Written by

Idan Habler, PhD, Staff AI/ML Security Researcher – Intuit / OWASP Agentic Security – Secure Agentic Apps Co-Lead

Vineeth Sai Narajala, Generative AI Security Engineer, AWS   / OWASP Agentic Security – Secure Agentic Apps Co-Lead

Ron F. Del Rosario VP – Head of AI Security @ SAP ISBN / OWASP GenAI Security Core Member and Agentic Security Initiative Co-lead

John Sotiropoulos,  Head of AI Security at Kainos / OWASP GenAI Security Project Board Director and Agentic Security Initiative Co-lead

The OWASP GenAI Security Project is driven by a shared belief: that rapid, community-driven collaboration of experts in the field with peer review content is our strongest defense in the evolving landscape of agentic AI systems. As the Alan Turing Institute highlights in their Towards Secure AI Paper, formal standards require time and can be heavily process-driven, whereas open standards communities can be nimble without losing their authoritative content.

When exciting new capabilities emerge, they often bring new risks, and it’s not just standards and policy we need but timely responses, too, to educate and empower people on the ground. The Model Context Protocol is one such example on how the OWASP’s GenAI Security project and its Agentic Security Initiative can strike the right balance of timely advice and longer term holistic guidelines.

Introduced by Anthropic, MCP provides a standardized way for AI systems to interact in real time with external tools and data sources—moving AI beyond static knowledge and into live, actionable contexts.. But as AI steps onto this new frontier, it faces novel security threats.  Whilst many of these threats are already highlighted in our recently released Agentic AI: Threats and Mitigations, MCP poses concrete aspects that need addressing and with its momentum, these could not wait for our next release cycle.

In response, Idan and Vineeth, our Secure Agentic Apps co-leads, rapidly published a research paper, “Enterprise-Grade Security for the Model Context Protocol (MCP): Frameworks and Mitigation Strategies”. The paper  provides actionable strategies to navigate these challenges. It has become viral on social media and the community and it will feed into our forthcoming “Securing Agentic App Guide” which aims to provide actionable guidance on designing, developing, testing, and deploying agentic applications securely.

In this blog post we provide an actionable summary of this paper to help builders and defenders navigate this space and connect the paper to our broader initiative. We highlight our forthcoming events and work and how you can be part of our work helping shape Agentic AI Security.

What is MCP and Why Does it Matter?

MCP  is essentially a bridge allowing AI systems to dynamically interact with external data sources and tools in real-time. This capability relies on three key components:

• MCP Host: The AI application environment where the main task is performed.
• MCP Client: An intermediary handling communication between the Host and external Servers.
• MCP Server: The gateway enabling interaction with specific external services and tools.

This connection allows AI to move beyond static knowledge, leveraging live information and specialized capabilities.

New Threats in a Dynamic Landscape

While MCP integration offers tremendous benefits, it opens doors for new security risks that traditional API security alone cannot fully address. The dynamic, conversational nature of these interactions creates unique vulnerabilities:

• Tool Poisoning: Imagine an attacker subtly modifying a tool’s description. They could trick the AI into executing unintended, potentially harmful actions – perhaps manipulating a financial tool to exfiltrate sensitive data disguised as a normal query.
• Data Exfiltration: Sensitive information could leak through compromised tools or insecure communication channels.
• Command and Control (C2): Malicious actors might establish covert communication channels by compromising MCP components.
• Identity Subversion: Flaws in authentication or authorization could be exploited, granting unauthorized access to tools or data.

 A Practical  Defense-in-Depth  Security Framework for MCP

Our research advocates for a comprehensive security framework built on defense-in-depth and Zero Trust principles, specifically tailored for MCP:

1.Server-Side Security:

• Network Segmentation: Isolate MCP servers in dedicated security zones. Use strict traffic filtering and end-to-end encryption to contain breaches and prevent lateral movement.
• Application Gateway Controls: Implement robust protocol validation, threat detection patterns (like identifying malicious prompts), and rate limiting at the gateway level.
• Tool and Prompt Security: Implement strict evaluation and screening processes for all integrated tools. Implement content security policies for tool descriptions and use advanced behavioral monitoring to detect anomalies indicative of tool poisoning. Client-Side Security (Zero Trust):

• Zero Trust Model: Operate on the principle of “never trust, always verify.” Every MCP interaction, regardless of its origin within the system, must be authenticated and authorized.
• Just-in-Time (JIT) Access: Issue specific, time-limited credentials only when needed for a particular task, drastically minimizing the attack window.
• Continuous Validation: Don’t just authorize once. Re-validate authorization for every request and implement behavioral anomaly detection to spot suspicious patterns (e.g., an AI suddenly trying to access an unusual tool).

2.Operational Security:

• Comprehensive Monitoring: Log all significant MCP events (tool calls, data requests, errors) and centralize these logs for effective analysis and threat hunting.
• Incident Response Procedures: Develop specific playbooks for MCP-related security incidents (like suspected tool poisoning or data leakage) with clear steps for containment, eradication, and recovery.
• Threat Intelligence Integration: Stay updated on emerging AI-specific threats by subscribing to relevant security feeds and participating in information-sharing communities.

