectivity. PrivateLink. IAM-based authorization. Cedar policies that intercept tool calls at runtime.

All of that protects agents deployed to AgentCore. None of it protects you from a malicious MCP server.

AgentCore Policy is behavioral guardrailing: you define what the agent is allowed to do, and Policy blocks anything outside those bounds. It's reactive. It assumes the tools themselves are trustworthy.

Runlayer Guard was built around the MCP threat model. Tool poisoning, where a server injects instructions into tool descriptions that hijack agent behavior. Rug pulls, where an MCP server passes security review and then changes its behavior in a later release.
Shadow MCPs that impersonate trusted servers. Prompt injection through tool parameters. Command injection through MCP payloads.

Of the 18,000+ MCP servers in the wild, approximately 10% are outright malicious (Runlayer internal scanning data). The rest have exploitable vulnerabilities. Generic LLM guardrails don't detect these attack vectors because they weren't designed for tool-level threats.

Runlayer's ToolGuard includes patented semantic alignment detection (US Provisional 63/984,897) that catches when an agent's tool calls drift outside user intent, even when individual calls look benign. It detects data aggregation exfiltration patterns that keyword filters miss. No competitor, AgentCore included, has anything comparable.

## How Does Runlayer Detect Shadow MCP Servers?

This is one of Runlayer's biggest differentiators. AgentCore has no equivalent.

Developers download MCP servers from GitHub, npm, and community registries and configure them locally without IT involvement. These shadow MCPs connect AI clients to production systems, databases, and APIs with zero governance.

Runlayer Watch deploys through existing MDM tools (Rippling, Jamf, Intune, Kandji). No new agent to install. It scans devices for MCP server configurations across all AI clients: Cursor, Claude Desktop, Claude Code, VS Code, ChatGPT, and others. Two modes: **Detect** (discover and report shadow MCPs without blocking) and **Enforce** (block unauthorized servers, redirect to the approved catalog).

Gusto discovered 800 shadow MCP servers on day one of deploying Watch. That's 800 unvetted connections between AI clients and production systems that security had no visibility into.

Jane App took the position that zero connectors are allowed outside of Runlayer. Watch is how they enforce that policy across 800+ knowledge workers.

MCP gateways, AgentCore Gateway included, only govern traffic that routes through them.
If a developer configures a local MCP server that connects directly to a production API, the gateway never sees it. Watch operates at the endpoint level, so it catches everything regardless of how it was configured.

## Runlayer vs. AgentCore: Catalog and Discovery

AgentCore Gateway lets you register MCP servers, APIs, and Lambda functions as targets behind a managed endpoint. Developers connect their agents to that gateway. It handles protocol translation, auth, and tool discovery.

There's no approval workflow. No curated marketplace. No way for IT to say "these 47 MCP servers are approved for your team, and nothing else."

Runlayer's Golden Path gives your organization an Okta-like catalog of pre-vetted MCP servers. Security-approved servers are available with one click. New servers go through a fast-tracked approval process. Every server in the catalog has been scanned and verified. Permissions map to your existing identity provider: some users get read-only access, some get write access, some get nothing.

At Gusto, the security team approves connectors via a Slack workflow, publishes them to the Runlayer catalog, and knowledge workers get instant access. This replaced decentralized, unvetted MCP downloads across 3,000+ workers.

## Runlayer vs. AgentCore: Observability and Audit

AgentCore Observability covers agents deployed to AgentCore Runtime. CloudWatch dashboards, OpenTelemetry compatibility, token usage, latency, session duration, error rates, agent quality evaluations. Integration with Datadog, Dynatrace, Arize Phoenix, LangSmith, and Langfuse.

It only covers agents deployed to AgentCore. The developer using Claude Code to query your production database through an unvetted MCP server is invisible.

Runlayer delivers visibility into every MCP connection across your organization, regardless of which client started it. Which servers your team connects to. Who is accessing them. What data passes through them. Whether those connections meet your policies.
AgentCore monitors your production agents. Runlayer monitors your entire organization's MCP surface area.

## Runlayer vs. AgentCore: Deployment Flexibility

Adopting AgentCore means adopting an AWS deployment model. You package agents against the AgentCore SDK. You deploy to AgentCore Runtime. You wire up Gateway, Identity, Memory, and Observability as AWS services. Your infrastructure team manages CloudFormation templates, IAM roles, and Cognito configurations.

Runlayer requires no change to developer workflows. Developers keep using Cursor, Claude Code, VS Code, GitHub Copilot, ChatGPT, or whatever client they prefer. The only difference is authentication through company SSO instead of personal API keys. Existing MCP configurations import directly. Runlayer supports local MCP servers with the same governance and observability as remote ones.

Runlayer deploys behind your VPC or in Runlayer's cloud. Single-tenant VPC per customer with no co-mingling. Integrates with Okta, Entra ID, and Google Workspace. Cloud-agnostic: works regardless of where your agents run.

