MCP Security for Tool-Calling AI Agents
MCP Security is the set of policy, scoping, and audit controls applied to Model Context Protocol servers so AI agents can only call sanctioned tools, with validated arguments, under explicit approval modes, and with tamper-evident logs.
Why MCP Security matters
MCP exposes real tools to agents — SIEM queries, EDR isolate calls, ticketing writes. Without a security layer in front of MCP, the agent's identity becomes a flat, undifferentiated key to every tool it has been wired to.
How it works
A guardrail proxy sits between the agent and the MCP server. It allow-lists tools, validates arguments against schemas, redacts sensitive fields, applies approval modes per tool, and writes a tamper-evident audit of every call.
- The agent issues an MCP tool call.
- The proxy checks the tool against the agent's allow-list.
- Argument schemas validate every parameter.
- Redaction strips sensitive fields from arguments and outputs.
- Approval mode (auto / review / blocked) is applied per tool.
- The call and decision are hash-chained into the audit store.
Reference architecture
Agent → Allow-list → Argument validation + redaction → MCP Server (tools) → Tamper-evident audit.
Common risks
- Flat MCP tool surfaces with no per-tool scoping.
- Tools that accept arguments outside the agent's intended scope.
- No approval gate on consequential MCP tools.
- Missing or mutable audit of tool calls.
- Secrets flowing through tool arguments.
Security controls
- Per-tool allow-listing
- Argument schema validation
- Approval modes (auto / review / blocked)
- Redaction at the proxy
- Append-only, hash-chained audit
MCP security scenarios
Over-permissioned tool surface
An agent can see every MCP tool on the server. Allow-listing reduces it to the four it actually needs.
Out-of-scope argument
A siem.query call requests an index the agent is not scoped for. Argument validation rejects it.
Consequential tool without a gate
edr.isolate is exposed in auto mode. MCP Security moves it to review with an approval surface.
Secret in a tool argument
An agent passes an API key inside a webhook URL. Redaction strips it before the call leaves the proxy.
Untraceable failure
A tool call fails mid-session with no record. The audit store captures the attempt, arguments, and error for replay.
Cross-tool confused deputy
The agent chains two tools to do indirectly what neither allows directly. Policy evaluates the combined effect, not just each call.
Mistakes to avoid
- Assuming MCP is secure by default because it is a standard.
- Exposing every server tool to every agent persona.
- Validating tool names but not arguments.
- Keeping mutable logs that cannot prove what happened.
Related projects
Related research
Related services
Frequently asked questions.
What is MCP Security?
Is MCP itself insecure?
Where does MCP Security fit relative to Agent Security?
Put a guardrail between your agents and your tools.
See MCP Guardian in the projects, or get in touch to compare notes.