[May 2026 Release] AI Agent Skill Governance, Guardrail Remediation & More. Learn more->

[May 2026 Release] AI Agent Skill Governance, Guardrail Remediation & More. Learn more->

[May 2026 Release] AI Agent Skill Governance, Guardrail Remediation & More. Learn more->

Top MCP Security Best Practices for 2026

Learn the top MCP security best practices for 2026, including authentication, authorization, prompt injection defense, and runtime protection.

Rushali Das

Rushali Das

MCP Security Best Practices
MCP Security Best Practices

The Model Context Protocol (MCP) that connects the AI agents with the tools, APIs, and Data they work with has emerged as a connective. This has prompted rapid adoption of MCP across the AI ecosystem, from companies such as Anthropic and OpenAI to numerous open-source projects that have been developed. This type of growth costs resources. Each tool that an agent can call, each session it maintains, and each external integration it engages increases the attack surface that defenders must "think about. The way each agent comes about is autonomous and typically not from trusted input, which means that using the traditional perimeter approach is not enough. This guide explores MCP threat modeling, authentication and authorization controls, execution sandboxing, supply chain risks, monitoring, automated testing, and a practical checklist of points for your actual deployments.

What is MCP and Why Security Matters?

It's beneficial to first educate yourself about what MCP is and where its security weight falls before you start talking about specific risks. It's about the architecture of the protocol; how it can provide agents with tools; and why that architecture makes it difficult to run the protocol in production.

Understanding the Model Context Protocol (MCP)

Model Context Protocol is an open standard representing a way to connect applications of AI with outside capabilities. The host application (the AI client) communicates with one or more servers (the MCP), and each server publicizes a collection of tools, resources, and prompts that are available to the model.

In terms of architecture, there are three roles of the MCP. The host performs tasks such as running the language model and directing requests. The client runs on the host with an open connection to every server. The server is open for exposing capabilities, and for executing the actual invoking, it can query the database, invoke 3rd party API, or read a file. Any client that supports the defined transport all the way to a JSON-RPC server will be able to communicate with any server perfectly.

This is the strength of MCP. An AI agent does not require customized code for each system that it will interact with. It searches for tools on connected servers, fetches the tool definition available for the servers, and determines which tools should be invoked to meet the user's request. The model can then be chained together in an agentic setting, with the output of one step acting as the input for the next through a series of tools, planned multi-step workflows, with limited to no human control between steps. The following may occur with only a few lines of code changes: a coding agent may read a repository, execute tests, open a pull request, and post a status update - all via MCP tool calls.

Why MCP Introduces New Security Risks

These attributes that make MCP useful also make for new categories of risk that classic application security could not have covered.

The first one is dynamic tool execution. Right at run-time, the model decides which tools to call given natural language input and intermediate results. Because there is no 'static' call graph that a reviewer can review in advance, the set of actions that an agent can submit has a significant degree of emergentness.

Now add autonomous workflows to the mix. A single poor decision in an owner's chain can have a negative impact when an agent performs several steps independently. If an agent misreads an instruction, then it will not stop and confirm deletion of records unless the system was designed to stop and confirm deletion of records.

External integrations increase your exposure. Unlike traditional applications, each incremental instance of an MCP server might contact APIs, internal services, and data stores – items that exist far outside the bounds of the application itself, thereby creating an opportunity for a minor failure with one server to become a pathway to the systems outside the scope of the application.

It adds an outside-the-box element too, in the form of cross-agent communication. If you are specifying multiple agents, each agent's output will feed into another agent's input. A faulty or altered agent may send "poisoned" context, "bad" instructions, or "bad" results downstream, and trustworthy context is hard to determine from an altered one.

Common MCP Attack Surfaces

Knowing where attackers really push is the first step in a good model context protocol security. The most important application attack surfaces can be mapped into five areas of the MCP.

The first are the tool discovery mechanisms of the MCP. Because of the dynamic reading of the tool definitions, an attacker who can manipulate the tool definitions, either by means of a malicious server or by simply modifying the registry, can "fool" the client by creating a fake tool or by hiding instructions, and the model will execute these instructions as a result.

Session management layers are next. A solid understanding of the implications of stateful connections is necessary for MCP connections, and flaws in session creation, binding, and termination introduce weaknesses to reusing or hijacking sessions.

A common collection target is consent and authorization flows. The logic determining approval of actions is fragile or inconsistent, and agents start doing things that the user never authorized.