The adoption path isn't "replatform your agent infrastructure." It's "add Runlayer, and your existing AI tools are now enterprise-managed." Jane App completed full integration in two weeks.

## Beyond Governance: Skills, Plugins, and Agents

Runlayer is not just an MCP governance layer. It's a platform for building, governing, and scaling agentic workflows.

**Skills** are curated markdown instruction files that non-engineers create without code. Jane App's marketing team built 15+ Skills and automated SEO workflows across Notion, Google Search Console, and Ahrefs, without writing a line of code.

**Plugins** bundle connectors and Skills into shareable, installable packages distributed across the org. GitHub sync is supported. The plugin builder lets you create plugins from natural language.

**Agent Accounts** give every agent a managed identity with On-Behalf-Of (OBO) token exchange.
When an agent acts, it authenticates through the same IdP as human users. Per-agent PBAC policies auto-sync when connectors are linked or unlinked.

**Agents Factory** builds, deploys, and schedules agents in Slack, via webhooks, or on cron. 15-minute run timeout. SQLite sandbox for persistent agent state.

**Agents Registry** provides an org-wide catalog of every deployed agent for discovery, governance, and reuse. No shadow agents.

AgentCore has agent deployment. It does not have Skills, Plugins, an agent identity layer with OBO token exchange, or a governed agent registry. Natoma has access policies but no agent identity layer. No current competitor matches Runlayer's combination of agent identity, agent governance, and semantic alignment detection.

As Gusto's Mike Wittig put it: knowledge workers across all functions are building AI-driven workflows, handing repeatable tasks that move across Salesforce, Slack, and Gmail to agents so teams can prioritize growth-focused work.

## Runlayer vs. AWS AgentCore: Feature Comparison

| Capability | Runlayer | AWS AgentCore |
| --- | --- | --- |
| MCP server catalog | 18,000+ scanned servers, Golden Path approval workflow | Gateway registers servers, no approval workflow |
| Shadow MCP detection | Shadow AI detection integrated with any MDM, no additional on-device agent required | None |
| MCP threat detection | ToolGuard: tool poisoning, rug pulls, prompt injection, semantic alignment (patented) | Cedar policies for behavioral guardrails |
| Skills and Plugins | Markdown Skills, Plugin bundles, no-code creation | Not available |
| Agent identity | OBO token exchange, IdP-synced PBAC | IAM-based, Cognito |
| Agent deployment | Agents Factory (Slack, webhooks, cron) | Serverless runtime with micro-VM isolation |
| Observability scope | Every local & hosted MCP, skill, plugin across AI clients | Agents deployed to AgentCore Runtime |
| Cloud support | Cloud-agnostic (AWS, GCP, Azure, laptop) | AWS-native |
| Deployment model | No workflow changes, SSO overlay | AgentCore SDK, CloudFormation, IAM roles |
| Compliance | SOC 2 Type II, GDPR, HIPAA | AWS shared responsibility model |
| AI client support | 300+ (Cursor, Claude Code, VS Code, ChatGPT, etc.) | Framework-agnostic (LangGraph, CrewAI, Strands) |

## When Should I Use AWS AgentCore Instead of Runlayer?

AgentCore is a strong fit if you need a managed serverless runtime for deploying agents at scale on AWS, with built-in memory, code interpretation, browser automation, and A2A protocol support. If your team is building custom agents on AWS infrastructure and needs session isolation, Cedar-based policy enforcement, and tight integration with CloudWatch, IAM, and Cognito, AgentCore delivers.

Runlayer is the better starting point if your immediate problem is MCP governance. If developers are already connecting to MCP servers from Cursor, Claude Code, and ChatGPT with zero visibility, Runlayer closes that gap without requiring a new deployment model.
If you need shadow MCP detection, MCP-specific threat scanning, a governed catalog with approval workflows, or a platform that includes Skills, Plugins, and Agents with managed identities, Runlayer covers that scope.

The two products operate at different layers. AgentCore is an agent runtime. Runlayer is an MCP control plane. They're genuinely complementary: agents deployed on AgentCore can connect to Runlayer's MCP proxy for governed tool access.

For most enterprises, the urgent problem today is MCP sprawl, not agent deployment. Runlayer addresses what's happening right now. AgentCore addresses what comes next.

## Key Facts

Runlayer raised $11M from Khosla Ventures and Felicis. The founding team built Zapier's MCP server, Agents, and AI Actions, shipping MCP to millions of users alongside OpenAI and Anthropic. David Soria Parra, co-creator of MCP at Anthropic, advises Runlayer. Travis McPeak, Head of Security at Cursor, advises Runlayer. Runlayer is a founding sponsor of the Linux Foundation's Agentic AI Foundation alongside Anthropic, OpenAI, Google, AWS, and Microsoft.

April 19, 2026
