Definition

MCP Security is the set of policy, scoping, and audit controls applied to Model Context Protocol servers so AI agents can only call sanctioned tools, with validated arguments, under explicit approval modes, and with tamper-evident logs.

Why It Matters

Why MCP Security matters

MCP exposes real tools to agents — SIEM queries, EDR isolate calls, ticketing writes. Without a security layer in front of MCP, the agent's identity becomes a flat, undifferentiated key to every tool it has been wired to.

How It Works

How it works

A guardrail proxy sits between the agent and the MCP server. It allow-lists tools, validates arguments against schemas, redacts sensitive fields, applies approval modes per tool, and writes a tamper-evident audit of every call.

  • The agent issues an MCP tool call.
  • The proxy checks the tool against the agent's allow-list.
  • Argument schemas validate every parameter.
  • Redaction strips sensitive fields from arguments and outputs.
  • Approval mode (auto / review / blocked) is applied per tool.
  • The call and decision are hash-chained into the audit store.
Architecture

Reference architecture

Agent → Allow-list → Argument validation + redaction → MCP Server (tools) → Tamper-evident audit.

Risks

Common risks

  • Flat MCP tool surfaces with no per-tool scoping.
  • Tools that accept arguments outside the agent's intended scope.
  • No approval gate on consequential MCP tools.
  • Missing or mutable audit of tool calls.
  • Secrets flowing through tool arguments.
Controls

Security controls

  • Per-tool allow-listing
  • Argument schema validation
  • Approval modes (auto / review / blocked)
  • Redaction at the proxy
  • Append-only, hash-chained audit
Examples

MCP security scenarios

Over-permissioned tool surface

An agent can see every MCP tool on the server. Allow-listing reduces it to the four it actually needs.

Out-of-scope argument

A siem.query call requests an index the agent is not scoped for. Argument validation rejects it.

Consequential tool without a gate

edr.isolate is exposed in auto mode. MCP Security moves it to review with an approval surface.

Secret in a tool argument

An agent passes an API key inside a webhook URL. Redaction strips it before the call leaves the proxy.

Untraceable failure

A tool call fails mid-session with no record. The audit store captures the attempt, arguments, and error for replay.

Cross-tool confused deputy

The agent chains two tools to do indirectly what neither allows directly. Policy evaluates the combined effect, not just each call.

Pitfalls

Mistakes to avoid

  • Assuming MCP is secure by default because it is a standard.
  • Exposing every server tool to every agent persona.
  • Validating tool names but not arguments.
  • Keeping mutable logs that cannot prove what happened.
Related Projects

Related projects

Related Research

Related research

Related Services

Related services

FAQ

Frequently asked questions.

What is MCP Security?
MCP Security is the set of policy, scoping, and audit controls applied to Model Context Protocol servers so AI agents can only call sanctioned tools, with validated arguments, under explicit approval modes, and with tamper-evident logs.
Is MCP itself insecure?
No. MCP is a protocol; security is a property of how it is deployed. A guardrail proxy is the standard pattern for applying policy without modifying tools or the agent.
Where does MCP Security fit relative to Agent Security?
MCP Security is the boundary-layer slice of Agent Security focused on the tool-call surface itself.
Next step

Put a guardrail between your agents and your tools.

See MCP Guardian in the projects, or get in touch to compare notes.