Launch HN: Traceforce (YC S26) – Company-wide security monitoring for AI apps

Startup says it can watch your office AI tools — commenters instantly start a turf war

TLDR: Traceforce wants to help companies watch how workplace AI tools behave and stop risky actions before they cause damage. Hacker News immediately turned it into a fight over whether this is a genuinely new safety layer or just one more piece of software watching employees while bigger rivals do the same thing.

A new Y Combinator startup, Traceforce, showed up on Hacker News with a big promise: help companies see what employee AI tools are doing on work devices before something embarrassing, expensive, or catastrophic happens. The pitch is basically, “Let people use ChatGPT and friends, but give security teams a panic button.” The founders say they’re already on more than 1,000 devices and can catch risky behavior like exposed secrets or an AI assistant trying something destructive.

But the real show was in the comments, where the crowd immediately split into two camps: “finally, someone gets the problem” and “isn’t this just another layer of corporate spyware?” One skeptical commenter came in swinging, saying major security products already do this and calling another device monitor a total non-starter. Another piled on with the classic startup doom forecast: if the giant incumbents can copy it and newer rivals are already sprinting ahead, what exactly is the moat here?

Still, not everyone was throwing tomatoes. One supporter popped in with launch-day congratulations, while another brought the most deliciously nerdy horror story of the thread: an add-on that quietly nudged the AI to favor its own search tool. Not a hack, not a leak — just sneaky behavior hidden in the fine print. That’s where Traceforce’s argument landed best: maybe the scariest AI risks aren’t dramatic movie-villain attacks, but subtle, weird little manipulations nobody notices until it’s too late.

Key Points

  • Traceforce launched a product that monitors AI applications on company devices and maps their connections to MCPs and tools.
  • The system is installed as a lightweight binary and browser extension, then sends live device data to a dashboard for real-time monitoring and controls.
  • Traceforce says it collects metadata and telemetry by default, performs optional content inspection locally on-device, and does not store prompts unless administrators explicitly enable it.
  • The company built an open-source tool, mcp-xray, to pentest MCPs and detect vulnerabilities.
  • Traceforce reports deployment across more than 1,000 devices at 10 organizations and says it has helped identify plaintext secrets, prevent API key leaks, and warn against destructive commands.

Hottest takes

"All EDR providers have this capability now" — bitlad
"install another EDR along with this is a no-go" — bitlad
"vendor steering agent behavior in a way you only notice if you read the raw tool definitions" — belschak
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.