Updated
Runlayer and Harbor are competitors when the buyer wants a governed tool surface for agents. Runlayer's distinguishing surface is MCP-security-first marketing — tool poisoning, OWASP MCP Top 10, Dynamic Client Registration, OAuth CIMD. Harbor's distinguishing surface is workspace tenancy plus an all-in-one agent execution layer: typed `hrbr exec`, workspace tools, credentials, state, artifacts, jobs, apps, workflows, and run / trace audit as first-class product objects. Pick by whether MCP-security governance or workspace-tenanted execution is more load-bearing for your team.
Runlayer is an enterprise MCP control plane whose 2026 headline framing is "Enterprise MCPs, Skills, & Agents," with marketing organised by Security, IT, and Engineering personas. The public surface speaks the OWASP MCP Top 10, tool poisoning, Dynamic Client Registration, and OAuth CIMD, layered with threat detection, fine-grained permissions, and observability for connecting AI agents to a large curated MCP-server catalogue. The vocabulary is aimed at security-conscious enterprise buyers who want the MCP layer to come with named threat coverage rather than a generic auth story.
Harbor leads on workspace tenancy as the top-level isolation primitive, a Cloudflare-native runtime substrate (Workers + D1 + KV + R2 + Vectorize + Workflows + Durable Objects), a typed `hrbr exec` execution layer, and run / trace history for inspecting workspace executions. Durable workflow primitives — step.do, step.sleep, step.waitForEvent — can route step-based exec paths through the Workflows lane.
Runlayer leads when your security review treats MCP-threat-model vocabulary as load-bearing and when the procurement audience spans Security, IT, and Engineering rather than a developer-only buyer. If your buyer recognises and asks about OWASP MCP Top 10, DCR / RFC 7591, OAuth CIMD, or named MCP attack classes (tool poisoning, rug pulls, prompt injection), and wants a vetted MCP-server catalogue with built-in security scanning, Runlayer's positioning is a closer match to that procurement shape than Harbor's runtime-first framing.
Where a winner is indicated, it reflects Harbor's view of which fit is better for an AI-agent control-plane use case. Where neither cell has a marker, the choice depends on context.
| Attribute | Harbor | Runlayer |
|---|---|---|
| Workspace tenancyHarbor: apps/api schema. Runlayer: runlayer.com | Harbor's pick: Harbor.Workspace is the top-level isolation primitiveevery plugin connection, OAuth grant, run, and trace is bound to a workspace_id | Not publicly disclosedverify Runlayer’s current account / project / tenant model on runlayer.com docs before quoting |
| MCP server hosting modelHarbor: CLAUDE.md "MCP Mental Model". Runlayer: runlayer.com | Harbor's pick: tie.Consumes third-party MCP servers; exposes a protected Harbor MCP endpointmcp.tryharbor.ai/mcp advertises protected-resource metadata; Harbor also installs third-party MCP servers as plugins | Harbor's pick: tie.Positioned explicitly as an MCP control planeRunlayer markets a hosted MCP surface; confirm the exact set of supported modes (consume / proxy / expose) on runlayer.com |
| Integration / plugin countHarbor: registry catalog (build-time). Runlayer: runlayer.com | 149 registry entries / 135 unique provider familiesderived at build time from packages/sdk/registry-catalog/data/v1/catalog.json | Not publicly disclosedverify whether Runlayer publishes a public connector / tool count on runlayer.com before quoting a number |
| Deployment modelHarbor: apps/api Cloudflare Workers deploy. Runlayer: runlayer.com | Hosted onlymanaged tryharbor.ai; first-party self-host is on the Enterprise roadmap | Not publicly disclosedverify whether Runlayer offers self-host or hosted-only on runlayer.com |
| Runtime substrateHarbor: apps/api/wrangler.jsonc. Runlayer: runlayer.com | Harbor's pick: Harbor.Cloudflare Workers + D1 + KV + R2 + Vectorize + Workflows + Durable Objectsapps/api on Workers; runs persisted to D1; credential state is KV-backed | Not publicly disclosedRunlayer runs a managed cloud product; the underlying substrate is not stated on runlayer.com |
| OAuth modelHarbor: apps/api/src/plugins/oauth/. Runlayer: runlayer.com | Workspace-scoped grants and policy checksauthorization above the provider consent screen; tokens bound to workspace_id, not user profile | MCP-security-shaped grantsRunlayer markets MCP-security depth (Dynamic Client Registration, OWASP MCP Top 10, OAuth CIMD); confirm the per-tool / per-server granularity on runlayer.com |
| OSS licenseHarbor: github.com/zonko-ai. Runlayer: runlayer.com + github.com | SDK public on github.com/zonko-ai/harbor-sdkcontrol plane closed source | Not publicly disclosedcheck github.com for a public Runlayer org / repos before classifying OSS posture |
| Pricing modelHarbor: tryharbor.ai/. Runlayer: runlayer.com | Free + Workspace + Enterprise tiersWorkspace tier usage-based units not yet priced publicly | Not publicly disclosedverify whether Runlayer publishes self-serve pricing or contact-sales only on runlayer.com |
| Observability surfaceHarbor: apps/api/src/plugins/worker/. Runlayer: runlayer.com | Harbor's pick: Harbor.Runs + spans + workspace-scoped history, persisted to D1exec paths create runs with spans for query and inspection | Not publicly disclosed as a first-class product objectverify whether Runlayer surfaces runs / traces as a product object on runlayer.com |
