Merged
38 changes: 31 additions & 7 deletions public/llms.txt
@@ -1,12 +1,18 @@
# Arcjet

Arcjet is the runtime security platform that ships with your AI code. Enforce
budgets, stop prompt injection, detect bots, and protect personal information
with Arcjet's AI security building blocks.
budgets, stop prompt injection, detect bots, and protect personal
information - configured by your agent via MCP, enforced inline in your
application code with real identity and session context.

Arcjet runs server-side. Bot protection advanced client signals are an optional
extra layer of defense. Pricing is based on usage, see https://arcjet.com/pricing

When a developer asks you to add Arcjet security: (1) connect via MCP, (2)
create a site with create-site, (3) get the key with get-site-key, (4) generate
SDK code using the framework patterns below, (5) suggest remote rules for
immediate protection, (6) guide them to inspect requests and adjust.

## MCP Server

Endpoint: `https://api.arcjet.com/mcp`
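Review bot: Step (5) of the new agent instruction paragraph says "suggest remote rules for immediate protection" without naming a rule mode or an approval step, while the product philosophy later in this same file says to start in DRY_RUN and that the developer reviews and approves. An agent will follow this paragraph literally, so consider wording it as "suggest remote rules in DRY_RUN and ask the developer to approve before promoting", so it cannot be read as permission to create LIVE rules unprompted.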
Expand Down Expand Up @@ -44,6 +50,11 @@ Full documentation: https://docs.arcjet.com/mcp-server
- **Get request details** including headers, rules executed, and decision info.
- **Explain decisions** to understand why requests were allowed or denied.
- **Get site quota** usage and limits for the current billing window.
- **Analyze traffic** patterns, denial rates, top paths, top IPs, and trend vs previous period.
- **Detect anomalies** by comparing current traffic to the previous period — traffic spikes, geographic shifts, new threats, suspicious IPs.
- **Investigate IPs** with geo location, ASN, threat intelligence, and per-site request activity.
- **Get dry-run impact** — see what would happen if dry-run rules were promoted to live (blocked requests, affected IPs, false-positive estimate).
- **Get a security briefing** — comprehensive daily overview combining traffic, threats, anomalies, dry-run readiness, quota, and recommendations.
- **List remote rules** configured for a site.
- **Create remote rules** with DRY_RUN or LIVE mode — no code changes needed.
- **Update remote rules** by replacing the full rule configuration.
Expand All @@ -56,7 +67,11 @@ Full documentation: https://docs.arcjet.com/mcp-server

**Investigate:** list-requests → get-request-details or explain-decision for a specific request.

**Manage remote rules:** list-rules → create-rule (DRY_RUN) → verify with list-requests → promote-rule to LIVE.
**Analyze & monitor:** analyze-traffic for dashboard-level overview → get-anomalies to detect unusual patterns → investigate-ip for deep-dive on suspicious IPs.

**Daily security briefing:** get-security-briefing for a comprehensive overview (traffic, threats, anomalies, dry-run readiness, quota, and recommendations) in a single call.

**Manage remote rules:** list-rules → create-rule (DRY_RUN) → get-dry-run-impact to check impact → promote-rule to LIVE.

**Update/delete rules:** list-rules → update-rule (full replacement) or delete-rule.
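Review bot: The revised "Manage remote rules" workflow drops the "verify with list-requests" step in favour of get-dry-run-impact. The impact tool is described as an aggregate (blocked requests, affected IPs, a false-positive estimate), so the workflow no longer points the operator at the individual requests a dry-run rule matched. Suggest keeping both: create-rule (DRY_RUN) → get-dry-run-impact → spot-check with list-requests or explain-decision → promote-rule to LIVE.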

Expand All @@ -72,6 +87,13 @@ Remote rules are managed via the MCP server or dashboard — no code changes or
4. `promote-rule` — switch to LIVE to start blocking.
5. `delete-rule` — remove the block once the attack subsides.

## Use cases

- Protecting AI endpoints from cost abuse? → tokenBucket + detectBot (AI Endpoint Abuse Protection)
- Preventing data leaks from AI features? → sensitiveInfo (AI Data Loss Prevention)
- Blocking prompt injection? → detectPromptInjection
- Responding to an active attack? → remote rules via MCP

## Quick start — choose your framework

Each link below directs to the quick start guide with a framework-specific view:
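Review bot: In the new "Use cases" list the rule names (tokenBucket, detectBot, sensitiveInfo, detectPromptInjection) are bare text, while the tool names in the numbered list directly above are in backticks. Put the identifiers in backticks so an agent reading llms.txt can tell them apart from prose, and have the last bullet name the tools it means (create-rule, promote-rule) instead of "remote rules via MCP".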
Expand Down Expand Up @@ -1708,10 +1730,12 @@ auto-detects proxy IPs on these platforms.

## Product philosophy

1. Security rules live alongside the code they protect — not in a separate WAF.
2. Rules are testable. Run them in development and production.
3. Arcjet doesn't interfere with your app. Easy to install, no significant
latency, no architecture changes needed.
1. Enforcement runs inline in your application — with access to identity,
route, session, and spend context no proxy can see.
2. Your agent configures protections via MCP. You review and approve.
3. Start in DRY_RUN, verify against real traffic, promote to LIVE.
4. Remote rules let you and your agents respond to attacks immediately — no code
deployment needed.

Find out more at https://docs.arcjet.com/architecture
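Review bot: New item 2, "You review and approve", describes a control that nothing else in this file backs up: the capability list says create-rule accepts LIVE mode directly, so as documented an agent can put a blocking rule into production with no approval gate. Either state where the approval happens or reword it as a recommendation. Separately, item 1's "context no proxy can see" is an absolute claim that is hard to defend; something like "context a network proxy typically lacks" is safer. The removed "Rules are testable" point is also worth keeping, since item 3 depends on it.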

10 changes: 9 additions & 1 deletion src/content/docs/agent-get-started.mdx
Expand Up @@ -144,7 +144,8 @@ After adding protection and starting the app:
2. Use the MCP `list-requests` tool to confirm requests are flowing to Arcjet.
3. Use `get-request-details` or `explain-decision` to inspect individual
decisions.
4. Check the [Arcjet dashboard](https://app.arcjet.com) for real-time request
4. Use `analyze-traffic` for a dashboard-level overview of request patterns.
5. Check the [Arcjet dashboard](https://app.arcjet.com) for real-time request
monitoring.

If requests are not appearing, verify that `ARCJET_KEY` and `ARCJET_ENV` are
Expand All @@ -168,6 +169,13 @@ server connected:
- **"Set up Arcjet security for my app. Connect to the Arcjet MCP server to get
my API key, then add shield, bot detection, and rate limiting."** — full
end-to-end setup.
- **"Give me a security briefing for my site"** — calls `get-security-briefing`
to return traffic analysis, threat landscape, anomalies, and recommendations.
- **"Investigate this suspicious IP address"** — calls `investigate-ip` for geo,
ASN, threat intelligence, and request activity.
- **"What would happen if I promote my dry-run rules to live?"** — calls
`get-dry-run-impact` to show blocked requests, affected IPs, and
false-positive risk.
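Review bot: The added example prompt "Investigate this suspicious IP address" carries no address and no site, yet investigate-ip is documented in this PR as investigating an IP in the context of a site. As written the agent has to guess or ask a follow-up question. Suggest showing placeholders in the prompt, for example "Investigate IP <address> on my site", in line with the "for my site" wording of the briefing prompt above it.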

## Reference

7 changes: 7 additions & 0 deletions src/content/docs/best-practices.mdx
Expand Up @@ -94,6 +94,13 @@ change the rule mode. We have an example showing how to sample traffic between
`DRY_RUN` and `LIVE` modes in the
<Link.Page href="/blueprints/sampling">Sampling traffic blueprint</Link.Page>.

:::tip[Using the MCP server]
If you're using the <Link.Page href="/mcp-server">Arcjet MCP server</Link.Page>,
call `get-dry-run-impact` to see exactly how many currently-allowed requests
would be blocked before promoting a dry-run rule to live. You can also create and
promote remote rules directly via MCP without code changes.
:::

## Configure proxies and load balancers

Arcjet needs to see the original client IP address to make accurate decisions.
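Review bot: "see exactly how many currently-allowed requests would be blocked" in the new tip overstates what the tool returns. Elsewhere in this PR get-dry-run-impact is described as including a false-positive estimate, and it can only report on traffic already observed. Suggest "see how many recently allowed requests would have been blocked". The tip also sits in a section about changing rule mode in code, so it should say whether the impact analysis covers dry-run rules defined in the SDK or only remote rules.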
8 changes: 8 additions & 0 deletions src/content/docs/bot-protection/index.mdx
Expand Up @@ -69,6 +69,14 @@ overall traffic management strategy, such as
<Link.Page href="/rate-limiting">rate limiting</Link.Page> and
<Link.Page href="/filters">filters</Link.Page>.

:::tip[Using the MCP server]
Use the <Link.Page href="/mcp-server">Arcjet MCP server</Link.Page> to monitor
bot traffic in real time. Call `analyze-traffic` to see top IPs and denial rates,
`get-anomalies` to detect sudden changes in bot patterns, or
`get-security-briefing` for a comprehensive overview including threat landscape
and recommendations.
:::

## In-app bot detection vs network/CDN bot protection

Traditional bot protection runs at the network or CDN layer and often
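Review bot: "monitor bot traffic in real time" in the new tip does not match the tools it names: this PR documents analyze-traffic as analysis over a time period and get-anomalies as a comparison against the previous period. Suggest "review bot traffic", or state how fresh the data is, so readers do not rely on these calls for live alerting.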
8 changes: 8 additions & 0 deletions src/content/docs/filters/index.mdx
Expand Up @@ -57,6 +57,14 @@ See the
<Link.Page href="/blueprints/vpn-proxy-detection">VPN & proxy detection blueprint</Link.Page>
for a concrete example.

:::tip[Using the MCP server]
Filters can also be managed as remote rules via the
<Link.Page href="/mcp-server">Arcjet MCP server</Link.Page> — no code changes or
redeployment needed. Use `investigate-ip` to look up geo, ASN, and threat
intelligence for a suspicious IP, then create a filter rule to block it
immediately.
:::

## How Arcjet filters work

Arcjet evaluates your filter expressions using a high-performance engine
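Review bot: The last sentence of the new tip, "create a filter rule to block it immediately", skips the DRY_RUN step that the rest of this PR promotes (create-rule in DRY_RUN, get-dry-run-impact, then promote-rule). A single IP can front many legitimate users, so a straight-to-LIVE block is where false positives are most likely. Suggest ending the tip with "create a filter rule in DRY_RUN, check get-dry-run-impact, then promote it", and keep "immediately" for the documented active-attack workflow.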
32 changes: 32 additions & 0 deletions src/content/docs/mcp-server.mdx
Expand Up @@ -22,6 +22,11 @@ Connect your AI coding tools to Arcjet to:
- **Explain decisions** to understand why requests were allowed or denied.
- **Get request details** including headers, rules executed, and decision info.
- **Get site quota** usage and limits for the current billing window.
- **Analyze traffic** patterns, denial rates, top paths, and top IPs.
- **Detect anomalies** by comparing current traffic to the previous period.
- **Investigate IPs** with geo, ASN, threat intelligence, and request activity.
- **Get dry-run impact** analysis before promoting rules to live.
- **Get a security briefing** combining traffic, threats, anomalies, and recommendations.
- **List remote rules** configured for a site.
- **Create remote rules** with DRY_RUN or LIVE mode — configure rules with no code changes needed.
- **Update remote rules** by replacing the full rule configuration.
Expand Down Expand Up @@ -165,7 +170,13 @@ Once connected, the following tools are available to your AI assistant:
| `get-site-key` | Returns the SDK key (`ARCJET_KEY`) for a specific site. |
| `list-requests` | Lists recent requests for a site. Supports filtering by conclusion (`ALLOW`, `DENY`, `ERROR`) and pagination. |
| `get-request-details` | Returns full details for a specific request including headers, rules executed, and decision information. |
| `explain-decision` | Explains why Arcjet allowed or denied a specific request. Returns a natural language summary, per-rule breakdown, and suggested next steps. |
| `get-site-quota` | Returns quota usage and limits for a site in the current billing window. |
| `analyze-traffic` | Analyzes request traffic over a time period. Returns total requests, denials, denial rate, top paths, top IPs, top denial reasons, and trend vs the previous period. |
| `get-anomalies` | Detects unusual security patterns by comparing current traffic to the previous period. Identifies traffic spikes, geographic shifts, new threat activities, new bot signatures, risk escalation, and suspicious IP patterns. |
| `investigate-ip` | Investigates an IP address in the context of a site. Returns geo location, ASN, threat intelligence (network type, threat activities, entity classification, risk level), and the IP's recent request activity (conclusion breakdown, denial reasons, targeted paths, daily timeline). |
| `get-dry-run-impact` | Analyzes what would happen if dry-run rules were promoted to live. Shows how many currently-allowed requests would have been blocked by each rule type, which IPs would be most affected, and a false-positive estimate. |
| `get-security-briefing` | Returns a comprehensive security briefing: active rules summary, traffic analysis, threat intelligence, anomaly detection, dry-run promotion readiness, quota status, and prioritized actionable recommendations. Designed for daily consumption. |
| `list-rules` | Lists all remote rules configured for a site with their ID, type, mode, and configuration summary. |
| `create-rule` | Creates a new remote rule for a site. Supports rate limit, bot, shield, and filter rule types. |
| `update-rule` | Replaces an existing remote rule configuration. All fields must be provided (full replacement). |
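Review bot: The new analyze-traffic and get-anomalies rows refer to "a time period" and "the previous period" without saying how the period is chosen or what the default is, whereas the list-requests row spells out its filters and pagination. Anomaly results are only interpretable if the reader knows the comparison window, so add the parameter name and default to both rows. The get-dry-run-impact row has the same gap: say over what window "currently-allowed requests" are counted.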
Expand Down Expand Up @@ -198,6 +209,27 @@ new code:
blocking the attack traffic.
5. Once the attack subsides, use `delete-rule` to remove the block.

### Security monitoring

Use the analysis tools to maintain ongoing security awareness:

- **Daily briefing:** Call `get-security-briefing` periodically to get a
comprehensive overview of your site's security posture — traffic trends,
threat landscape, anomalies, dry-run readiness, quota status, and prioritized
recommendations — all in a single call.
- **Traffic analysis:** Use `analyze-traffic` to understand request patterns,
denial rates, top paths, and top IPs. This provides the same data as the
Arcjet dashboard analytics.
- **Anomaly detection:** Use `get-anomalies` to detect unusual patterns by
comparing current traffic to the previous period — traffic spikes, geographic
shifts, new threat activities, or suspicious IP behavior.
- **IP investigation:** When you identify a suspicious IP (from `analyze-traffic`
or `list-requests`), use `investigate-ip` to get full context: geo location,
ASN, threat intelligence, and the IP's complete request activity on your site.
- **Dry-run validation:** Before promoting a rule from `DRY_RUN` to `LIVE`, use
`get-dry-run-impact` to see exactly how many currently-allowed requests would
be blocked, which IPs are most affected, and a false-positive risk estimate.

## Authentication

The MCP server uses OAuth for authentication. When you first connect from any
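Review bot: The "IP investigation" bullet promises "the IP's complete request activity on your site", but the tools table added in this same file describes investigate-ip as returning the IP's "recent request activity". Pick one; "recent" is the safer wording unless the tool really returns full history. Also, "Call get-security-briefing periodically" under a bullet titled "Daily briefing" is inconsistent with the table's "Designed for daily consumption"; say "daily" in both places.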
Expand Up @@ -38,6 +38,10 @@ Arcjet reduces unwanted bot traffic and gives you more control over what reaches

Combine Arcjet bot protection with other Arcjet features to improve your overall traffic management strategy, such as [rate limiting](/rate-limiting) and [filters](/filters).

Using the MCP server

Use the [Arcjet MCP server](/mcp-server) to monitor bot traffic in real time. Call `analyze-traffic` to see top IPs and denial rates, `get-anomalies` to detect sudden changes in bot patterns, or `get-security-briefing` for a comprehensive overview including threat landscape and recommendations.

In-app bot detection vs network/CDN bot protection
--------------------------------------------------
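Review bot: In this snapshot the tip title "Using the MCP server" comes out as a bare paragraph line, with no heading underline or emphasis, so in the generated llms text it is indistinguishable from body prose and sits oddly between the preceding paragraph and the next heading. The filters snapshot shows the same thing. Consider having the llms.txt renderer emit callout titles as bold text or a "Tip:" prefix so the snapshot reflects the structure of the source .mdx.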

4 changes: 4 additions & 0 deletions tests/llms-txt.test.ts-snapshots/filters-chromium-linux.md
Expand Up @@ -31,6 +31,10 @@ You can also access the `ip` field on an Arcjet decision and handle requests man

See the [VPN & proxy detection blueprint](/blueprints/vpn-proxy-detection) for a concrete example.

Using the MCP server

Filters can also be managed as remote rules via the [Arcjet MCP server](/mcp-server) — no code changes or redeployment needed. Use `investigate-ip` to look up geo, ASN, and threat intelligence for a suspicious IP, then create a filter rule to block it immediately.

How Arcjet filters work
-----------------------

38 changes: 31 additions & 7 deletions tests/llms-txt.test.ts-snapshots/llms-chromium-linux.md
@@ -1,12 +1,18 @@
# Arcjet

Arcjet is the runtime security platform that ships with your AI code. Enforce
budgets, stop prompt injection, detect bots, and protect personal information
with Arcjet's AI security building blocks.
budgets, stop prompt injection, detect bots, and protect personal
information - configured by your agent via MCP, enforced inline in your
application code with real identity and session context.

Arcjet runs server-side. Bot protection advanced client signals are an optional
extra layer of defense. Pricing is based on usage, see https://arcjet.com/pricing

When a developer asks you to add Arcjet security: (1) connect via MCP, (2)
create a site with create-site, (3) get the key with get-site-key, (4) generate
SDK code using the framework patterns below, (5) suggest remote rules for
immediate protection, (6) guide them to inspect requests and adjust.

## MCP Server

Endpoint: `https://api.arcjet.com/mcp`
Expand Down Expand Up @@ -44,6 +50,11 @@ Full documentation: https://docs.arcjet.com/mcp-server
- **Get request details** including headers, rules executed, and decision info.
- **Explain decisions** to understand why requests were allowed or denied.
- **Get site quota** usage and limits for the current billing window.
- **Analyze traffic** patterns, denial rates, top paths, top IPs, and trend vs previous period.
- **Detect anomalies** by comparing current traffic to the previous period — traffic spikes, geographic shifts, new threats, suspicious IPs.
- **Investigate IPs** with geo location, ASN, threat intelligence, and per-site request activity.
- **Get dry-run impact** — see what would happen if dry-run rules were promoted to live (blocked requests, affected IPs, false-positive estimate).
- **Get a security briefing** — comprehensive daily overview combining traffic, threats, anomalies, dry-run readiness, quota, and recommendations.
- **List remote rules** configured for a site.
- **Create remote rules** with DRY_RUN or LIVE mode — no code changes needed.
- **Update remote rules** by replacing the full rule configuration.
Expand All @@ -56,7 +67,11 @@ Full documentation: https://docs.arcjet.com/mcp-server

**Investigate:** list-requests → get-request-details or explain-decision for a specific request.

**Manage remote rules:** list-rules → create-rule (DRY_RUN) → verify with list-requests → promote-rule to LIVE.
**Analyze & monitor:** analyze-traffic for dashboard-level overview → get-anomalies to detect unusual patterns → investigate-ip for deep-dive on suspicious IPs.

**Daily security briefing:** get-security-briefing for a comprehensive overview (traffic, threats, anomalies, dry-run readiness, quota, and recommendations) in a single call.

**Manage remote rules:** list-rules → create-rule (DRY_RUN) → get-dry-run-impact to check impact → promote-rule to LIVE.

**Update/delete rules:** list-rules → update-rule (full replacement) or delete-rule.

Expand All @@ -72,6 +87,13 @@ Remote rules are managed via the MCP server or dashboard — no code changes or
4. `promote-rule` — switch to LIVE to start blocking.
5. `delete-rule` — remove the block once the attack subsides.

## Use cases

- Protecting AI endpoints from cost abuse? → tokenBucket + detectBot (AI Endpoint Abuse Protection)
- Preventing data leaks from AI features? → sensitiveInfo (AI Data Loss Prevention)
- Blocking prompt injection? → detectPromptInjection
- Responding to an active attack? → remote rules via MCP

## Quick start — choose your framework

Each link below directs to the quick start guide with a framework-specific view:
Expand Down Expand Up @@ -1708,10 +1730,12 @@ auto-detects proxy IPs on these platforms.

## Product philosophy

1. Security rules live alongside the code they protect — not in a separate WAF.
2. Rules are testable. Run them in development and production.
3. Arcjet doesn't interfere with your app. Easy to install, no significant
latency, no architecture changes needed.
1. Enforcement runs inline in your application — with access to identity,
route, session, and spend context no proxy can see.
2. Your agent configures protections via MCP. You review and approve.
3. Start in DRY_RUN, verify against real traffic, promote to LIVE.
4. Remote rules let you and your agents respond to attacks immediately — no code
deployment needed.

Find out more at https://docs.arcjet.com/architecture