When you are integrating with external APIs, they are sharing the server's outbound reach. A server that forwards agent-supplied input to the backend calls can be converted to a pivot point.

The picture is completed by plugins and extension ecosystems. The third-party MCP servers and add-ons are executed with full privileges; an unvetted plugin is an unvetted path of code in the border of the agentic AI security.

Understanding MCP Security Risks and Threat Models

The basic concept of the MCP threat model is to categorize the threats throughout the layers: consent, prompting, sessions, token handling, and configuration. We will discuss one by one, and they are those that appear most in the field in actual deployments.

Consent Flow Vulnerabilities in MCP

The way to prevent an autonomous agent from acting without authority is by using consent. However, if it breaks, the agent's autonomy turns to the attacker's autonomy.

Consent bypass attacks involve attacking gaps that do not require an action to pass through a consent check to reach the action. Occurs when some tool paths do not provide the consent gate, when the consent policy is enforced on the client computer but not the server computer, or when a specifically crafted request structure avoids the code that should trigger the prompt for the user to click the consent button.

Weak Approval Logic is more subtle. The advance of the value is limited, but too coarse. Once a category is approved, from then on, all calls from that category have that same permission, even if the risk associated with the call changes. If an approval doesn't define what resources, scope or parameters were agreed, then attacks will have the space for them to get bigger.

The problem of cross-session permission leakage occurs when permissions granted from one session bleed into other sessions. If permission is stored in the approval state on the user instead of on context and session, a new session could be granted permissions that are user-specific and could not be requested again, or an interceded session would be able to use permissions granted by other users at an earlier time.

Prompt Injection in MCP Systems

The largest threat to MCP that immediately exploits the disparity between data and instructions is prompt injection. Content that should be data may be interpreted as a command, since agents have a tendency to process text as both.

Direct Prompt Injection

Direct is when the attacker issues instructions to the agent's prompt. User message, chat input area, or any text information that gets into the model could contain instructions such as ignoring previous constraints and invoking the payment tool. If it doesn't signal an approved system command from its user text, then it might execute it.

Indirect Prompt Injection Through Tool Responses

Indirect injection is more difficult to detect as the malicious instruction is embedded within data the agent can obtain through it. A tool returns the contents of a web page, support ticket, or document, and buried in that document is text targeted at the model. The issue was evident from the MCP server case on GitHub: instructions inside public issues were processed by an agent and resulted in unauthorized access and data leakage. The agent believes the tool output, and the tool output is "hostile".

Prompt-Based Tool Manipulation

Tool manipulation is another step in which injected text is used to control the execution of tools and their behavior. The attacker sends the agent input to make it go to a sensitive tool, tampers with the arguments it is supposed to pass, or hooks up calls one after the other in such a way that things happen that the user did not want to happen. The model is following the instructions given. It was prematurely announced by the wrong source.

MCP Session Hijacking Risks

Illegal access to Client-Server stateful connection is known as stateful connection hijacking known as MCP session hijacking. Find control of the session and control the rest of whatever the agent is allowed to do in the session.

Stealing a session token is the direct path. Unsecured storage or insecure tokens (those embedded in a URL or log), or ones that expire too late, can be stolen and repurposed. An attacker speaks with the server as the legitimate client, using the same token as the legitimate client.

Context manipulation campaign attacks on the conversation state itself. If a token is carried across multiple calls due to a three-way handshake or similar scenario, then the attacker can inject or change the context carrying agent between calls, and change the agent's understanding of its task without ever contacting the token itself.

Unauthorized session reuse is an attack on sessions that have a useful life greater than the period of their use. Long-lived or never-expired sessions provide an attacker with great latitude, and sessions without linking to client identities can be intercepted by another.

Multi-agent systems with shared session handles or shared context, or cross-agent session abuse, occur. It can be a problem when someone has compromised one agent and is reusing it to do something it was not authorized to do.

Token Passthrough and SSRF Risks in MCP Servers

Unsafe token propagation is a particularly hazardous pattern. An MCP server picks up a token for a certain use and passes it on, unchanged, to a service downstream. Sharing an inbound token directly with a backend API without verifying any audience and scope parameters gives an audience that much haste, creating unexpected audiences for the token.

When an MCP server attempts to make an outbound request with attacker-supplied values, it's called server-side request forgery (SSRF). An agent can provide a URL or host to the server that is accessible to that server for fetching. An attacker may send that retrieved request to internal hosts, cloud metadata or admin interface/panels that should be inaccessible from the outside.

