Governing MCP Servers in Cursor with Stacklok

Stacklok brings enterprise-grade security and governance to MCP servers in Cursor. Enforce policies, audit usage, and enable safe, powerful AI automation.

Enterprises are facing a common challenge when it comes to MCP server management. Developers are excited to use MCP servers to unlock powerful automation—enabling AI agents to interact with real systems, perform actions, and dramatically speed up workflows. For example, developers can inspect real-time production errors, debug code, and submit a PR fix directly in Cursor with the help of MCP servers.

For enterprise security teams, however, MCP introduces a familiar and uncomfortable problem: there is no standardized way to manage or monitor which MCP servers are being used.

The MCP governance problem

Today, organizations are forced to choose between two options for deploying MCP servers.

  1. Block MCP usage: Enterprises can prevent security issues by prohibiting all MCP server usage, which will severely limit developer productivity.
  2. Allow unmanaged MCPs: Developers are allowed to copy-paste servers from Slack or GitHub, reuse personal access tokens, and wire up enterprise secrets with little visibility or control, at the risk of violating company security practices.

In the second case, security teams are left asking critical questions they can’t easily answer:

  • What MCP servers are running?
  • What data is flowing through them?
  • Are they secure?

This is the exact gap Stacklok addresses with our Enterprise MCP Platform.

Defining an MCP platform

An MCP platform must bring enterprise-grade security and governance to MCP server deployment.

Stacklok provides a complete, auditable system for managing MCP servers safely across an organization. At a high level, Stacklok’s Enterprise MCP Platform consists of four core components:

  • The curated Registry lets admins curate a catalog of approved MCP servers with verified configurations. The registry is, in essence, your organization’s app store for AI tools.
  • The secure Runtime deploys MCP servers in isolated containers with only the permissions they need: secrets are encrypted, never stored in plaintext. The runtime can also proxy MCP servers running outside of your organization’s environment.
  • The intelligent Gateway handles all inbound traffic, enforcing organizational policies, managing authentication, and providing centralized audit logging.
  • The developer Portal lets developers self-serve: they can discover any pre-approved MCP server in the registry and install it to any supported client, including Cursor.

With Cursor Hooks integration, Stacklok extends that governance directly into the Cursor agent, preventing it from calling any MCP server not hosted by Stacklok.

Cursor Hooks: Enforcing MCP policies at execution time

Cursor hooks provide a framework to intervene when the Cursor agent is performing a task. While Cursor allows you to plug into different hook events, the Stacklok Cursor hook is used with the `beforeMCPExecution` event. This event fires when an agent tries to make a call to an MCP server. At a high level, the hook prevents unapproved MCP servers from being called.

Specifically, when a Cursor agent tries to make a call to an MCP server, the Stacklok hook script runs and receives the MCP server URL, tool name, and tool arguments. The script returns `approve` if the MCP server is hosted by Stacklok and `deny` if it is not. When a request is denied, the hook returns a human- and agent-friendly explanation so the Cursor user understands why the MCP server is not allowed.
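
A minimal sketch of the approve/deny check described above, added here as an illustration and not Stacklok's hook: the payload field names (`url`, `tool_name`), the output keys (`decision`, `message`) and the host `mcp.corp.example` are assumptions. It compares the parsed hostname exactly against an allowlist and denies anything it cannot verify.

```python
import json
import sys
from urllib.parse import urlsplit

# Assumption: hostnames of the organization's managed MCP gateway (constructed value).
APPROVED_HOSTS = {"mcp.corp.example"}


def _deny(reason: str) -> dict:
    # One explanation readable by both the user and the agent.
    return {"decision": "deny", "message": reason}


def decide(event: dict) -> dict:
    """Return an approve/deny decision for one beforeMCPExecution event."""
    url = event.get("url")                      # assumed field name
    tool = event.get("tool_name", "<unknown>")  # assumed field name
    if not isinstance(url, str) or not url:
        # No URL means the server cannot be shown to be managed: fail closed.
        return _deny(f"Tool '{tool}' blocked: MCP server has no URL to verify.")
    try:
        parts = urlsplit(url)
        # .hostname drops userinfo and port and lowercases the host.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return _deny(f"Tool '{tool}' blocked: MCP server URL is malformed.")
    if parts.scheme.lower() != "https":
        return _deny(f"Tool '{tool}' blocked: MCP server must be reached over https.")
    # Exact match only; substring or suffix checks would accept look-alike hosts.
    if host not in APPROVED_HOSTS:
        return _deny(
            f"Tool '{tool}' blocked: '{host}' is not an approved MCP server. "
            "Install the server from the organization's registry instead."
        )
    return {"decision": "approve"}


if __name__ == "__main__":
    try:
        event = json.load(sys.stdin)
        if not isinstance(event, dict):
            raise ValueError("event is not a JSON object")
        result = decide(event)
    except ValueError:
        # Unparseable input is denied rather than waved through.
        result = _deny("Blocked: hook input could not be parsed.")
    print(json.dumps(result))
```
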

Security or platform teams can install the Stacklok Cursor hook for the entire organization using their existing endpoint management solutions, ensuring consistent configurations and enforcement for all developers using Cursor.

End-to-end governance and observability

By securely integrating Stacklok-managed MCP servers into Cursor, enterprises gain full governance and observability capabilities automatically. 

Unlike other MCP hosting gateways that deny or block MCP calls at the tool level, Stacklok takes a different approach. Admins can pre-filter at run-time which tools from an MCP server are enabled before developers even install that MCP server. This means the Cursor agent doesn’t even see the blocked tools in its context. The context is not polluted with disallowed tools, and there is no fear of the model calling a blocked tool, because for the agent that tool simply doesn’t exist. And with the Stacklok Cursor hook, admins have complete control of which servers and tools can be used across their company.

Lastly, everything that happens in Stacklok is logged using OpenTelemetry (OTel). Admins can see server downloads, tool usage, and error rates for all MCP servers across their company. With OTel, metrics and logs can be hooked into any enterprise observability stack like Grafana or Splunk. Security teams get the insight they need to ensure security policies are being met.

Why Stacklok is different

Stacklok isn’t just a gateway—and it’s not just a SaaS wrapper. Stacklok is a complete MCP governance stack and is fully open source. You can deploy it in your own infrastructure, audit the code, and maintain full control over your environment—without sacrificing developer experience.

And Stacklok is differentiated by our desire to build in the open, with the community. If you’re interested in what Stacklok can do, you can get started today via our open source project, ToolHive. ToolHive offers all the critical platform components described above; we encourage you to explore the project on GitHub and engage with us via our Discord channel. 

With Cursor Hooks integration, we’ve extended governance all the way into Cursor. Developers move fast. Security teams stay in control. MCP becomes safe to adopt at scale. The Stacklok Cursor Hook is currently available for macOS and Linux systems. Check it out on GitHub.

By: Laurel Orr

January 13, 2026