MongoDB security for AI agents focuses on collection-level writes, structural changes, and aggregation patterns. FutrixData inspects Mongo operations by type (find, aggregate, updateMany, dropDatabase) and uses explain output to catch collection scans before they ship gigabytes to the agent.
MongoDB risk does not look like SQL. The dangerous operations are collection drops, role grants, aggregation stages that write to other collections ($merge, $out), and unbounded find calls that materialize the whole collection into agent context.
FutrixData parses Mongo operations in both JSON and shell syntax, so db.users.drop() and { "drop": "users" } resolve to the same rule.
| Operation | Default action |
|---|---|
find, aggregate, count | allow |
insertOne, insertMany, updateOne, updateMany, replaceOne, deleteOne, deleteMany | warn |
Cross-collection aggregations ($lookup, $unionWith) | warn |
Aggregations with $merge or $out | require_approval |
renameCollection, collMod, dropIndexes | require_approval |
drop, dropDatabase | block |
createUser, dropUser, grantRolesToUser | block |
For find and aggregate, FutrixData runs explain and checks:
A query that targets an indexed field stays at low risk; the same query with a regex on an unindexed field gets escalated to medium.
events in production; require approval for any users update.$out targeting audit_logs regardless of source.// Agent attempts:
db.users.drop()
// FutrixData response:
{ "ok": false, "risk": "block", "rule": "mongo.drop_collection", "audit_id": "audit_01HQ8N..." }// Agent attempts:
db.events.aggregate([
{ $match: { kind: "purchase" } },
{ $out: "purchases_summary" }
])
// FutrixData response:
{ "ok": false, "risk": "require_approval", "rule": "mongo.aggregate_writes_other_collection" }Yes. FutrixData connects via the standard MongoDB driver, so anything the driver supports — replica sets, sharded clusters, MongoDB Atlas — works the same way. Rule evaluation runs in FutrixData; explain probes use the same connection as the real query.
Aggregations and finds containing $where are flagged at warn or higher. The rule is configurable per collection — you can hard-block $where against production sources while allowing it on dev.
Yes. Scope can be a database type (all MongoDB), a specific data source instance (just prod-mongo), or a specific collection. Rules with more precise scope outrank broader ones.
Yes. FutrixData treats Atlas like any other MongoDB endpoint — connection string in, masked results out. Atlas IP allowlists need to include the FutrixData host (or, for self-hosted, your network egress).
Static rule evaluation is microseconds. Explain probes add one extra round-trip on reads where the access path matters. Writes are evaluated statically — no probe.
Free desktop app on macOS, Windows, and Linux. Self-hosted Enterprise Edition for production deployments.