STACK vs. Stacklok
Stacklok and STACK answer different questions. Stacklok asks: how do I run MCP servers safely in my Kubernetes cluster? STACK asks: how do I keep an agent inside its lane while it executes, wherever the MCP servers live? The right question for you depends on which trust anchor you treat as primary.
Trust anchor: pod, not agent
Stacklok's trust anchor is the pod. ToolHive (Apache 2.0 open source, with a hardened commercial version on top) deploys each MCP server inside its own Kubernetes namespace, and the cluster does the isolation work: namespace boundaries, network policies, service accounts, claims-based JWT authorization. Observability runs through OpenTelemetry on a pipeline the customer already operates. The product is built by people with deep Kubernetes pedigree, and it shows in the architecture choices. If your security model already gates at the pod boundary, ToolHive (stacklok.com) slots in cleanly.
STACK's trust anchor is the agent. The passport carries intent and scope. The proxy re-checks scope on every outbound call. Detectors fire on the call payload: prompt injection, output exfiltration, scope drift, behavioral anomaly. The audit log records each action against the agent's identity in a hash-chained, per-tenant chain that's externally verifiable. Your agents can run on a laptop, a managed runtime, or a Kubernetes cluster sitting next to ToolHive, and the gate STACK provides moves with them.
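The per-call scope re-check and hash-chained audit trail described above, as an added sketch that is not STACK's code or log format. The record fields, the passport dictionary, the all-zero genesis value and every function name are assumptions made for illustration.

```python
import hashlib
import json

# Illustrative record layout only; not STACK's actual log format.
GENESIS = "0" * 64  # assumed anchor for the first record of a tenant chain


def _digest(prev_hash, body):
    # Canonical JSON so any verifier recomputes byte-identical input.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditChain:
    """Append-only log for one tenant; each record commits to its predecessor."""
    def __init__(self, tenant):
        self.tenant, self.records = tenant, []

    def append(self, agent_id, tool, decision):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"tenant": self.tenant, "seq": len(self.records),
                "agent": agent_id, "tool": tool, "decision": decision}
        self.records.append({**body, "prev": prev, "hash": _digest(prev, body)})
        return self.records[-1]["hash"]


def gate_call(chain, passport, tool):
    """Re-check passport scope on every call; log the outcome either way."""
    decision = "allow" if tool in passport["scope"] else "deny"
    chain.append(passport["agent"], tool, decision)
    return decision == "allow"


def verify(records, tenant, expected_head=None):
    """Check exported records alone; return (ok, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: rec[k] for k in ("tenant", "seq", "agent", "tool", "decision")}
        if (rec["tenant"] != tenant or rec["seq"] != i or rec["prev"] != prev
                or rec["hash"] != _digest(prev, body)):
            return False, i
        prev = rec["hash"]
    # A truncated tail is still a valid chain, so compare against a head hash
    # the verifier stored out of band.
    if expected_head is not None and prev != expected_head:
        return False, len(records)
    return True, None
```

Edits, deletions and reordering break the chain at the first affected record; dropping records from the end is only caught when the verifier holds a previously recorded head hash.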
What you actually decide between
The decision isn't usually between equivalent products. It's between operating models.
If you have a Kubernetes platform team and self-hosting on your own infrastructure is the goal, ToolHive is built for you. Apache 2.0 covers procurement teams that won't accept closed-source SaaS. The pod-shaped boundary lets you route everything through observability and policy infrastructure you already operate. The catch is that you're operating Kubernetes: pod restarts, namespace boundaries, OTel pipelines, the works.
STACK is the inversion. Managed SaaS that ships in 30 seconds with one MCP install command, no cluster to operate, no Apache 2.0 license to procure, no observability pipeline to maintain. The trade is that you're trusting our managed-SaaS guarantee for the gate, and the architectural boundary is the agent rather than the pod.
STACK also adds a runtime-detector layer at the proxy boundary, a hash-chained, externally verifiable audit log, and a public clause-by-clause mapping to EU AI Act Article 14. Stacklok's authorization is claims-based and rate-limited at the MCP-tool level. They're solving different problems at different layers, and the choice between them tracks the choice between operating models more than the choice between feature lists.
If your trust anchor is the pod and you can run Kubernetes, ToolHive. If your trust anchor is the agent and you'd rather not run Kubernetes, STACK.
Last reviewed 2026-05-09. Stacklok claims sourced from stacklok.com, the ToolHive docs, and the public ToolHive GitHub repository.