The response-side scanning gap is real. I've been building agent infrastructure and noticed the same blind spot. Most security tooling assumes the server is trusted once you've decided to connect, but MCP servers are arbitrary code endpoints, and prompt injection through tool responses is one of the harder attack vectors to defend against because the agent has to parse the response to do anything useful.

Curious about the regex approach at scale. With agents connecting to dozens of MCP servers simultaneously, how does latency overhead look in practice? The microsecond claim for individual checks makes sense, but the pattern set must grow fast as you add coverage for new attack vectors. At what point would you need to batch or cache pattern compilations?

The monitor mode default is smart for adoption. Did you find that teams who started in monitor mode actually switched to enforcement? In my experience with security proxies, monitor mode tends to become permanent.