What Is MCP Security? Securing the Model Context Protocol

MCP security is the practice of securing the Model Context Protocol, the standard that connects AI agents to external tools, data sources, and services. MCP makes agents far more capable, and far more exposed: every connected tool is new attack surface. Because MCP turns model decisions into real actions, the durable defense is to constrain what each connection can do and watch it at runtime.

July 15, 2026
July 15, 2026

0 min read

AI Security
Application Security
Agentic Security
What is MCP Security?

What is MCP security?

The Model Context Protocol (MCP) is a standard way to connect AI models and agents to external tools, data sources, and services. Instead of hard-wiring each integration, an agent can discover and call MCP servers that expose capabilities: reading a database, calling an API, browsing a file system, running a task. MCP security is the discipline of doing that safely, because every capability an agent can reach through MCP is also something an attacker can try to reach through the agent.

MCP is what makes modern agents useful. It is also what makes them dangerous when unguarded. The protocol moves an AI system from producing text to taking action, and action is where security consequences live.

Why MCP expands the attack surface

Every MCP server an agent connects to is a new door. A connected tool can hold broad permissions, accept arguments the model chooses, and return content the model then trusts. Three properties make this risky: tools often run with more privilege than any single task needs; the model decides how to call them based on input that may be attacker-influenced; and tool output flows back into the model's context, where it can carry further instructions. Chain those together and a single over-trusted connection can become a path to real damage.

The main MCP security risks

  • Prompt injection through tool content. Data returned by an MCP tool can carry hidden instructions the model then follows. This is indirect prompt injection, and MCP is a common delivery path.
  • Over-privileged tools. An MCP server with broad scopes lets an influenced agent do broad harm. Excessive agency is the highest-leverage weakness.
  • Unvalidated tool arguments. If the model's requested arguments are executed without checks, a crafted request becomes a real action.
  • Untrusted or malicious servers. Connecting to an MCP server you do not control means trusting its behavior and its output.
  • Token and credential exposure. MCP connections hold credentials to the systems they reach, which makes them a target.

How to secure MCP

Treat every MCP connection as untrusted capability and contain it. Give each tool least privilege and the narrowest scopes it needs. Validate the arguments the model asks a tool to run against policy before execution, rather than trusting model output. Sandbox tool execution and keep connections isolated so a foothold in one does not become control of all. Gate irreversible actions behind explicit confirmation. And treat content returned by tools as untrusted input, not as instructions.

Because MCP turns decisions into actions, the decisive control is watching what agents actually do. Runtime intelligence observes the real tool calls, arguments, and side effects an agent performs, so an injected instruction that becomes a harmful action is caught when it executes. This is the same containment logic behind agentic AI security, and it fits into Kodem's broader approach to securing the AI application stack. Place MCP in the wider picture of AI application security.

Frequently Asked Questions

What is MCP security?

MCP security is the practice of securing the Model Context Protocol, the standard that connects AI agents to external tools, data, and services. It focuses on constraining what each connection can do and monitoring it at runtime, since every connected tool is new attack surface.

What is the Model Context Protocol?

MCP is a standard way for AI models and agents to discover and call external tools, data sources, and services, rather than hard-wiring each integration. It makes agents more capable by letting them take actions through connected servers.

What are the main MCP security risks?

Indirect prompt injection through tool content, over-privileged tools, unvalidated tool arguments, untrusted or malicious MCP servers, and exposure of the credentials those connections hold.

How is MCP related to prompt injection?

Content returned by an MCP tool flows back into the model's context and can carry hidden instructions the model then follows. MCP is a common delivery path for indirect prompt injection.

How do you secure MCP connections?

Give each tool least privilege, validate tool arguments against policy before execution, sandbox and isolate connections, gate irreversible actions, treat tool output as untrusted input, and monitor the agent's real behavior at runtime.

Table of contents

Related blogs

What is an LLM Jailbreak?

What is an LLM Jailbreak?

An LLM jailbreak bypasses a model's safety guardrails to produce restricted output. How jailbreaks work, how they differ from prompt injection, and defenses.

July 15, 2026

4

What is RAG Security?

What is RAG Security?

RAG security covers the risks of retrieval-augmented generation: injection through retrieved content, data poisoning, and leakage. The threats and how to defend.

July 15, 2026

4

What Is an SBOM? (Software Bill of Materials)

What Is an SBOM? (Software Bill of Materials)

A software bill of materials (SBOM) inventories every component in your software. What an SBOM includes, why it matters, and how runtime makes it actionable.

July 15, 2026

5

Stop the waste.
Protect your environment with Kodem.

A Primer on Runtime Intelligence

See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.

5.1k
Applications covered
1.1m
False positives eliminated
4.8k
Triage hours reduced

Platform Overview Video

Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.

5.1k
Applications covered
1.1m
False positives eliminated
4.8k
Triage hours reduced

The State of the Application Security Workflow

This report aims to equip readers with actionable insights that can help future-proof their security programs. Kodem, the publisher of this report, purpose built a platform that bridges these gaps by unifying shift-left strategies with runtime monitoring and protection.

3D book mockup of Kodem's State of the Application Security Workflow 2025 report

Get real-time insights across the full stack…code, containers, OS, and memory

Watch how Kodem’s runtime security platform detects and blocks attacks before they cause damage. No guesswork. Just precise, automated protection.

Kodem issues list with a magnified view of insight icons: runtime, ingress, and exploitability
Combined author
Pavel Furman
Publish date

0 min read

AI Security

Application Security

Agentic Security