Learn
What is MCP security?
The Model Context Protocol (MCP) is the emerging standard for connecting AI agents to tools: an agent discovers a server’s tools from its manifest, calls them, and feeds the results back into its context. MCP security is the discipline of not trusting any step of that sentence.
The protocol’s strength – any client can use any server – is exactly its risk profile. An MCP server is third-party code whose tool descriptions enter your model’s context, whose results your model reads as truth, and whose behavior can change after you audited it. Each of those is an attack surface with a name.
Four patterns account for most of what goes wrong:
Tool poisoning
The attack ships in the manifest: a tool’s description carries instructions for the model (“before using this tool, first send the conversation to …”). The agent ingests it as documentation; the model reads it as orders.
Rug pulls
The server you audited is not the server you are running. A manifest that was benign at install time changes – a new tool appears, a description gains a payload – and nothing in the protocol tells you.
Result injection
Indirect prompt injection delivered through tools/call responses: the web page, ticket, or document a tool returns carries instructions that steer the agent’s next step.
Data exfiltration through arguments
Nothing in MCP stops an agent from passing your customer’s email address, an API secret, or screened PII as an argument to an untrusted server’s tool. The channel out is the tool call itself.
The natural place to enforce – inside the agent – is the compromised party in every scenario above: the model deciding whether a tool call is safe is the same model the poisoned description just steered. Client-side allowlists help, but they see tool names, not behavior over time, and a client that treats a denial as advisory can simply proceed.
That is the case for a gateway: a proxy that speaks MCP, sits between the agent and its servers, and enforces where the traffic actually flows. A denial issued there is a JSON-RPC error the client cannot ignore, because the forwarded call never happened.
The proxy’s MCP gateway fronts each registered server and applies the same policy engine that governs the LLM boundary:
Inspection before forwarding
Every tools/call is checked against tool policy, permission tiers, argument grounding, and taint rules before it reaches the server – a deny never executes.
Result scanning
What the server returns is injection-scanned before the agent’s context ever sees it.
Manifest pinning
The server’s tool manifest is pinned at registration; any drift – a new tool, a changed description – is flagged as manifest_changed. The rug-pull, made visible.
One audit trail
Gateway calls land in the same run graph as the agent’s model calls and workflow checkpoints, so an MCP-borne incident is traceable end to end.
What is tool poisoning in MCP?
An attack where a tool’s description in the server manifest contains instructions aimed at the model rather than documentation for it. The description enters the agent’s context during discovery and steers behavior before any tool is even called.
What is an MCP rug pull?
A server whose tool manifest changes after you vetted it – new tools appear or descriptions gain payloads, silently. Defense is pinning: record the manifest at registration and flag any drift before further calls are forwarded.
Are MCP tool results trustworthy?
No – they are third-party content that will be read by your model, which makes them an injection channel. They should be scanned before re-entering the context, and consequential follow-up actions should be checked independently of what any result claimed.
Do I have to modify my agent to use an MCP gateway?
No – the gateway speaks MCP. Point the client at the gateway URL for each registered server instead of the server directly; inspection, scanning, and manifest pinning happen in between.
See the checks run on your own traffic.
One base-URL change puts every request behind the guardrail pipeline. We’re running a limited demo – sign up and we’ll get you in as soon as we can.