Threat Monitoring and Advanced Controls

Overwatch provides comprehensive threat monitoring capabilities and granular controls to protect your AI agents. This guide covers how to view security threats, understand threat categories, and configure advanced access controls using Cedar policies.

Threat Monitoring

Overwatch continuously monitors MCP server interactions and automatically scans for security vulnerabilities. Threats are detected using YARA rules and validated through Cedar policies, providing real-time protection against malicious or dangerous operations.

Threat Categories

Overwatch detects and categorizes security threats across multiple categories:

Command Injection

Detects attempts to execute system commands or shell scripts:

Shell command execution (shell, bash, sh)
System execution calls (system.exec, process.spawn)
Script injection patterns

Prompt Injection

Identifies prompt injection and jailbreak attempts:

Instruction override patterns ("ignore all previous instructions")
Mode manipulation attempts ("developer mode", "god mode")
System prompt extraction attempts
Role manipulation patterns

Secrets Leakage

Detects exposure of sensitive credentials and secrets:

API keys and tokens
AWS access keys and secrets
GitHub tokens
SSH private keys
JWT tokens
Bearer tokens
Database credentials

Path Traversal

Identifies path traversal vulnerabilities:

Access attempts to sensitive directories (/etc, /var, /root)
Credential file access (.env, .pem, .ssh/*, .aws/*)
System directory traversal

SQL Injection

Detects SQL injection patterns in requests:

SQL command patterns
Database query manipulation attempts

Cross-Origin Escalation

Identifies cross-origin request vulnerabilities:

Unauthorized cross-origin access attempts
Privilege escalation patterns

SSRF (Server-Side Request Forgery)

Detects SSRF attack attempts:

Requests to private IP ranges (RFC1918)
Loopback address access
Link-local address access

Severity Levels

Threats are classified by severity levels for prioritization:

Severity	Description	Action Required
Critical	Immediate security risk requiring urgent attention	Block immediately, investigate root cause
High	Significant security risk	Block and investigate within 24 hours
Medium	Moderate security risk	Review and address within 48 hours
Low	Minor security concern	Monitor and review periodically
None	No security issues detected	No action required

Viewing Threats in IDE

The Overwatch extension provides multiple ways to view and monitor security threats directly in your IDE.

The Overwatch sidebar panel provides a tree view of all MCP servers and their security status.

Open the Overwatch sidebar:
- Click the Overwatch icon in the Activity Bar
- Or use Command Palette: "Overwatch: Open Threats"
View server threat summaries:
- Each server shows threat count and top severity level
- Server capability counts (Tools, Resources, Prompts) displayed as [T:X R:Y P:Z]
- Color-coded icons indicate severity (green=OK, red=critical, orange=high, yellow=medium)
Expand server entries to view individual issues:
- Click on a server to see detailed security issues
- Each issue shows severity and description
- Click any issue to open the detailed server report

Status Indicators

Scanning: Shows "Scanning MCP servers..." while scan is in progress
Empty State: Shows "No scan results yet" when no scans have been run
Server Status: Each server shows OK or issue count with severity

Threats Dashboard Webview

The Threats Dashboard provides a comprehensive web-based view of security threats.

Opening the Dashboard

Command Palette Method:
- Open Command Palette (Cmd/Ctrl + Shift + P)
- Run "Overwatch: Open Threats Dashboard"
From Sidebar:
- Click on any server in the sidebar to open its detailed report
- Or use Command Palette: "Overwatch: Open Threats Dashboard"

Overview Dashboard

The overview dashboard shows:

Summary Cards: Total issues, Critical, High, Medium, Low counts
Server List: All servers with issue counts and top severity
Click to Drill Down: Click any server to view detailed report

Server-Specific Report

Clicking a server opens a detailed report showing:

Server Information:

Server name
Total security issues
Top severity level
Scan status (completed or failed)

Capabilities Overview:

Tools count
Resources count
Prompts count

Tools Section:

List of all tools exposed by the server
Security status per tool (OK or issue count)
Tool descriptions
Visual indicators for tools with issues

Resources Section:

List of all resources available
Resource types and MIME types
Resource descriptions

Prompts Section:

List of all prompts available
Prompt descriptions

Security Issues Section:

Tool-specific issues grouped by tool
General server issues
Severity indicators for each issue
Detailed issue descriptions

Raw JSON:

Expandable raw scan result for debugging

Status Bar Indicators

The status bar provides real-time threat monitoring:

Protection Status:

"Overwatch: ON" - Protection is active
"Overwatch: OFF" - Protection is disabled

Threat Count:

Shows total number of security issues detected
Color-coded by severity (red for critical, orange for high)
Updates automatically when threats are detected

Click Actions:

Click status bar to toggle protection
Click to open quick actions menu
Access threats dashboard from status bar menu

Viewing Threats on Web

Overwatch integrates with the Javelin web dashboard for comprehensive threat monitoring and analysis.

