Cursor Enterprise: Security Hardening
Cursor and your team share responsibility: Cursor secures the platform, you configure how it is adopted. The controls you own group into identity and access, privacy and data, agent runtime limits, steering and extensibility, and monitoring. The fastest path is the admin quickstart - enforce Privacy Mode org-wide, set Run Mode to Auto-review with sandboxing, distribute hooks, apply network allowlisting and lock identity with SSO and SCIM - then layer best-effort guardrails with deterministic ones for defense in depth.
Who is responsible for securing a Cursor deployment?
Responsibility is split. Cursor builds, secures and operates the platform; you decide how to configure and adopt it for your environment. The table below sorts what Cursor commits to from the levers you configure, so you know which controls are yours to set.
| Side | What it covers |
|---|---|
| Cursor handles | Platform security, encryption, infrastructure, certifications and the contractual commitments documented in the Trust Center |
| You configure | Identity, privacy enforcement, agent controls, extensibility trust and monitoring |
For Cursor's own posture, see the Trust Center, Security page and Data Use policies.
Pair best-effort guardrails (Auto-review, allowlists, .cursorignore) with deterministic ones (approvals, hooks, sandboxing) rather than relying on a single layer. Most enforcement levers - org-wide policies, MDM, SIEM streaming - are Enterprise features set in the team dashboard or through MDM. Per-user controls such as .cursorignore and Run Mode defaults apply more broadly.
What should an admin configure first?
Cursor's admin quickstart is the order to work in. It starts with the controls that keep your code out of training data and bound what agents can do, then moves to identity, model access and audit. Cursor frames the steps below as the ones to do first.
1. Enforce Privacy Mode (Cursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code) org-wide so members can't disable Privacy Mode or its zero data retention guarantees for Cursor-routed models.
2. Set the org Run Mode policy to Auto-review (not Run Everything) and enable sandboxing.
3. Distribute hooks for enforcement and logging across the team.
4. Apply network allowlisting and exclude Cursor domains from SSL inspection; set Cloud Agent network egress if you use Cloud Agents (agents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop).
5. Lock identity with SSO (Single Sign-On: one company login, usually via SAML or OIDC, instead of a separate password per tool), SCIM (System for Cross-domain Identity Management: a standard for automatically creating and removing user accounts when people join or leave) and Allowed Team IDs (MDM); restrict extensions, set an install cooldown and keep clients on a supported version.
6. Decide which models your org allows and restrict the rest; restrict personal API keys (BYOK) if you rely on Cursor's ZDR (Zero Data Retention: a contractual guarantee that the model provider won't store your code or train on it) agreements.
7. Periodically review and stream audit logs to your SIEM; enable CMEK when your compliance program requires customer-managed keys.
What are the deterministic limits on what agents can do?
These are the hard boundaries on agent behavior - steering belongs alongside them, never instead of them. The table maps each runtime control to how Cursor recommends configuring it, so you can set the boundaries before turning agents loose on real repos.
| Control | Recommendation |
|---|---|
| Auto-review (Run Mode) | Prefer it over Run Everything; it runs allowlisted calls, sandboxes shell commands when it can, and routes the rest through a best-effort classifier, so combine it with hooks |
| Network allowlisting | Allowlist *.cursor.sh and set per-server MCP (Model Context Protocol: a standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs) network policy; exclude Cursor domains from SSL inspection so users don't disable security to make it work |
| Cloud Agent network egress | Restrict outbound access with Default + allowlist or Allowlist-only modes; Enterprise admins can lock the policy org-wide |
| Hooks | Enforce and observe at agent lifecycle points (block commands, scrub secrets, audit); distribute by MDM or cloud and set failClosed for critical hooks |
| .cursorignore | Block agent read and context for secrets and regulated trees; terminal and MCP tools can't honor it, so pair with approvals and file permissions |
| Other protections | Keep Browser, File-Deletion, External-File and .cursor directory protection enabled so risky actions still require approval |
Call your SIEM, DLP, allowlist or policy APIs from hooks instead of relying only on defaults. For private source control, reach it through PrivateLink (an AWS feature that keeps traffic to a service on your private network instead of the public internet) or Cloudflare Tunnel and align Cursor traffic with your endpoint security (AV/EDR/DLP).
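The Hooks row above describes blocking commands, scrubbing secrets and auditing at agent lifecycle points. The sketch below is an added example, not Cursor's code or part of the original page: it shows one hook script doing all three and denying on malformed input, which complements the failClosed setting. The stdin/stdout field names (`command`, `permission`, `userMessage`), the deny rules and the secret patterns are assumptions constructed for illustration; confirm the payload contract against Cursor's Hooks documentation before deploying.

```python
#!/usr/bin/env python3
"""Added example (not Cursor's code): a command-gating hook that fails closed.

Assumed contract: one JSON object on stdin with a "command" string; the reply
on stdout is {"permission": "allow" | "deny", "userMessage": ...}.
"""
import json
import re
import sys

# Constructed deny rules; in production, call your own policy API here.
DENY_RULES = [
    (re.compile(r"\brm\s+-\w*r\w*f|\brm\s+-\w*f\w*r"), "recursive force delete"),
    (re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|z)?sh\b"), "download piped to shell"),
    (re.compile(r"\.(env|pem)\b|id_rsa|\.aws/credentials"), "touches secret material"),
]
# Constructed secret shapes, scrubbed before the command reaches the audit log.
SECRET_RE = re.compile(
    r"AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|(?i:token|password|secret)=\S+"
)


def scrub(text: str) -> str:
    """Replace secret-looking substrings so audit records never hold them."""
    return SECRET_RE.sub("[REDACTED]", text)


def decide(raw: str) -> dict:
    """Return the hook reply; unparsable or unexpected input is denied."""
    try:
        command = json.loads(raw)["command"]
        if not isinstance(command, str):
            raise TypeError("command is not a string")
    except (ValueError, KeyError, TypeError) as exc:
        return {"permission": "deny",
                "userMessage": f"hook input rejected: {type(exc).__name__}"}
    for pattern, reason in DENY_RULES:
        if pattern.search(command):
            return {"permission": "deny", "audit": scrub(command),
                    "userMessage": f"blocked by policy: {reason}"}
    return {"permission": "allow", "audit": scrub(command)}


if __name__ == "__main__":
    reply = decide(sys.stdin.read())
    # Audit record goes to stderr; stdout carries only the decision.
    audit = {"decision": reply["permission"], "command": reply.pop("audit", None)}
    print(json.dumps(audit), file=sys.stderr)
    print(json.dumps(reply))
```

Pattern matching on command strings is itself best-effort, so a hook like this belongs alongside sandboxing and approvals rather than in place of them.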
How do we lock down identity, models and data?
Identity and data controls decide who signs in, on which device, which models they can reach and what code is allowed in. The two lists below cover the access and the privacy levers Cursor documents for these decisions.
- SSO and SCIM centralize authentication and automate user deprovisioning.
- Allowed Team IDs (MDM) block personal accounts on corporate devices so Privacy Mode always applies.
- Allowed Extensions allowlist trusted publishers; any entry blocks the rest unless you add "*": true. An install cooldown defers installs until a marketplace version has been public for a set number of hours, with optional signature verification.
- Workspace Trust (MDM) opens untrusted folders in restricted mode, which limits AI features - use it for truly untrusted trees, not day-to-day repos.

- Privacy Mode, enforced org-wide, is on by default for Enterprise; exceptions apply under BYOK and models with provider retention.
- Personal API keys (BYOK) should be restricted - with your own keys, zero data retention is subject to your agreement with the model provider, not Cursor's.
- Model access approves specific models; non-ZDR models require admin approval. A repository blocklist keeps sensitive repos out of Cursor entirely, and Protected Git Scopes lock your Git org or namespace to your teams for Cloud Agents and Bugbot (Cursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs).
- CMEK encrypts embeddings and Cloud Agent data with your own key when your compliance program requires customer-managed keys.
How do we monitor output and keep an audit trail?
Monitoring closes the loop: review the code agents produce, verify the controls hold and keep a trail security can read. The practices below are what Cursor recommends for that review-and-respond layer.
- Pre-production review: Have Bugbot and Security Agents review Cursor-generated code before it ships to production.
- Audit logs: Periodically review them and stream to SIEM, webhooks or S3 for authentication and admin events.
- Compliance logging: Use hooks to capture development-activity metadata beyond Cursor's audit logs.
- Responsible disclosure: Report vulnerabilities to security-reports@cursor.com.
Rules, plugins and MCP servers shape behavior and expand capability, but they are non-deterministic. Steer org-wide with Team Rules (rules promoted to apply across a whole organisation and shared consistently between the Cursor IDE, Agent and Bugbot) while treating them as suggestions, review what each plugin (a Cursor marketplace package that bundles MCP servers and skills, sometimes sub-agents and hooks; one click installs all of it into your Cursor instance) installs and favor private team marketplaces, and approve MCP servers with the allowlist while restricting per-server tools. Pair all of it with the deterministic runtime controls above.
Frequently asked questions
Which security controls are Enterprise-only?
Most enforcement levers - org-wide policies set in the team dashboard, MDM-distributed policies and SIEM streaming - are Enterprise features. Per-user controls such as .cursorignore and Run Mode defaults apply more broadly across plans.
Does enforcing Privacy Mode cover everything?
No. Privacy Mode enforces zero data retention for Cursor-routed models, but there are exceptions under BYOK and models with provider retention, and non-ZDR models require admin approval. Layer it with model access controls, a repository blocklist and CMEK where compliance requires it.
How long does Cursor retain indexed code and Cloud Agent data?
Indexed codebases expire automatically after 6 weeks of inactivity and Cloud Agent snapshots after 90 days. Enterprise admins can cap Cloud Agent retention (Indefinite or 90 days, with custom windows in early access), and deleting an individual account removes that user's data, including indexed codebases, within 30 days.
Sources & last verified
- Cursor - Security Hardening
- Cursor - Privacy and Data Governance
- Cursor - Run Modes
- Cursor - Hooks
- Cursor - Compliance and Monitoring
Cursor ships frequently. Facts verified against primary sources on June 28, 2026.