Secure Deployment Patterns: Finding the Right Fit

Organizations have different needs and infrastructures. We outline three common deployment patterns:

• Dedicated Security Zone: Isolate all MCP components in a highly restricted network segment. (Best for high-security needs, e.g., finance).
• API Gateway-Centric: Place MCP servers behind existing enterprise API gateways to leverage current security investments. (Good for mature API management).
• Containerized Microservices: Deploy MCP components as microservices using platforms like Kubernetes, leveraging built-in security features. (Ideal for cloud-native setups).
  

Taking Control: Factors to Consider When Hosting Your Own MCP Server

While some MCP interactions might involve external, third-party MCP Servers, many organizations will need or prefer to host their own servers to expose internal tools, databases, or proprietary functionalities to their AI models. This provides enhanced control but also involves considerable responsibility.

Advantages of self-hosting

• Control: Full control over the tools exposed, their logic, and the data they access.
• Customization: Tailor tool interfaces and server behavior precisely to your needs.
• Data Sovereignty: Keep sensitive data interactions entirely within your infrastructure boundaries.
• Security Oversight: Direct management of the security posture of the server and its integrations.

Requirements for Hosting Your Own Server:

• Infrastructure: Requires provisioning compute resources (VMs, containers), configuring secure networking (essential for segmentation), and potentially storage.
• Server Software: You’ll need the MCP Server application logic itself. This might involve developing custom software based on the MCP specifications or utilizing potential future open-source or vendor implementations.
• Tool Integration: Developing secure adapters or connectors that allow the MCP Server to interact reliably and safely with your target tools (databases, internal APIs, legacy systems).
• Authentication & Authorization: Implementing robust mechanisms to authenticate MCP Clients and authorize their requests based on defined policies (linking back to Zero Trust).

Specific Security Responsibilities:

• Full Stack Security: You are accountable for safeguarding all components, including the foundational operating system, network settings, MCP server application code, and tool adapters.
• Stringent Configuration Management: Avoiding default settings, hardening the OS, and securely configuring the MCP server software together with the underlying web server/application gateway are essential.
• Careful Patching: A strict patching cadence is necessary for the OS, all software dependencies, the MCP server software, and any integrated tool components.
• Implementing the Framework: The “Server-Side Security” principles discussed earlier (Network Segmentation, Gateway Controls, Tool Vetting) become your direct implementation responsibility. Robust logging and monitoring (“Operational Security”) are essential for detecting issues on your server.

Practical Considerations

Implementing this framework requires careful planning:

• Complexity & Resources: Building robust MCP security requires dedicated security expertise and operational resources.
• Performance Impact: Some security measures (like deep inspection) might introduce latency. Balance security needs with performance requirements.
• Tool Ecosystem Vetting: The security of third-party tools is critical. Thorough assessment is essential.
• Evolving Threats: The AI security landscape changes rapidly. Controls must be continuously reviewed and updated.

The Road Ahead: The Future of MCP Security

MCP security is a dynamic field. Exciting research directions include:

• AI-driven security mechanisms specifically for MCP environments.
• Using confidential computing to protect MCP processes.
• Standardizing MCP security extensions.
• Developing quantitative metrics to measure MCP security posture.

Securely Embracing the Future

The Model Context Protocol offers transformative potential for AI. However, security cannot be an afterthought. By adopting a multi-layered, Zero Trust approach tailored to MCP’s unique characteristics, organizations can confidently harness its power while managing the inherent risks.

Treating MCP security as a core part of your AI governance strategy is crucial. We encourage you to assess your organization’s readiness and begin internal discussions on implementing robust protections. With careful planning using frameworks like the one detailed in our research, businesses can securely navigate this exciting new frontier.

Read the full paper

 For the complete technical framework and detailed implementation guidance, please refer to the full paper:

📄 Enterprise-Grade Security for the Model Context Protocol (MCP): Frameworks and Mitigation Strategies By Vineeth Sai Narajala (AWS), Idan Habler (Intuit)

 https://arxiv.org/abs/2504.08623

Join the Conversation

This paper exemplifies the open, collaborative ethos of the OWASP GenAI Security Project’s Agentic Security Initiative (ASI). It’s feeding directly into our forthcoming Securing Agentic App Guide and will be a key topic at our Agentic Security Open Workshop at RSAC 2025. Come meet the authors, hear major announcements, and shape the future of secure agentic AI. https://lu.ma/faskrds8

Or listen to expert voices and part of Agentic Review Panel at the OWASP AI Security Summit at RSAC 2025 – https://genai.owasp.org/event/rsa-conference-2025/

🔗 Join the initiative – we welcome contributors, reviewers, and practitioners from all backgrounds. – https://genai.owasp.org/initiatives/#agenticinitiative