MCP Security

Every MCP server your agent connects tois a new attack surface

The Model Context Protocol made it trivial to give an agent real tools โ€” and just as trivial to hand an attacker a path to them. Indirect prompt injection, tool poisoning, and confused-deputy tool calls don't show up in traditional security tooling, because the exposure lives in the gap between untrusted text and privileged actions.

Contributor, OWASP Top 10 for Agentic Applications 2026 ยท CISSP ยท PhD ยท 15+ years enterprise security

What actually breaks in MCP deployments

These are the exposures that most often go unreviewed, each mapped to the OWASP Top 10 for Agentic Applications 2026.

ASI03

Indirect prompt injection through MCP resources

An agent reads a document, ticket, or record served by an MCP resource and treats its contents as instructions. Attacker-controlled text reaches the model as trusted input and drives the next tool call.

ASI04

Tool poisoning and hijacking

A malicious or compromised MCP server returns crafted tool descriptions or results that steer the agent toward unintended, privileged actions โ€” without ever touching your code.

ASI02

Confused-deputy tool calls

The agent holds a broad credential and invokes a state-changing MCP tool on behalf of whatever text reached it. Authorization is checked when the credential is issued, never at the moment of action.

ASI05

Data exfiltration via tool chains

A connected tool with network or file access becomes an egress path. Sensitive context is funneled out through a legitimate-looking tool call the agent was convinced to make.

ASI08

Unverified MCP server supply chain

Third-party MCP servers enter the tool path with no provenance, no allow-list, and no egress controls. You inherit the security posture of every server your agent can reach.

ASI01

Privilege escalation across the tool boundary

Capabilities meant for one context leak into another. An agent scoped to one customer or order reaches tools and data it should never have been able to touch.

How an MCP review works

We pick one system. The agent and the MCP integration you're least sure about. I threat-model where untrusted text reaches privileged tools, then reproduce the exposures against your staging environment โ€” no production data touched.

You get findings you can act on. Each issue ships with a concrete reproduction, an OWASP/NIST/MITRE mapping, and a specific remediation โ€” quarantining retrieved content, enforcing per-action authorization at the tool boundary, allow-listing and gating MCP servers โ€” sequenced by risk reduction per unit of effort.

The fastest way in is the Sprint. Two working days on one system, an 8โ€“10 page findings memo, one walkthrough call. The fee credits toward a full Review if you continue.

Shipping MCP integrations this year?

If they haven't been security-reviewed for prompt injection and tool misuse, that's the place to start.