What is the SGC Framework?
SGC (Security Governance & Compliance) is Veragent's multi-layer audit pipeline for MCP tools. Unlike traditional app stores that rely on self-reported metadata, SGC runs the tool in a controlled environment and measures its actual behavior against a ruleset of security invariants.
The result is a trust score (0–1) and a risk tier that are computed from real audit evidence, not guesses. Scores below 0 confidence or without a real report ID are surfaced honestly as Heuristic rather than falsely certified.
How the Audit Works
Step 1
Static Analysis
We parse the tool's manifest, permissions, and source (when available). SGC Layer-1 rule checks flag dangerous patterns: broad file system access, network egress without scope limits, shell injection risks.
Step 2
Behavioral Sandbox (Pro)
100+ adversarial scenarios run in an isolated environment. We attempt prompt injection, privilege escalation, data exfiltration, and cross-tool contamination. Any violation drops the certification.
Step 3
Confidence Scoring
Results are aggregated into a 0–1 confidence score and a risk tier (Low / Medium / High / Critical). Only tools with confidence > 0 and a real report ID are labeled SGC Certified.
Step 4
Continuous Monitoring
Published tools are re-evaluated when new versions are released or when the SGC rule layer updates. Certifications can be revoked if behavior changes.
Understanding Trust Tiers
Every tool in the registry displays one of four statuses. Here's what each means:
SGC Certified
Passed Veragent behavioral sandbox audit
The tool was run through 100+ adversarial scenarios in an isolated sandbox. No privilege escalation, prompt injection, or unauthorized data exfiltration was detected.
Heuristic Score
Static analysis passed · Behavioral sandbox pending
Static code analysis passed Veragent rule checks. Full behavioral sandbox is pending; install with caution and review the tool's source before production use.
Audit Pending
Submitted for review - results available soon
The tool has been submitted for a Veragent audit. Results are typically available within 48 hours.
Unaudited
Not submitted for Veragent security review
No audit data available. Use with caution and review source code independently. Submit the tool to receive a free heuristic score.
Our Honest Limitations
- We cannot audit closed-source binaries without source access.
- Heuristic scores are best-effort; they are not a security guarantee.
- Behavioral sandboxes test known attack patterns; novel jailbreaks may not be caught.
- Certification applies to the audited version only; update and re-audit if behavior changes.
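To make the Step 1 static analysis concrete, here is an added example (not Veragent's code or ruleset) of a manifest check for the three pattern classes named there: broad file system access, unscoped network egress, and shell injection risk. The manifest layout, rule names and sample manifests are assumptions constructed for the illustration.

```python
import re

# Assumed manifest layout (not Veragent's schema): permissions.filesystem is a
# list of path globs, permissions.network is True or a list of hosts, and each
# tool may carry an "exec" entry with a command template and a shell flag.
FS_ROOTS = {"", "~"}                      # what "/", "/**", "~/**", "*" reduce to
UNSCOPED_HOSTS = {"*", "0.0.0.0/0", "::/0"}
PLACEHOLDER = re.compile(r"\{\w+\}")      # caller-controlled argument slot


def check_manifest(manifest):
    """Return a sorted list of (rule_id, subject) findings."""
    findings = []
    perms = manifest.get("permissions", {})

    for path in perms.get("filesystem", []):
        # Strip trailing glob and slash characters; a root that remains is broad.
        if path.strip().rstrip("/*") in FS_ROOTS:
            findings.append(("broad-filesystem", path))

    network = perms.get("network") or []
    if network is True:
        findings.append(("unscoped-egress", "network: true"))
    else:
        for host in network:
            if host in UNSCOPED_HOSTS:
                findings.append(("unscoped-egress", host))

    for tool in manifest.get("tools", []):
        spec = tool.get("exec", {})
        command = spec.get("command", "")
        # Arguments interpolated into a string that a shell then parses.
        if spec.get("shell") and isinstance(command, str) and PLACEHOLDER.search(command):
            findings.append(("shell-interpolation", tool.get("name", "?")))

    return sorted(findings)


# Constructed sample manifests for the example.
RISKY = {
    "permissions": {"filesystem": ["/**", "/srv/tool/cache/*"], "network": ["*"]},
    "tools": [{"name": "thumb", "exec": {"command": "convert {src} out.png", "shell": True}}],
}
SCOPED = {
    "permissions": {"filesystem": ["/srv/tool/cache/*"], "network": ["api.example.com"]},
    "tools": [{"name": "thumb", "exec": {"command": ["convert", "{src}", "out.png"], "shell": False}}],
}

if __name__ == "__main__":
    for name, m in (("RISKY", RISKY), ("SCOPED", SCOPED)):
        print(name, check_manifest(m))
```

A clean result from a check like this only says the declared permissions look scoped; it says nothing about what the tool does at run time, which is the gap the behavioral sandbox step covers.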
Ready to get your tool audited?
Free heuristic score in minutes. Full SGC behavioral sandbox on Pro.