| Identity & inbound authHarbor: WorkOS dashboard + apps/api auth routes. Runlayer: runlayer.com | Harbor's pick: tie.WorkOS / AuthKit for web sign-in; protected metadata for inbound MCPSAML / OIDC / SCIM available via WorkOS on Enterprise | Harbor's pick: tie.OAuth 2.1 + DCR for inbound MCP (per marketing)Runlayer markets Dynamic Client Registration and OAuth CIMD for MCP; confirm SAML / OIDC / SCIM dashboard auth and tier availability on runlayer.com |
| Sandbox / execution isolationHarbor: apps/api/src/plugins/worker/. Runlayer: runlayer.com | Harbor's pick: Harbor.Cloudflare codemode Worker isolate, separate from the Harbor API Workerprovider tokens are never exposed to executing code; credentials are dispatched host-side | Not publicly disclosedverify Runlayer’s isolation model and token-exposure behaviour on runlayer.com |
| Durable workflow supportHarbor: harbor-workflows skill. Runlayer: runlayer.com | Harbor's pick: Harbor.step.do / step.sleep / step.waitForEvent via hrbr exec → Cloudflare Workflowsauto-routed to the Workflows lane when hrbr exec uses step.*; survives the 30s synchronous cap | Not publicly disclosedverify durable-execution primitives on runlayer.com |
| Public docsHarbor: docs.tryharbor.ai. Runlayer: runlayer.com | Harbor's pick: Harbor.docs.tryharbor.ai with concept docs, guides, recipes; llms.txt publishedllms.txt is live; verify any expanded LLM docs when they ship | runlayer.com with marketing + MCP-security contentrecord docs subdomain (if any) and llms.txt presence at edit time |
Source · Harbor cells grounded in this repository (routes, schemas, registry catalog, and runtime bindings). Runlayercells grounded in the competitor's own public site and docs at www.runlayer.com. Cells we could not verify from a primary source are marked “Not publicly disclosed” rather than guessed.
Runlayer is an MCP control plane with security-heavy positioning. Its public surface leads on MCP-domain vocabulary that other vendors do not match: tool poisoning, rug pulls, prompt injection, the OWASP MCP Top 10, Dynamic Client Registration, OAuth CIMD. The intended buyer is a security-conscious team that wants the MCP layer to come with named threat coverage rather than a generic auth story.
Specific advisor disclosures, named customers, pricing, and any self-host / OSS posture should be re-verified directly on runlayer.com at edit time with the page URL and capture date, rather than asserted from memory.
Harbor is shape-similar to Runlayer because both sit between agents and connected tools, but differs on three structural axes. First, runtime substrate: Harbor is Cloudflare-native — Workers for compute, D1 for runs and spans, KV-backed credential storage, R2 for artifacts, and Workflows for step-based execution paths. Second, execution layer: Harbor exposes server-side TypeScript execution with workspace tools and `orbit.*` runtime primitives (`hrbr.storage`, `hrbr.cache`, `hrbr.db`, `hrbr.ai`, `hrbr.tools`, `hrbr.jobs`), intended for agents that write typed code rather than chain individual MCP tool calls through the model context.
Third, observability: exec requests create run and span records for tool calls, runtime output, plugin dispatch, and orbit access where applicable; runs are queryable as product objects, not just log lines.
Pick Harbor when workspace tenancy is the right abstraction: connections, OAuth state, runs, artifacts, jobs, apps, workflows, and traces belong to a workspace and not only to a person. Pick Harbor when Cloudflare-native operational characteristics matter — KV-backed credential storage, runs in D1, workflow-routed step paths, isolated exec — and when you want a typed code-mode execution layer rather than a sequence of MCP tool calls.
Pick Harbor when run / trace history as a first-class product object is load-bearing, especially queryable execution records tied to workspace context.
Pick Runlayer when MCP-security-first marketing is procurement-critical and you need a vendor whose pages already speak the OWASP MCP Top 10 / DCR / OAuth CIMD vocabulary. If your buyer reads a Runlayer page and recognises the threat-model framing, that is a real advantage Harbor has not yet matched on the marketing surface.
Pick Runlayer when its specific MCP-threat coverage is more aligned with your security review than Harbor's workspace-tenanted runtime model.
Yes. Harbor can consume third-party MCP servers as plugins, including Runlayer-hosted ones if they're exposed over the standard MCP protocol. A team that wants Runlayer's security-first posture on one set of integrations and Harbor's workspace-scoped exec on another can run both and let them meet at the MCP boundary.
The reverse direction depends on the Runlayer-side client's support for Harbor's protected MCP endpoint and OAuth flow; verify that path end-to-end before treating it as a production integration.
These are the competitor-owned pages used to ground this comparison. We link primary sources instead of copying unsupported market claims.
Used only as security vocabulary context; verify Runlayer-specific claims on Runlayer-owned pages.
See pricing or review Harbor's security posture.