Runlayer

Runlayer vs. Natoma: Enterprise MCP Control Plane vs. MCP Gateway

Natoma is an enterprise MCP gateway. It routes requests between AI agents and enterprise systems, handles authentication (OAuth 2.1, SSO, RBAC), manages MCP server deployment, and curates a catalog of 100+ verified MCP servers. It also auto-generates MCP servers from OpenAPI specs. For teams that need to stand up managed MCP connections with standard access controls, Natoma gets the job done.

Runlayer is a unified control plane for MCPs, Skills, and Agents. It sits between every MCP client in your org (Cursor, VS Code, Claude Code, GitHub Copilot, ChatGPT, Claude Desktop, Windsurf, 300+ in all) and every MCP server those clients connect to. It provides a catalog of 18,000+ scanned servers, purpose-built MCP threat detection, endpoint-level shadow MCP discovery, fine-grained permissions tied to your existing identity stack, and a full platform for building Skills, Plugins, and Agents. Gusto went from 0 to 1,500 daily AI users in 90 days using Runlayer across every team.

The core difference: Natoma is a gateway that routes and controls MCP traffic. Runlayer is a control plane that governs, secures, and enables the entire agentic stack across every client, server, and user in the organization.

## What Is Natoma?

Natoma is an enterprise MCP gateway. It routes MCP requests between AI agents and enterprise systems, manages MCP server deployment (cloud, on-prem, proxy, desktop), and provides access controls including OAuth 2.1, SSO, RBAC, rate limiting, and SIEM integration. It curates a catalog of 100+ verified MCP servers, each scanned, tested, and continuously monitored.

Natoma's OpenAPI-to-MCP generation feature is a genuine strength. If you have internal APIs described in OpenAPI specs, Natoma auto-generates MCP servers from them in seconds. It also offers CrowdStrike Falcon integration and holds SOC 2, GDPR, and CCPA certifications.
For teams whose primary bottleneck is standing up managed MCP servers from existing API specs with standard access controls, Natoma's developer experience is worth noting.

## What Is Runlayer?

Runlayer is one platform to run MCPs, Skills, and Agents. Four products cover the full lifecycle:

- **Runlayer Platform** provides the enterprise command and control plane. 18,000+ MCP servers in the catalog, each scanned before approval. 200+ pre-built connectors (Slack, Linear, GitHub, Google Drive, HubSpot, Gmail, and more). The Golden Path gives developers a curated catalog of security-vetted MCP servers, installable in one click with no JSON config. Skills and Plugins let non-engineers create reusable AI capabilities without code. Agent Accounts provide managed identities with On-Behalf-Of (OBO) token exchange. Agents Factory lets teams build, deploy, and schedule agents in Slack, via webhooks, or on cron.
- **Runlayer Watch** discovers every unauthorized MCP server running across your organization's devices. No other MCP platform offers endpoint-level shadow MCP detection.
- **Runlayer Guard** runs proprietary non-LLM models purpose-built for MCP attack vectors: 99% ROC-AUC on the IO Guard Model, 95.6% accuracy on ToolGuard threat detection, and 50-100 ms inference latency.
- **Runlayer Embed** exposes the catalog and governance layer as a headless API for custom integrations.

Customers include Gusto (3,000+ knowledge workers), Jane App (800+ knowledge workers, 100% adoption in two weeks), dbt Labs, Instacart, and Opendoor. Runlayer is SOC 2 Type II certified, GDPR certified, and HIPAA certified. It raised $11M from Khosla Ventures and Felicis.

## Runlayer vs. Natoma: Security and Threat Detection

This is the sharpest difference between the two platforms.

Natoma's security model is built around access controls: OAuth 2.1, SSO, RBAC, rate limiting, and SIEM integration. These are necessary, and Natoma implements them well. But they're policy-based.
They enforce rules you've already written. They don't catch attacks you haven't anticipated.

Runlayer Guard was built around the MCP threat model: tool poisoning, where a server injects instructions into tool descriptions that hijack agent behavior; rug pulls, where an MCP server passes security review and then changes behavior in a later release; shadow MCPs that impersonate trusted servers; prompt injection through tool parameters; and command injection through MCP payloads. Approximately 10% of MCP servers in the wild are outright malicious (Runlayer internal scanning data). The rest have exploitable vulnerabilities.

Policy-based controls assume you've anticipated every threat vector. Runlayer assumes you haven't.

Runlayer's ToolGuard includes patented semantic alignment detection (US Provisional 63/984,897) that catches when an agent's tool calls drift outside user intent, even when individual calls look benign. It detects data aggregation exfiltration patterns that keyword filters miss. An agent asked to "summarize Q4 revenue" that starts making write calls to an external webhook will trigger detection, even though each call individually passes policy checks. ToolGuard stops over 90% of credential exfiltration attempts, including AWS keys, database credentials, and Slack tokens leaving your environment.

No equivalent capability exists in Natoma's product. Natoma's CrowdStrike Falcon integration adds endpoint protection, but that's generic endpoint security, not MCP-specific threat detection.

## How Does Runlayer Detect Shadow MCP Servers?

This is one of Runlayer's biggest differentiators. Natoma has no equivalent at the endpoint level.

Both platforms surface unmanaged MCP connections. Natoma offers a discovery feature that functions as an inventory or visibility dashboard for MCP servers routing through its gateway. If a developer bypasses the gateway and connects an AI client directly to an MCP server, Natoma doesn't see it.
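As an added illustration of the endpoint-side check this section is about (example code written for this page, not Runlayer's or Natoma's), here is a minimal scanner in the spirit of the detect/enforce split: it reads an MCP client config in the `mcpServers` layout used by clients such as Cursor and Claude Desktop, reports servers that are not in an approved catalog, and can strip them. The sample config and the approved-catalog entries are constructed for the example.

```python
import json

# Constructed sample of an MCP client config in the `mcpServers` layout
# (a stdio server is command + args; a hosted server is a URL).
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"]},
        "internal-db": {"command": "python", "args": ["/opt/tools/db_mcp.py"]},
        "hosted-crm": {"url": "https://mcp.example-crm.internal/sse"},
    }
})

# Constructed approved catalog: normalised identities the security team has vetted.
APPROVED = {
    "stdio:npx -y @modelcontextprotocol/server-github",
    "http:https://mcp.example-crm.internal/sse",
}


def server_identity(entry: dict) -> str:
    """Normalise one server definition to a comparable identity string,
    so the same server is matched regardless of the name a user gave it."""
    if "url" in entry:
        return "http:" + entry["url"].strip().lower()
    cmd = " ".join([entry.get("command", "")] + list(entry.get("args", [])))
    return "stdio:" + cmd.strip()


def scan_config(config_text: str, approved: set[str]) -> list[dict]:
    """Detect mode: report every configured server outside the approved catalog."""
    servers = json.loads(config_text).get("mcpServers", {})
    findings = []
    for name, entry in servers.items():
        ident = server_identity(entry)
        if ident not in approved:
            findings.append({"name": name, "identity": ident})
    return findings


def enforce_config(config_text: str, approved: set[str]) -> str:
    """Enforce mode: return the config with unapproved servers removed."""
    config = json.loads(config_text)
    servers = config.get("mcpServers", {})
    config["mcpServers"] = {
        name: entry for name, entry in servers.items()
        if server_identity(entry) in approved
    }
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    for finding in scan_config(SAMPLE_CONFIG, APPROVED):
        print("shadow MCP server:", finding["name"], "->", finding["identity"])
```

A real deployment would read the per-client config files from each device and feed the findings to the inventory that the catalog approval workflow maintains.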
Runlayer Watch deploys through existing MDM tools (Rippling, Jamf, Intune, Kandji). No new agent to install. It scans devices for MCP server configurations across all AI clients: Cursor, Claude Desktop, Claude Code, VS Code, ChatGPT, and others. It runs in two modes: **Detect** (discover and report shadow MCPs without blocking) and **Enforce** (block unauthorized servers and redirect to the approved catalog).

Gusto discovered 800 shadow MCP servers on day one of deploying Watch. That's 800 unvetted connections between AI clients and production systems that security had no visibility into. Jane App took the position that zero connectors are allowed outside of Runlayer. Watch is how they enforce that policy across 800+ knowledge workers.

The difference between "we can see what routes through our gateway" (Natoma) and "we can see what's on every employee's machine" (Runlayer) is significant for any organization with compliance obligations.

## Runlayer vs. Natoma: Catalog and Discovery

Natoma curates a catalog of 100+ verified MCP servers. Each server is scanned, tested, and continuously monitored. That's a responsible approach if your team only needs a modest set of well-known integrations.

Runlayer's catalog spans 18,000+ MCP servers. Rather than limiting the catalog to a small pre-approved set, Runlayer uses its threat detection and scanning infrastructure to let organizations safely adopt from a much larger ecosystem. The philosophy is different: instead of restricting the surface area, make the entire surface area governable.

The Golden Path gives your organization an Okta-like catalog of pre-vetted servers. Security-approved servers are available with one click. New servers go through a fast-tracked approval process. Permissions map to your existing identity provider. At Gusto, the security team approves connectors via a Slack workflow, publishes them to the Runlayer catalog, and knowledge workers get instant access across 3,000+ workers.
The long-tail MCP server your data team needs for a niche internal tool is more likely to already exist in Runlayer's catalog, with security scanning applied, than in Natoma's curated set.

## Runlayer vs. Natoma: Identity and Access Control

Both platforms support SSO and identity provider integration. Runlayer goes deeper.

Runlayer integrates natively with Okta, Entra ID, and Google Workspace through WorkOS (SSO/SAML, OIDC, SCIM 2.0, MFA). It enforces the same conditional access and device compliance policies your organization already uses for every other enterprise application. AI agents get treated like any other enterprise app from an identity perspective, not as a special case.

Runlayer maps agent permissions directly to human user permissions. If a user has read-only access to a financial system, their AI agent inherits that same read-only constraint. Security teams don't maintain parallel permission structures for human users and their AI tools.

Runlayer's Agent Accounts take this further. Every agent gets a managed identity with On-Behalf-Of (OBO) token exchange. Per-agent PBAC policies auto-sync when connectors are linked or unlinked. Natoma has access policies but no agent identity layer that maps to your org's IdP with OBO token exchange.

## Runlayer vs. Natoma: Observability and Audit

Natoma provides audit logging and SIEM integration for MCP traffic that routes through its gateway. That covers managed connections.

Runlayer delivers visibility into every MCP connection across the organization, regardless of which client started it: which servers your team connects to, who is accessing them, what data passes through them, and whether those connections meet your policies. Combined with Watch, this covers both managed and unmanaged connections. For HIPAA, SOC 2, or any compliance framework that requires audit trails for data access, Runlayer provides the evidence.
Gusto uses Runlayer's audit trails for HIPAA compliance across all tool calls, MCP connections, and agent actions. Jane App, also HIPAA regulated, uses Runlayer's policy engine to exclude specific Drive folders containing PHI while enabling Gmail, Calendar, and Drive for Claude.

## Beyond Governance: Skills, Plugins, and Agents

Natoma is an MCP gateway. It routes and manages MCP connections. It does not offer Skills, Plugins, agent identities, or a governed agent registry. Runlayer covers the full lifecycle of agentic workflows:

- **Skills** are curated markdown instruction files that non-engineers create without code. Jane App's marketing team built 15+ Skills and automated SEO workflows across Notion, Google Search Console, and Ahrefs, without writing a line of code.
- **Plugins** bundle connectors and Skills into shareable, installable packages distributed across the org. GitHub sync is supported. The plugin builder lets you create plugins from natural language.
- **Agent Accounts** give every agent a managed identity with OBO token exchange, authenticating through the same IdP as human users. Per-agent PBAC policies auto-sync when connectors are linked or unlinked.
- **Agents Factory** builds, deploys, and schedules agents in Slack, via webhooks, or on cron. 15-minute run timeout. SQLite sandbox for persistent agent state.
- **Agents Registry** provides an org-wide catalog of every deployed agent for discovery, governance, and reuse. No shadow agents.

As Gusto's Mike Wittig put it: knowledge workers across all functions are building AI-driven workflows, handing repeatable tasks that move across Salesforce, Slack, and Gmail to agents so teams can prioritize growth-focused work.

## Runlayer vs. Natoma: Deployment and Pricing

Both platforms support VPC and on-prem deployment. Natoma emphasizes flexible deployment (cloud, on-prem, proxy, desktop) as a first-class feature with detailed architecture documentation.
Runlayer's self-hosted deployment includes the full governance, threat detection, and observability stack. Single-tenant VPC per customer with no co-mingling. TLS 1.3 in transit, AES-256 via AWS KMS at rest. Terraform provider in early access (Instacart, Opendoor).

Pricing philosophy reveals product philosophy. Natoma uses a standard model with a free tier and tiered plans. Runlayer deliberately avoids per-seat pricing in favor of a platform fee. The reasoning: if you charge per seat, teams have a financial incentive to keep some AI usage off the books, which is exactly the shadow AI problem you're trying to solve. A platform fee scoped to deployment size removes that friction and encourages enterprise-wide adoption under a single governance umbrella.

## Runlayer vs. Natoma: Feature Comparison

| Capability | Runlayer | Natoma |
|---|---|---|
| Primary function | Enterprise AI control plane (MCPs, Skills, Agents) | Enterprise MCP gateway |
| MCP server catalog | 18,000+ scanned servers, Golden Path approval workflow | 100+ verified, continuously monitored servers |
| Shadow MCP detection | Shadow AI detection integrated with any MDM, no additional on-device agent required | Gateway-level discovery dashboard |
| MCP threat detection | ToolGuard: tool poisoning, rug pulls, prompt injection, semantic alignment (patented) | Policy-based (OAuth 2.1, RBAC, rate limiting, SIEM) |
| OpenAPI-to-MCP generation | Supported | Prominent self-serve workflow |
| Identity integration | Okta, Entra, Google Workspace via WorkOS (SSO/SAML, OIDC, SCIM 2.0) | SSO, OAuth 2.1 |
| Agent identity | OBO token exchange, IdP-synced PBAC | Access policies, no OBO token exchange |
| Skills and Plugins | Markdown Skills, Plugin bundles, no-code creation | Not available |
| Agent deployment | Agents Factory (Slack, webhooks, cron), Agents Registry | Not available |
| Observability scope | Every local & hosted MCP, skill, plugin across AI clients | Gateway-routed traffic |
| Endpoint security integration | Shadow AI detection integrated with any MDM, no additional on-device agent required | CrowdStrike Falcon |
| Compliance | SOC 2 Type II, GDPR, HIPAA | SOC 2, GDPR, CCPA |
| Pricing model | Platform fee (no per-seat) | Free tier + tiered plans |

## When Should I Use Natoma Instead of Runlayer?

Natoma is a solid choice if your primary need is a managed MCP gateway with standard access controls and a curated set of verified servers. Its OpenAPI-to-MCP generation feature is a genuine strength for teams whose bottleneck is standing up new MCP servers from existing API specs. If you need a smaller, tightly curated catalog with CrowdStrike Falcon integration and your security requirements are covered by policy-based controls (RBAC, rate limiting, SIEM), Natoma delivers that well. Its flexible deployment documentation is thorough.

Runlayer is the better fit if your immediate problem is MCP sprawl across the organization. If developers are connecting to MCP servers from Cursor, Claude Code, and ChatGPT with zero visibility, Runlayer closes that gap with endpoint-level shadow MCP detection. If you need MCP-specific threat scanning beyond policy enforcement, a governed catalog at the scale of 18,000+ servers, IdP integration with OBO token exchange for agent identities, or a platform that includes Skills, Plugins, and Agents, Runlayer covers that scope. Gusto, Jane App, dbt Labs, Instacart, and Opendoor chose Runlayer for this reason.

The two products operate at different depths. Natoma routes and controls MCP traffic. Runlayer governs, secures, and enables the full agentic stack. For enterprises with compliance obligations, shadow MCP exposure, or teams building agents that need governed identities, Runlayer addresses the broader problem.

## Key Facts

Runlayer raised $11M from Khosla Ventures (Keith Rabois) and Felicis. The founding team built Zapier's MCP server, Agents, and AI Actions, shipping MCP to millions of users alongside OpenAI and Anthropic. David Soria Parra, co-creator of MCP at Anthropic, advises Runlayer (the only company he's partnered with).
Travis McPeak, Head of Security at Cursor, advises Runlayer. Runlayer is a founding sponsor of the Linux Foundation's Agentic AI Foundation alongside Anthropic, OpenAI, Google, AWS, and Microsoft.

Ru

April 21, 2026