Internal resource access abuse is the payoff of both. When an attacker can drive the calls from the server, or is able to retrieve reused propagated tokens from the server, then the MCP server can act as a gateway to the protected network. Think of all outbound requests by the server on behalf of an agent as a privileged activity requiring validation, allow-listing and network restriction.

MCP Misconfiguration Risks

So many real events stem from the setting of wrongs, not clever exploits. Powerful MCP misconfiguration detection makes these hidden issues easy to detect before attackers do.

Most frequently, over-permissible access to tools exists. There are more tools exposed by the server, or a more powerful set of tools, than what the use case expects to use, and the agent can access all of them.

There are numerous server frameworks, in particular MCP, where the default setting is insecure. Defaults that are easy to use, open transports, and verbose error printing, all of which are convenient in development, are drawbacks in production.

A faulty isolation measure other than the tool/server can impact a broader area. A single failure has a "ripple effect", if there is no control at all concerning tools, between sessions, and between the server program and the host program.

Excessive agent permissions are the identity-layer version of the same mistake. When the credentials an agent runs with carry broad rights across many systems, every other weakness becomes more damaging because the blast radius is larger.

MCP Server Authentication Best Practices

Authentication is the first control that has to hold, since everything downstream assumes the caller is who they claim to be. The practices here cover the core mechanisms, how to enforce identity per client, and the OAuth details that quietly break when they get rushed.

MCP Server Authentication Best Practices

Strong Authentication for MCP Servers

Authentication answers a single question: Is the client connecting to this server actually who it claims to be? Get this wrong, and every later control rests on sand.

OAuth 2.0 implementation gives MCP servers a standards-based way to handle authorization without managing raw credentials. Use the authorization code flow with PKCE for interactive clients, keep access tokens short-lived, and validate every token's signature, audience, issuer, and expiry on the server side rather than trusting the client to have done so.

Mutual TLS (mTLS) raises the bar for service-to-service connections. Both client and server present certificates, so the server confirms the client's identity at the transport layer before any application message is processed. This is well-suited to MCP servers that sit inside an enterprise and are called by known automated clients.

Secure API key management covers the cases where keys are still the right tool. Generate keys with sufficient entropy, store them hashed rather than in plaintext, scope each key to the minimum it needs, rotate them on a schedule, and revoke them the moment a client is decommissioned or a leak is suspected.

Per-Client Authentication Enforcement

Treating all callers as one anonymous blob removes any ability to attribute or contain actions. Per-client enforcement fixes that.

Unique identity validation means every client gets its own verifiable identity, its own credentials, and its own scopes. When something goes wrong, you can tell which client did it and cut off just that one.

Session-bound authentication ties the authenticated identity to the specific session, so a session cannot be detached from the client that opened it and reused elsewhere. Each session carries proof of who established it.

Device verification adds a check on where the client is running, which matters for agentic tools that operate from employee laptops or distributed nodes. Confirming the device alongside the identity closes a gap that identity alone leaves open.

OAuth Security Best Practices

Strong MCP server authentication depends on getting the OAuth details right, since the protocol fails quietly when small things are skipped.

OAuth state validation defends against cross-site request forgery during the authorization flow. Generate an unpredictable state value, bind it to the user's session, and reject any callback whose state does not match.

Redirect URI validation stops an attacker from redirecting the authorization response to a server they control. Match redirect URIs exactly against a pre-registered allow-list rather than using prefix or wildcard matching.

Token scope restrictions keep a token's power proportional to its job. Request the narrowest scopes an action needs, and have the server enforce that a token presented for one operation actually carries the scope for it.

Secure token storage protects tokens at rest and in transit. Keep them out of logs and URLs, store them encrypted, hand them to clients over secure channels only, and give them short lifetimes backed by refresh tokens so a stolen token expires fast.

MCP Authorization Controls and Access Management

With identity established, the next job is bounding what each identity is allowed to do. Let’s move from broad authorization policy down through per-client consent to the permissions on individual tools.

Implementing Granular Authorization Policies

Authentication proves identity. Authorization decides what that identity may do, and in agentic systems, it has to be granular enough to constrain an autonomous actor.

Role-based access control (RBAC) maps tools and resources to roles, then assigns clients and agents to roles. An agent built for read-only reporting gets a role with no write tools at all, so even a fully manipulated agent cannot reach destructive actions outside its role.

