Why enterprises are blocking self-hosted MCPs (and what the alternative looks like)
Enterprise security teams are blocking local MCP servers: tool execution risk, no audit trail, data exfiltration concerns. Here's what the hosted alternative looks like in practice.
Why Enterprises Are Blocking Self-Hosted MCPs (and What the Alternative Looks Like)
Enterprise security teams are beginning to review MCP deployments — and a significant number are blocking local MCP servers entirely before developers can use them. The reasons are consistent, predictable, and not going away.
The four blockers security teams cite
Tool execution risk. A local MCP server executes operations in the user's environment. A browser automation MCP can navigate to arbitrary URLs, interact with web pages, and access anything the user's browser can reach. To a security team, this is an uncontrolled execution surface that an AI model can trigger — similar to how shell-execution tools in AI assistants got blocked at most enterprises last year.
No audit trail. Standard local MCP servers produce no logs by default. Security teams can't answer basic compliance questions: what URLs did the browser visit? What data was extracted? What actions were taken? Without visibility, MCP usage is invisible to the SOC. For regulated industries (finance, healthcare, legal), this is an automatic block.
Data exfiltration vectors. A browser automation MCP that captures screenshots and returns them to an AI model can, in principle, capture sensitive internal dashboards and transmit them to an external AI provider. Whether this is the intended use case is irrelevant to the security review — the vector exists, and enterprise security policy blocks on attack surface, not intent.
Inbound network exposure. Local MCP servers bind to localhost ports. Recent DNS rebinding vulnerabilities in Playwright MCP have demonstrated that this creates an attack surface a malicious website can reach, gaining access to the local MCP server's tools. This specific CVE class has accelerated enterprise blocking decisions.
What the hosted model removes
A hosted MCP server moves the execution surface off the user's machine entirely. The local process is a thin API client that makes outbound HTTPS calls — no browser, no local port binding, no execution environment on the developer's machine.
From the security team's perspective, this is a qualitatively different risk profile. Instead of reviewing "an AI model that can execute arbitrary browser operations on the user's machine," they're reviewing "an outbound HTTPS call to a known API endpoint." That's a review that typically takes a week instead of a quarter.
The specific enterprise objections map cleanly:
| Concern | Self-hosted MCP | Hosted MCP (PageBolt) |
|---|---|---|
| Tool execution surface | Runs on developer's machine | Runs on vendor infrastructure |
| Audit trail | None by default | Full API request logs |
| Data exfiltration vector | Screenshots processed locally, sent to AI | Output stored on vendor CDN, key-scoped |
| Inbound network attack surface | Localhost port exposed | No local port |
| Blast radius if key compromised | Local machine access | Rotatable API key |
The practical path to approval
Most enterprise security reviews of hosted APIs follow a standard pattern: vendor security questionnaire, SOC 2 review, data processing agreement, allowlist the outbound domain. This is a known process with a known timeline.
Local MCP servers don't fit into this pattern at all — there's no vendor to questionnaire, no SOC 2 to review, and no clear answer to "what data leaves our network and when." That's why hosted wins the enterprise approval process even when self-hosted would technically work.
Try it free — 100 requests/month, no credit card. → pagebolt.dev
Get Started Free
100 requests/month, no credit card
Screenshots, PDFs, video recording, and browser automation — no headless browser to manage.
Get Your Free API Key →