Give your AI agents the infrastructure context they’ve been missing.
Install the AO Toolkit on your infrastructure. Our cloud maps it, tags it, learns it. Your
agents query our MCP and get enriched context — not raw API output.
SOC 2 in progress · Outbound-only Toolkit · MCP-native · SSO / SCIM / SIEM
The architecture
One gateway between your agents and your stack.
Every agent MCP request flows through AO Cloud. Policy, audit, on-demand diagnostics, and
enriched context are applied once — then the call lands on the right system, with the right
identity, every time.
Your agents
Claude Code
Cursor
Windsurf
LiteLLM
Codex
Zed
Custom SDK
AO Cloud + MCP
Gateway
Scoped policies
Approval gates
Audit trail
SIEM export
SSO · SAML · SCIM
Outbound-only Toolkit
Enriched context
On-demand diagnostics
Your stack
Toolkits, on your infra
Cloud · Kubernetes · Data centers · Edge
Observability + data
Datadog · Grafana · Snowflake · Postgres
Workflow + alerts
Slack · PagerDuty · Linear · GitHub
Agent → AO Cloud + MCP → Your stack
One pipeline
Telemetry up, diagnostics down — same outbound channel. No inbound holes on your infra.
One audit trail
Every tool call from every agent lands in one audit log. Export to your SIEM.
One policy set
Read-only by default. Writes route through your existing approval flow.
One runtime
Retries, backoff, streaming, caching — all handled before the request leaves our edge.
Wired into the systems your operators already trust
AWS
GCP
Azure
Kubernetes
Datadog
Grafana
Snowflake
Postgres
GitHub
GitLab
PagerDuty
Linear
Slack
Stripe
Vercel
Cloudflare
HashiCorp
Terraform
What you get
One toolkit. Every tool an agent could ever ask for.
AO replaces the dozen brittle “agent integrations” you would otherwise build, audit, and
maintain forever.
01
AO Toolkit, wherever your infrastructure lives
Install the lightweight Toolkit anywhere you run infrastructure — cloud, Kubernetes clusters, data centers, offices, edge. It auto-discovers your stack, exposes the tools your agents will need, and creates a secure outbound connection back to Automated Operations. No inbound holes in your network.
02
AO Cloud maps your world
Telemetry from every Toolkit deployment streams into AO Cloud, where we aggregate, map, tag, and learn the relationships across your infrastructure. Services, owners, deploys, dependencies, error patterns — assembled into a live model of how your systems actually work.
03
Enriched context, not raw API output
Your agent doesn't get the output of `kubectl get pods`. It gets: "api-prod-3 is in checkout, owned by team-payments, deployed via PR #2843 yesterday, OOM-killing on the new deserialization path." When the agent needs deeper signal, the MCP pulls fresh diagnostics on-demand from the Toolkit and joins them into the same answer.
04
Default-deny, tag-scoped policy
A full roles-and-policies model with three explicit effects on every action — ALLOW, DENY, REQUIRE_APPROVAL. Policies pin to your toolkit tags, so production hosts hit the approval queue while staging stays read-only; a Finance role can read billing but never reach a shell — shape it to whatever access model your org already runs. Every call carries the human and agent session that made it. SSO / SCIM for identity; SIEM export for the audit trail.
05
Works with every agent
Native MCP for Claude (Code, Desktop, API), Cursor, Windsurf, Codex, Zed, VS Code. Shims for OpenAI tool-calling and Google Vertex. LiteLLM proxy support. One endpoint, every agent surface — without rewriting them.
06
Milliseconds, not minutes
Your stack is already modeled in AO Cloud — graph reads return in milliseconds. On-demand diagnostics pull fresh data from your Toolkit and return as soon as the underlying tool does — no extra hops, no SaaS rate-limits between your agent and the answer.
How it works
From zero to operating in an afternoon.
Three layers, one outcome. Toolkit on your infra, model in our cloud, MCP for your agents —
no inbound holes, no SOW, no six-month rollout.
01
Deploy the Toolkit
Install the AO Toolkit anywhere you run infrastructure — cloud, Kubernetes, data centers, offices, edge. It creates a secure outbound connection back to Automated Operations. Read-only discovery inventories your stack in minutes.
02
AO Cloud learns it
Telemetry flows from every Toolkit into AO Cloud. We aggregate across your fleet, map service relationships, tag ownership, and build a live model of how your systems actually work.
03
Connect your agent
Point Claude, Cursor, Codex, or any MCP-compatible client at our MCP endpoint. One URL, one bearer token. Tools come from your Toolkits — answers come from the enriched cloud model.
04
Operate with context
Triage incidents, ship infra changes, answer "why is prod slow" in natural language. Your agents finally see what your senior engineers see.
Drop-in
Three lines from zero to a context-aware agent.
Point your agent at our MCP endpoint. The cloud serves enriched answers from whatever your
Toolkits report. Auth, policy, retries, streaming, and audit are handled before the
request leaves our edge.
Works in Claude Code, Cursor, Windsurf, Codex, Zed, VS Code, LiteLLM
Same endpoint for production agents and developer agents
Every team gets the same enriched context, the same audit trail, the same approval gates.
Different workflows, one platform.
SRE
01 / 04
Incident triage in seconds, not hours
Your on-call agent receives the paging_alert with the affected Service, its most recent deployment, and any open incident_transition already joined. It proposes a rollback before a human joins the call.
Platform
02 / 04
Self-service infra without the ticket queue
Developers ask in natural language: "give me a staging Postgres." Tag policy says env=prod writes require approval; env=staging auto-allows. The agent runs your blessed Terraform unblocked, opens the PR, and posts the connection string.
FinOps
03 / 04
Live cost answers tied to real workloads
Stop screenshotting cost dashboards. AO aggregates config_change and infra_change events across cloud + Kubernetes, joined to the Services they affect. The agent answers "where did spend grow this week and why" against one model — not three CSV exports.
Security
04 / 04
Continuous posture, not quarterly audits
Verified domains. SSO via SAML or OIDC. Every tool call carries the human and agent session that made it. Time-bound staff access with written reason and expiry. Your SOC 2 evidence is the audit log — already exportable to your SIEM.
Built for serious teams
Trust isn’t a checkbox. It’s how the platform is wired.
Read-only by default. Approvals route through your on-call tools. Every action recorded.
Toolkit channel is outbound-only and mutually authenticated — no inbound listener on your
infrastructure, ever.
01
Policy
Read-only by default. Writes go through policy.
Three explicit effects on every action — ALLOW, DENY, REQUIRE_APPROVAL. Policies pin to toolkit tags, so production hosts hit the approval queue while staging stays read-only. A Finance role can read billing but never reaches a shell.
02
Approvals
Approvals route through your on-call tools.
When a write hits REQUIRE_APPROVAL, the request lands in Slack, PagerDuty, or Linear — whatever your team already runs. The approver, timestamp, and reason are recorded in the audit log before the call ever executes.
03
Audit
Every action recorded. Every action exportable.
Every tool call from every agent lands in one audit log: user, timestamp, action, resource, approval grant. Pipe it straight into your SIEM the moment it lands. No buffering, no batching, no "we’ll get you the logs next quarter."
04
Network
Outbound-only Toolkit. Mutually authenticated.
The Toolkit opens one mTLS channel out to AO Cloud and that’s it — no inbound listener, no public port, no service exposed on your infrastructure. Certificates are short-lived and rotate automatically, so a stolen credential expires before it can be used. Telemetry up and on-demand diagnostics back both travel the same authenticated tunnel.
SSO · SAML · SCIM · mTLS · Short-lived certs · SIEM export · Audit trail · Outbound-only Toolkit · SOC 2 in progress
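A minimal sketch of the default-deny, tag-scoped evaluation and the audit record described in the Policy, Approvals and Audit items above. It is an added example, not AO's code or policy format: the rule schema, role names, tag names and the most-restrictive-wins precedence are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

ALLOW, DENY, REQUIRE_APPROVAL = "ALLOW", "DENY", "REQUIRE_APPROVAL"
PRECEDENCE = [DENY, REQUIRE_APPROVAL, ALLOW]  # assumption: most restrictive match wins

@dataclass(frozen=True)
class Rule:
    role: str
    action: str
    tags: frozenset  # every tag listed here must be present on the target toolkit
    effect: str

# Constructed sample policy (hypothetical roles and tag names).
RULES = [
    Rule("sre", "read", frozenset(), ALLOW),                          # read anywhere
    Rule("sre", "write", frozenset({"env=prod"}), REQUIRE_APPROVAL),  # prod writes queue
    Rule("finance", "read", frozenset({"domain=billing"}), ALLOW),
    Rule("finance", "shell", frozenset(), DENY),
]

def evaluate(role, action, target_tags, rules=RULES):
    """Return the effect for one call; no matching rule means DENY (default deny)."""
    matched = {r.effect for r in rules
               if r.role == role and r.action == action and r.tags <= target_tags}
    return next((e for e in PRECEDENCE if e in matched), DENY)

def call_tool(session, action, target_tags, audit, approval=None):
    """Policy-check one tool call, append its audit entry, return True if it may run."""
    effect = evaluate(session["role"], action, frozenset(target_tags))
    granted = effect == ALLOW or (effect == REQUIRE_APPROVAL and approval is not None)
    audit.append({
        "user": session["user"], "agent": session["agent"],
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "action": action, "resource": sorted(target_tags),
        "effect": effect,
        "approval": approval if effect == REQUIRE_APPROVAL else None,
        "executed": granted,
    })  # the entry is written before the caller is allowed to run the tool
    return granted
```

Staging writes are denied here only because no rule matches them, which is the property to test for when reviewing any default-deny policy set.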
Integrations
Every agent surface. Every system that matters. One connection.
Agents plug in through MCP. AO Cloud joins your fleet into one model and serves enriched
context back. Approval gates, audit, policy — all handled once, applied to every call.
New · Spotlight
Kubernetes, modeled.
Deploy the AO Toolkit as a DaemonSet. It watches every Kubernetes resource that matters
and stitches each pod back to its host via a stable host identifier. Workloads become
Service nodes. Jobs become ScheduledTasks. The agent sees the same shapes regardless of
substrate — Kubernetes, VMs, or bare metal — so it never reasons about which stack the
workload happens to run on.
Stop describing your infra to your agents. Hand them the keys, safely.
Join the private beta. We will scope an integration with you and have a working MCP
endpoint live this week.
Questions, answered
Frequently asked.
Is this another agent, or a layer underneath them?
A layer. AO is the connective tissue between your existing agents (Claude, Cursor, your in-house ones) and your existing infrastructure. We do not replace your agent — we make it useful.
Where do the different parts live?
The AO Toolkit runs on your infrastructure — cloud, Kubernetes clusters, data centers, offices, anywhere you run servers — and creates a secure outbound connection back to Automated Operations. AO Cloud (where aggregation, mapping, learning, and the MCP server live) is hosted entirely by us. Your agents connect to our MCP at mcp.automatedoperations.com.
What does 'enriched context' actually mean?
When your agent calls a tool, AO does not just proxy a raw API. The cloud joins the response against everything else it knows — service ownership, recent deploys, related alerts, dependency graphs, billing context, similar past incidents. Your agent gets one coherent answer instead of five raw blobs to reason over.
Can agents pull fresh diagnostics on demand?
Yes. When the MCP needs deeper signal than the cloud has cached, it requests it on-demand from the AO Toolkit running on your infrastructure. The set of available diagnostic tools is configurable per environment and grows over time. Requests flow back down the same outbound channel the Toolkit opened, so there is still no inbound network exposure on your infra.
How is this different from writing my own MCP server?
You can absolutely write your own. AO is what you build if you keep going for 18 months: a hardened collection agent, dozens of integrations, an aggregation pipeline, a tagging and ownership model, fine-grained policy, audit, caching, secrets handling, and an MCP server you trust to be on the agent hot path.
What about security and access control?
Default deny. Read-only by default. Every tool call is policy-checked and logged. Approvals route through your existing on-call tooling. Policies scope to toolkit tags — production hits the approval queue, staging is read-only, a Finance role can read billing but never reach a shell. SSO / SAML / SCIM, IP allowlists, and audit export to your SIEM. The Toolkit only opens outbound connections — no inbound listeners on your infra.
Which models and agents work today?
Anything that speaks MCP works out of the box: Claude (Code, Desktop, API), Cursor, Windsurf, Codex, Zed, VS Code. LiteLLM proxy support, plus shims for OpenAI tool-calling and Google Vertex if you are not on MCP yet. Per-client config snippets at /mcp.
How do I get started?
Hit "Get Started" — we will set up a 20-minute call, scope an initial Toolkit deployment, and give you a working MCP endpoint against a sandbox slice of your infra the same week.