Your AI coding tools — Claude Code, Cursor, Codex, Copilot, and more — now route through Unbound. We see every prompt, every terminal command, and every MCP tool call your agents make, and we enforce your policies inline, before anything runs. Nothing changes for your users. Everything changes for your security team. This playbook walks you through what’s in the platform, what each part is for, and how to get value fast.

1. Getting started (5 minutes)

  1. Sign in. Go to your Unbound gateway at gateway.getunbound.ai — or your organization’s custom tenant domain, if you have one.
  2. Connect your first tool. Open Connect → AI Coding Tools, pick your tool, and follow the one-line setup. For Claude Code and Codex, choose Subscription mode — keep your existing Claude / OpenAI subscription while Unbound observes and enforces via hooks.
  3. Roll out to your team (admins). Open Connect → Device Deployment, choose the tool and platform (macOS / Windows), and copy the single MDM install command. It deploys Unbound to every user on a device with no per-user setup.

Once a tool is connected, its activity starts flowing into Unbound immediately.

2. The dashboard — your home base

Your landing page is an at-a-glance health view of your whole org: devices and tools connected, agentic activity (terminal commands and MCP calls), how many actions were blocked / warned / allowed, total spend, and recommendations. It’s built to be skimmed — start here each day, then click into whatever needs attention.

3. See what your AI tools are actually doing

Before you write a single policy, get visibility. Open AI Tools Discovery → Summary. This is your mission control: it inventories every AI tool detected across your org and flags risk. Three things to check on day one:

  • Shadow AI tools. Unsanctioned AI tools users installed on their own. Review the list and decide what’s approved.
  • Unconfigured Full-Auto users. Users running with auto-accept and no deny rules and sandboxing off — the highest-risk setups. The Permissions sub-page shows exactly who.
  • Unverified MCP servers. MCP servers whose publisher is unofficial or unknown. The MCP Servers sub-page flags each one so you can spot shadow MCP.

The other sub-pages — Users, Tools, Tool Rules, Skills, Setup — let you drill into per-user detail. You don’t need them on day one.

4. Tool Policies — guardrails on what AI can do

Tool Policies govern the actions AI agents take — the terminal commands they run and the MCP tools they call — and stop the dangerous ones before they execute. Find them under Policies → Tool Policies.

What each action does

| Action | Stops the operation? | Logged? | What your user sees |
|---|---|---|---|
| Audit | No | Yes | Nothing — it runs normally and you get a log entry |
| Warn | No | Yes | A warning, then it proceeds |
| Block | Yes | Yes | An error explaining the block |
| Require Slack Approval | Pauses | Yes | A Slack DM to approve or deny; the agent retries after the decision (needs the Slack integration) |

Warn is supported on Claude Code and Copilot. On other tools, use Audit or Block instead.

If your users run agentic workflows, start with Audit to learn what’s normal, then tighten to Warn / Block. A hard Block mid-chain returns an error that can interrupt a multi-step agent task.

Three ways to create a policy

  1. Guided form (UI). Open Policies → Tool Policies and click Create Policy, then choose Terminal Commands or MCP Actions. Build the rule with dropdowns: When (command family) → If (field to match + pattern) → Then (action) → optionally scope to User Groups. A live preview shows the rule in plain English as you build it.
  2. Describe it in plain English. The create dialog has a “Describe a policy or paste a command…” box. Type what you want — e.g. “Block any database command that drops or truncates” — and Unbound fills in the form.
  3. Ask your AI agent (CLI). Any user onboarded with the Unbound CLI can ask their agent (Claude Code, Cursor, Codex) to create the policy. The agent runs the unbound CLI for you. Requires the CLI installed and logged in with an Admin role.
    unbound policy tool create-mcp \
      --name "Block destructive GitHub actions" \
      --mcp-server github \
      --mcp-action-type destructive \
      --action BLOCK \
      --custom-message "Destructive GitHub actions are blocked — contact your admin."
    

Command families you can target (terminal commands)

Unbound classifies every command an agent runs into a family, grouped by area:

| Area | Families |
|---|---|
| System | Update System File, Environment Setup, Package Management, Build Operation |
| Filesystem | Read File, Write File, Delete File |
| Process | Process Management, Execute Script, Update Cron |
| Network | Remote Access, Data Transfer, Remote Execution, Container Operation |
| Cloud | Cloud Read, Cloud Provision, Cloud Destroy, Cloud IAM, Cloud Secrets, Cloud Config |
| Security | Access Password, Privilege Escalation, Environment Exposure |
| Git | Git Action |
| Database | Database Read, Database Write, Database Admin |

Each family matches on specific fields — e.g. Database Admin matches on database, table, operation, environment; Delete File matches on path.

Tool Policy Examples

Terminal-command and MCP examples, plus the recommended day-one set — each with a prompt you can give your agent to see the policy fire.

5. Where to find things

| You’re looking for | Go to |
|---|---|
| Every request / prompt through the gateway | Logs |
| Terminal commands AI executed (family, risk, policy match) | Analytics → Tool Use → Terminal Run |
| MCP tool calls AI made | Analytics → Tool Use → MCP Actions |

6. Settings you should know (admins)

Under Settings:
  • Integrations — connect Slack (required for the Require Slack Approval action).
  • Policy Enforcement — choose what happens if Unbound is ever unreachable: Allow (operations run as usual — the default) or Block (operations are denied). Pick based on your risk tolerance.
  • Users & User Groups — invite teammates, assign roles (Admin / Member), and create groups to scope policies to specific teams.

7. Troubleshooting

  • Policy not firing? Confirm it’s Active and scoped to the right user group (empty = everyone).
  • MCP policy not matching? Check the exact MCP server name on the MCP Servers page.
  • Command classified differently than you expected? Open the command in Analytics → Tool Use → Terminal Run — the family and risk score are shown on every entry.
  • “Require Slack Approval” not prompting? Connect Slack under Settings → Integrations.
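
The checks above, together with the action table in section 4 and the Policy Enforcement setting in section 6, can be reasoned about offline with a small model. This is an added Python example, not Unbound's code: the `Policy` and `Event` records, the glob-style pattern matching, and the result labels (`runs`, `denied`, `paused`, `misconfigured`) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

WARN_TOOLS = {"Claude Code", "Copilot"}  # tools the playbook lists as supporting Warn
EFFECT = {"Audit": "runs", "Warn": "runs", "Block": "denied",
          "Require Slack Approval": "paused"}

@dataclass
class Policy:  # hypothetical record, not Unbound's schema
    family: str
    match_field: str
    pattern: str  # glob matching is an assumption
    action: str
    active: bool = True
    groups: set = field(default_factory=set)  # empty = everyone

@dataclass
class Event:  # constructed stand-in for one classified agent command
    tool: str
    user_groups: set
    family: str
    fields: dict

def evaluate(policy, event, gateway_reachable=True,
             on_unreachable="Allow", slack_connected=True):
    """Return (result, reasons) for one policy against one event."""
    if not gateway_reachable:
        # Settings -> Policy Enforcement: Allow fails open, Block fails closed.
        result = "denied" if on_unreachable == "Block" else "runs"
        return result, [f"gateway unreachable, mode={on_unreachable}"]
    skip = []  # reasons the policy does not apply to this event
    if not policy.active:
        skip.append("policy is not Active")
    if policy.groups and not policy.groups & event.user_groups:
        skip.append("user is outside the scoped groups")
    if policy.family != event.family:
        skip.append(f"classified as {event.family}, policy targets {policy.family}")
    elif not fnmatch(str(event.fields.get(policy.match_field, "")), policy.pattern):
        skip.append(f"{policy.match_field} does not match {policy.pattern}")
    if skip:
        return "runs", skip
    if policy.action == "Warn" and event.tool not in WARN_TOOLS:
        return "misconfigured", ["Warn unsupported on this tool; use Audit or Block"]
    if policy.action == "Require Slack Approval" and not slack_connected:
        return "misconfigured", ["connect Slack under Settings -> Integrations"]
    return EFFECT[policy.action], []

# Constructed sample: a Delete File rule scoped to one user group.
RULE = Policy("Delete File", "path", "/etc/*", "Block", groups={"platform"})
CMD = Event("Cursor", {"platform"}, "Delete File", {"path": "/etc/hosts"})
```

With the default Allow setting, the same Block rule that denies `CMD` lets it run whenever the gateway is unreachable, which is the trade-off to weigh when choosing the Policy Enforcement mode.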

Questions? Reach us in Slack or email support@unboundsecurity.ai.