# Discovery and Metrics

This guide walks administrators through the **Discovery** experience in Highflame Studio: what coding assistants, MCP servers, tools, and skills are in use across the organization, who is using them, and how to use that picture to drive policy.

Code Agent Control Plane is built around a simple principle: **discover first, then govern**. Before you write a single policy, Discovery shows you exactly what your developers are doing — and what's connecting to your network through their AI assistants — so the policies you ship are grounded in observed behavior, not assumptions.

***

## Discovery Page

Open **Studio → Code Agents → Discovery**. The page has three sections:

1. **Summary metrics** — at-a-glance counts across the organization.
2. **Activity and risk charts** — usage timelines and a top-threat snapshot.
3. **Detail tables** — MCP Servers and Agent Skills, with the ability to expand, filter, and drill in.

### Summary metrics

Six KPI cards across the top answer the questions administrators ask first:

<table><thead><tr><th width="200">Metric</th><th>What it tells you</th></tr></thead><tbody><tr><td><strong>Servers discovered</strong></td><td>Total number of MCP servers connected to from any developer's IDE in the organization.</td></tr><tr><td><strong>Tools discovered</strong></td><td>Total number of distinct tools exposed by those servers. A single server typically exposes many tools.</td></tr><tr><td><strong>Total Scans</strong></td><td>How many security scans Overwatch has run against discovered MCP servers, with a sub-count of failed scans and detected threats.</td></tr><tr><td><strong>MCP Calls</strong></td><td>Number of tool invocations made through MCP, with a sub-count of how many were blocked by policy.</td></tr><tr><td><strong>Vulnerable Users</strong></td><td>Number of users connecting to MCP servers that have at least one open security issue.</td></tr><tr><td><strong>Agent Skills</strong></td><td>Number of agent skills observed, with sub-counts for unique skills and unique users invoking them.</td></tr></tbody></table>

Together these answer the foundational questions: *What is connecting? How risky is what's connecting? How widely is it being used? And where are the users that need attention?*

### Charts

Below the KPI row, Discovery shows a series of visual breakdowns:

* **Server Activity** and **MCP Usage Timeline** — how connections and tool calls trend over time.
* **Scan Activity** — when servers were scanned and what the scans found.
* **Server Overview** and **Tool Exposure** — distribution of servers and tools by usage and risk.
* **Top Threats** and **Highest Risk** — the specific servers, tools, and threat categories that need attention first.

### MCP Servers tab

The **MCP Servers** tab lists every MCP server Overwatch has seen. You can flip the view between two perspectives:

* **Group by Server** — one row per server, showing how many users connect to it.
* **Group by Users** — one row per user, showing how many servers each developer has connected to.

In **Group by Server** mode, the columns are:

<table><thead><tr><th width="140">Column</th><th>Description</th></tr></thead><tbody><tr><td><strong>Server</strong></td><td>Server name and identifier.</td></tr><tr><td><strong>Users</strong></td><td>How many distinct developers have connected to it. A high number means the server is shared; a low number means it's used by a small group.</td></tr><tr><td><strong>Tools</strong></td><td>How many tools the server exposes. Useful for gauging scope and blast radius.</td></tr><tr><td><strong>Scans</strong></td><td>How many security scans have run against this server.</td></tr><tr><td><strong>Threats</strong></td><td>How many open threat findings exist for this server. Click to see severity breakdown.</td></tr><tr><td><strong>Code Agent</strong></td><td>Which AI assistant(s) connect to this server (Cursor, Claude Code, Copilot, etc.). A server can appear with multiple agents.</td></tr><tr><td><strong>Last Scanned</strong></td><td>When the most recent scan ran. Older timestamps are worth re-scanning.</td></tr></tbody></table>

Click any row to open a **detail panel** with the full scan output, exposed tool list, severity-tagged issues, and per-user connection history. From the detail panel you can disable a server organization-wide if it's compromised — see [Threat Response](/code-agents/threat-response.md#how-to-disable-a-specific-mcp-server-from-the-console).

### Agent Skills tab

The **Agent Skills** tab covers the other side of agent extensibility: skills (custom agent behaviors and toolkits) that developers have installed and invoked. The page shows charts and a data table with unique skills, the users running them, and where they came from. Use this view to spot unsanctioned skills before they spread.

***

## Turning Discovery into Policy

Discovery is the input to policy, not the end of the workflow. Once you understand what's running, the typical path is:

| Question                                             | Where to look                                                       |
| ---------------------------------------------------- | ------------------------------------------------------------------- |
| Which MCP servers and tools are in use, and by whom? | Discovery → MCP Servers tab (toggle between Group by Server/Users). |
| What custom skills are developers installing?        | Discovery → Agent Skills tab.                                       |
| What's our risk posture? What needs attention first? | Discovery → KPI row + Top Threats and Highest Risk cards.           |
| How is each code agent being adopted across the org? | Code Agents → Agent Usage.                                          |
| Which events were allowed or denied, and why?        | Code Agents → Threats (events list and filters).                    |
| Which command patterns are most common?              | Code Agents → Command Analysis.                                     |
| Who did what in a given session?                     | Code Agents → Sessions.                                             |
| Configure rules for what we've discovered?           | Code Agents → Policies (define) and Playground (test).              |

For cross-product correlation — connecting code agent activity with gateway traffic, browser policy events, or other agent activity for the same user — see [Observatory](/observatory/observatory.md). The [Tools & Agents](/observatory/tools-and-agents.md) view in Observatory provides a unified tool inventory across all Highflame products, including MCP servers routed through Agent Gateway.

***

## What's Next

* [Code Agent Policies](/code-agents/setting-up-policies.md) — define and deploy guardrails based on what you discovered
* [Threat Response](/code-agents/threat-response.md) — triage threats as they come in
* [Observatory](/observatory/observatory.md) — correlate code agent activity with other surfaces


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.highflame.ai/code-agents/discovery-and-metrics.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.