Threat Alerts Page

The Threat Alerts page in the Javelin dashboard provides a centralized view of all security incidents:

Access:

Navigate to Threat Alerts in your Javelin dashboard
View all threats from Overwatch-protected MCP servers

Features:

Centralized Hub: Aggregate security events from all sources
Alert Categories: Filter by threat type (see Threat Alerts Documentation)
Interactive Filters: Click category cards to filter requests
Request List View: Detailed list with request time, model, provider, status
Detailed Insights: Click any request to see full details
Time Filters: Filter by last 24 hours, 7 days, 30 days, or 365 days
Application/Route Filters: Filter by specific applications or routes

Threat Categories Available:

Command Injection
SQL Injection
Path Traversal
Secrets Leakage
Prompt Injections
Jailbreak Attempts
Sensitive Data (PII, PHI)
And more (see Threat Alerts for complete list)

Chronicles and Audit Logs

All Overwatch-protected requests are logged in Javelin Chronicles:

Access:

Navigate to your Application's Chronicles tab
View all MCP requests made through Overwatch

Information Available:

Request and response data
Tool invocations
Guardrail checks applied
Security decisions made
Policy violations

This provides a complete audit trail for compliance and security analysis.

Advanced Controls

Overwatch provides granular access controls using Cedar policies. You can blacklist or whitelist servers, tools, file paths, and HTTP endpoints to meet your organization's security requirements.

Blacklisting MCP Servers

Block access to specific MCP servers using Cedar forbid rules.

Example: Block All Tools from a Specific Server

// Block all tools from the playwright server
forbid (
  principal == User::"mcp_client",
  action == Action::"call_tool",
  resource
) when {
  context has server_name &&
  context.server_name == "playwright"
};

Example: Block Server Connection

// Prevent connection to a specific server
forbid (
  principal == User::"mcp_client",
  action == Action::"connect_server",
  resource == Server::"untrusted_server"
);

Whitelisting/Allowlisting

Use allowlists to explicitly permit only approved servers, tools, or endpoints.

Server Allowlists

Allow only specific MCP servers:

// Default: deny all servers
forbid (
  principal == User::"mcp_client",
  action == Action::"connect_server",
  resource
);

// Explicitly allow approved servers
permit (
  principal == User::"mcp_client",
  action == Action::"connect_server",
  resource == Server::"filesystem"
);

permit (
  principal == User::"mcp_client",
  action == Action::"connect_server",
  resource == Server::"web_search"
);

Tool Allowlists

Allow only specific tools from approved servers:

// Allow only read operations from filesystem server
permit (
  principal == User::"mcp_client",
  action == Action::"call_tool",
  resource
) when {
  context has server_name &&
  context.server_name == "filesystem" &&
  (resource == Tool::"read_file" ||
   resource == Tool::"list_directory")
};

// Block all other tools
forbid (
  principal == User::"mcp_client",
  action == Action::"call_tool",
  resource
) when {
  context has server_name &&
  context.server_name == "filesystem"
};

HTTP Endpoint Allowlists

Control which external services can be accessed:

// Block all HTTP requests by default
forbid (
  principal == User::"mcp_client",
  action == Action::"http_request",
  resource
);

// Allow only approved external APIs
permit (
  principal == User::"mcp_client",
  action == Action::"http_request",
  resource == HttpEndpoint::"https://api.example.com"
);

permit (
  principal == User::"mcp_client",
  action == Action::"http_request",
  resource == HttpEndpoint::"https://api.github.com"
);

Tool Restrictions

Control which tools can be executed, either globally or per-server.

Global Tool Restrictions

Block dangerous tools across all servers:

// Block shell command execution globally
forbid (
  principal == User::"mcp_client",
  action == Action::"call_tool",
  resource == Tool::"shell"
);

// Block file deletion globally
forbid (
  principal == User::"mcp_client",
  action == Action::"call_tool",
  resource == Tool::"fs.delete"
);

Per-Server Tool Controls

Allow or block specific tools per server:

// Allow only safe tools from filesystem server
permit (
  principal == User::"mcp_client",
  action == Action::"call_tool",
  resource
) when {
  context has server_name &&
  context.server_name == "filesystem" &&
  (resource == Tool::"read_file" ||
   resource == Tool::"write_file" ||
   resource == Tool::"list_directory" ||
   resource == Tool::"create_directory")
};

// Block dangerous filesystem operations
forbid (
  principal == User::"mcp_client",
  action == Action::"call_tool",
  resource
) when {
  context has server_name &&
  context.server_name == "filesystem" &&
  (resource == Tool::"delete_file" ||
   resource == Tool::"execute_file" ||
   resource == Tool::"move_file")
};

File Path Controls

Control file system access by restricting or allowing specific paths.

