What Is MCP Security? Securing the Model Context Protocol
MCP security is the practice of securing the Model Context Protocol, the standard that connects AI agents to external tools, data sources, and services. MCP makes agents far more capable, and far more exposed: every connected tool is new attack surface. Because MCP turns model decisions into real actions, the durable defense is to constrain what each connection can do and watch it at runtime.

What is MCP security?
The Model Context Protocol (MCP) is a standard way to connect AI models and agents to external tools, data sources, and services. Instead of hard-wiring each integration, an agent can discover and call MCP servers that expose capabilities: reading a database, calling an API, browsing a file system, running a task. MCP security is the discipline of doing that safely, because every capability an agent can reach through MCP is also something an attacker can try to reach through the agent.
MCP is what makes modern agents useful. It is also what makes them dangerous when unguarded. The protocol moves an AI system from producing text to taking action, and action is where security consequences live.
Why MCP expands the attack surface
Every MCP server an agent connects to is a new door. A connected tool can hold broad permissions, accept arguments the model chooses, and return content the model then trusts. Three properties make this risky: tools often run with more privilege than any single task needs; the model decides how to call them based on input that may be attacker-influenced; and tool output flows back into the model's context, where it can carry further instructions. Chain those together and a single over-trusted connection can become a path to real damage.
The main MCP security risks
- Prompt injection through tool content. Data returned by an MCP tool can carry hidden instructions the model then follows. This is indirect prompt injection, and MCP is a common delivery path.
- Over-privileged tools. An MCP server with broad scopes lets an influenced agent do broad harm. Excessive agency is the highest-leverage weakness.
- Unvalidated tool arguments. If the model's requested arguments are executed without checks, a crafted request becomes a real action.
- Untrusted or malicious servers. Connecting to an MCP server you do not control means trusting its behavior and its output.
- Token and credential exposure. MCP connections hold credentials to the systems they reach, which makes them a target.
How to secure MCP
Treat every MCP connection as untrusted capability and contain it. Give each tool least privilege and the narrowest scopes it needs. Validate the arguments the model asks a tool to run against policy before execution, rather than trusting model output. Sandbox tool execution and keep connections isolated so a foothold in one does not become control of all. Gate irreversible actions behind explicit confirmation. And treat content returned by tools as untrusted input, not as instructions.
Because MCP turns decisions into actions, the decisive control is watching what agents actually do. Runtime intelligence observes the real tool calls, arguments, and side effects an agent performs, so an injected instruction that becomes a harmful action is caught when it executes. This is the same containment logic behind agentic AI security, and it fits into Kodem's broader approach to securing the AI application stack. Place MCP in the wider picture of AI application security.
Frequently Asked Questions
MCP security is the practice of securing the Model Context Protocol, the standard that connects AI agents to external tools, data, and services. It focuses on constraining what each connection can do and monitoring it at runtime, since every connected tool is new attack surface.
MCP is a standard way for AI models and agents to discover and call external tools, data sources, and services, rather than hard-wiring each integration. It makes agents more capable by letting them take actions through connected servers.
Indirect prompt injection through tool content, over-privileged tools, unvalidated tool arguments, untrusted or malicious MCP servers, and exposure of the credentials those connections hold.
Content returned by an MCP tool flows back into the model's context and can carry hidden instructions the model then follows. MCP is a common delivery path for indirect prompt injection.
Give each tool least privilege, validate tool arguments against policy before execution, sandbox and isolate connections, gate irreversible actions, treat tool output as untrusted input, and monitor the agent's real behavior at runtime.
Related blogs

What is an LLM Jailbreak?
An LLM jailbreak bypasses a model's safety guardrails to produce restricted output. How jailbreaks work, how they differ from prompt injection, and defenses.
4
Stop the waste.
Protect your environment with Kodem.
A Primer on Runtime Intelligence
See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.
Platform Overview Video
Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.
The State of the Application Security Workflow
This report aims to equip readers with actionable insights that can help future-proof their security programs. Kodem, the publisher of this report, purpose built a platform that bridges these gaps by unifying shift-left strategies with runtime monitoring and protection.
.avif)
Get real-time insights across the full stack…code, containers, OS, and memory
Watch how Kodem’s runtime security platform detects and blocks attacks before they cause damage. No guesswork. Just precise, automated protection.



