MCP Security
Every MCP server your agent connects to
is a new attack surface
The Model Context Protocol made it trivial to give an agent real tools โ and just as trivial to hand an attacker a path to them. Indirect prompt injection, tool poisoning, and confused-deputy tool calls don't show up in traditional security tooling, because the exposure lives in the gap between untrusted text and privileged actions.
Contributor, OWASP Top 10 for Agentic Applications 2026 ยท CISSP ยท PhD ยท 15+ years enterprise security
What actually breaks in MCP deployments
These are the exposures that most often go unreviewed, each mapped to the OWASP Top 10 for Agentic Applications 2026.
Indirect prompt injection through MCP resources
An agent reads a document, ticket, or record served by an MCP resource and treats its contents as instructions. Attacker-controlled text reaches the model as trusted input and drives the next tool call.
Tool poisoning and hijacking
A malicious or compromised MCP server returns crafted tool descriptions or results that steer the agent toward unintended, privileged actions โ without ever touching your code.
Confused-deputy tool calls
The agent holds a broad credential and invokes a state-changing MCP tool on behalf of whatever text reached it. Authorization is checked when the credential is issued, never at the moment of action.
Data exfiltration via tool chains
A connected tool with network or file access becomes an egress path. Sensitive context is funneled out through a legitimate-looking tool call the agent was convinced to make.
Unverified MCP server supply chain
Third-party MCP servers enter the tool path with no provenance, no allow-list, and no egress controls. You inherit the security posture of every server your agent can reach.
Privilege escalation across the tool boundary
Capabilities meant for one context leak into another. An agent scoped to one customer or order reaches tools and data it should never have been able to touch.
How an MCP review works
We pick one system. The agent and the MCP integration you're least sure about. I threat-model where untrusted text reaches privileged tools, then reproduce the exposures against your staging environment โ no production data touched.
You get findings you can act on. Each issue ships with a concrete reproduction, an OWASP/NIST/MITRE mapping, and a specific remediation โ quarantining retrieved content, enforcing per-action authorization at the tool boundary, allow-listing and gating MCP servers โ sequenced by risk reduction per unit of effort.
The fastest way in is the Sprint. Two working days on one system, an 8โ10 page findings memo, one walkthrough call. The fee credits toward a full Review if you continue.
Shipping MCP integrations this year?
If they haven't been security-reviewed for prompt injection and tool misuse, that's the place to start.