Blocking Sensitive Directories

// Block access to sensitive system directories
forbid (
  principal == User::"mcp_client",
  action in [Action::"read_file", Action::"write_file"],
  resource
) when {
  context has path &&
  (context.path like "/etc/*" ||
   context.path like "/var/*" ||
   context.path like "/proc/*" ||
   context.path like "/sys/*" ||
   context.path like "/root/*" ||
   context.path like "*/.env" ||
   context.path like "*.pem" ||
   context.path like "*/id_*" ||
   context.path like "*/.ssh/*" ||
   context.path like "*/.aws/*")
};

Workspace-Only Access

Allow access only to workspace and temporary files:

// Allow workspace and temporary file access
permit (
  principal == User::"mcp_client",
  action in [Action::"read_file", Action::"write_file"],
  resource
) when {
  context has path &&
  ((context has is_within_workspace &&
    context.is_within_workspace == true) ||
   context.path like "/tmp/*" ||
   context.path like "/var/tmp/*" ||
   context.path like "./tmp/*" ||
   context.path like "*/tmp/*" ||
   context.path like "~/tmp/*")
};

Path-Specific Restrictions

Block or allow specific file patterns:

// Block access to credential files
forbid (
  principal == User::"mcp_client",
  action == Action::"read_file",
  resource
) when {
  context has path &&
  (context.path like "*/.env" ||
   context.path like "*/.env.local" ||
   context.path like "*/.env.production" ||
   context.path like "*.key" ||
   context.path like "*.pem")
};

// Allow access to specific project directories
permit (
  principal == User::"mcp_client",
  action in [Action::"read_file", Action::"write_file"],
  resource
) when {
  context has path &&
  (context.path like "/home/user/projects/**" ||
   context.path like "/workspace/**")
};

HTTP Controls

Control HTTP requests to prevent SSRF attacks and restrict external access.

SSRF Protection

Block requests to private networks:

// Block requests to private/internal networks (SSRF protection)
forbid (
  principal == User::"mcp_client",
  action == Action::"http_request",
  resource
) when {
  context has ip_address &&
  (context.ip_address like "127.*" ||      // IPv4 loopback
   context.ip_address like "10.*" ||       // RFC1918
   context.ip_address like "172.16.*" ||   // RFC1918 subset
   context.ip_address like "192.168.*" ||  // RFC1918
   context.ip_address like "169.254.*" ||  // IPv4 link-local
   context.ip_address == "::1" ||          // IPv6 loopback
   context.ip_address like "fc*" ||        // IPv6 unique local
   context.ip_address like "fd*")          // IPv6 unique local
};

Allowed Endpoint Patterns

Allow requests only to specific domains:

// Allow only requests to approved external domains
permit (
  principal == User::"mcp_client",
  action == Action::"http_request",
  resource
) when {
  context has url &&
  (context.url like "https://api.example.com/*" ||
   context.url like "https://api.github.com/*" ||
   context.url like "https://*.trusted-domain.com/*")
};

// Block all other HTTP requests
forbid (
  principal == User::"mcp_client",
  action == Action::"http_request",
  resource
);

Custom Cedar Rules

Create custom policy rules for organization-specific requirements.

Context-Based Conditions

Use context attributes to create complex conditions:

// Allow read operations only during business hours (example)
permit (
  principal == User::"mcp_client",
  action == Action::"call_tool",
  resource == Tool::"read_file"
) when {
  context has current_hour &&
  context.current_hour >= 9 &&
  context.current_hour <= 17
};

Threat-Based Decisions

Use YARA threat data to make policy decisions:

// Block requests with critical threats
forbid (
  principal == User::"mcp_client",
  action == Action::"process_prompt",
  resource
) when {
  context has max_threat_severity &&
  context.max_threat_severity >= 4
};

// Allow low-severity threats with monitoring
permit (
  principal == User::"mcp_client",
  action == Action::"process_prompt",
  resource
) when {
  context has max_threat_severity &&
  context.max_threat_severity <= 1 &&
  context has monitoring_enabled &&
  context.monitoring_enabled == true
};

Conditional Tool Access

Allow tools based on multiple conditions:

// Allow file operations only for workspace files and specific servers
permit (
  principal == User::"mcp_client",
  action in [Action::"read_file", Action::"write_file"],
  resource
) when {
  context has server_name &&
  context.server_name == "filesystem" &&
  context has path &&
  context has is_within_workspace &&
  context.is_within_workspace == true &&
  !(context.path like "*/.env*") &&
  !(context.path like "*/.git/*")
};

Best Practices

Start with Defaults: Use default policies as a foundation, then customize incrementally
Principle of Least Privilege: Only allow what's necessary for legitimate operations
Regular Reviews: Review and update policies as security threats evolve
Test Policies: Validate policies with sample requests before deploying
Document Custom Rules: Add comments explaining why custom restrictions are needed
Monitor Threats: Regularly review threat dashboard to identify new attack patterns
Version Control: Store custom policies in version control for audit and rollback

Configuring Policies - Learn how to create and customize Cedar policies
Overwatch Overview - Understand Overwatch architecture and features
Threat Alerts - View threats in the Javelin web dashboard
Cedar Policy Language - Official Cedar documentation