Policy-based access control goes beyond static roles by evaluating attributes at decision time: who the caller is, what they are asking for, the sensitivity of the target, the time, and the context. This lets you express rules like allow this tool only for requests originating from an internal network during a maintenance window.

Least privilege enforcement is the principle under both. Every agent, client, and tool gets the minimum access required, and nothing is held in reserve. Privileges are granted deliberately, reviewed regularly, and removed when no longer needed.

Per-Client Consent Enforcement

Solid consent flow implementation is what turns a policy on paper into an actual gate in front of risky actions, and it has to run per client rather than once for everyone.

Explicit approval workflows require a real decision for sensitive operations. Rather than assuming consent from a broad earlier click, the system surfaces what is about to happen, with the specific action and target, and waits for a clear yes.

Consent expiration policies stop approvals from living forever. Permission granted for a task expires when the task ends, or after a set window, so stale approvals cannot be reused weeks later by a different session.

Action-level authorization scopes consent to the individual action rather than a whole category. Approving one fund transfer does not silently authorize the next ten. Each high-risk action stands on its own approval.

Securing Tool Permissions in MCP

Strong MCP authorization controls come together at the level of individual tool permissions, where the abstract policies meet the actual capabilities an agent can invoke.

Restricting sensitive tools means the highest-risk capabilities, anything that moves money, deletes data, changes access, or reaches production, are gated behind tighter rules, additional approval, and narrower eligibility than ordinary tools.

Context-aware authorization weighs the situation around a call, not just the call itself. The same tool might be allowed for a small, routine request and blocked for one that touches an unusual volume of records or an unexpected target.

Dynamic policy evaluation runs these decisions in real time, on every invocation, so policy keeps up with changing context and newly added tools instead of relying on a snapshot taken at deployment.

Securing MCP Server and Tool Execution Environments

Not even a well-defined, authorized tool can be considered a normal tool, so everything needs to be contained within an environment. Below, we provide the necessary capabilities to stop just one bad call from spreading: sandboxing, scope minimization, and runtime monitoring.

Sandboxing MCP Tool Execution

A Tool is allowed to run or not based on the Authorization. If a tool is allowed to run, it can perform actions that it is not supposed to (bug, maliciously included via a plugin, or successfully injected), but sandboxing will help mitigate the damage.

File system isolation localizes each tool to a separate portion of storage. A properly sealed tool only interacts with the folders that it should and is not allowed to read secrets or otherwise touch files that do not belong to it, and that gives the compromised tool insight only into folders that others are going to use too.

The ranges of what a tool can access over the wire are determined by the network restrictions. Revert default deny outbound rules, set an explicit deny list to cut off an attacker's path for SSRF, exfiltration, or command and control.

The processing of isolating tools from interfering with each other and the host. When running tools in separate containers or restricted runtimes, a crash or compromise in one does not affect the others.

Protecting agentic workflows links these together. Since agents run the tools they’ve added to the front of them, isolation needs to be maintained over the entire workflow, which could be many steps, and not just a single tool, so that one corrupted step does not stealthily do its part in the process.

Scope Minimization Strategies

The wider one adopts an agent's footprint, the fewer advantages an attacker has in respect of subverting the agents and their tools.

Denying run-time permission allows one to focus each tool on its core capabilities. None of the environment variables, credentials, or system calls to which it has no access.

By providing restricted exposure of data, tools trivially know only what they need. Pass The Field Only Required: Pass only the field(s) a tool requires; Mask & Tokenize Sensitive Values: Mask or Tokenize sensitive elements; Avoid Giving a Single Field to a Tool Requiring One Attribute: Avoid passing entire records to a tool that requires one attribute.

Minimizing access scope treats the same rigor to the connections. Every server is contacted by only the ones that it relies on, keeping the set of reachable servers more manageable and traceable.

Runtime Monitoring and Isolation for MCP

There are static controls that set out the boundaries. The reason that it is difficult to predict the autonomous behavior in anticipation is that the runtime protection of those bounds must be completed during the execution of the agents.

During monitoring sessions, a specific session is monitored as a whole – what it has been authorized to do, what it is actually doing, and if it is actually doing what it was authorized to do. The early signals include a drift between the two.

Tool invocation tracking keeps a log of all the tools invoked, as well as the parameters passed and the return codes and values, giving a full view of what tools were executed and the order in which they were executed. This leads to detection and subsequently investigation.

Behavioral anomaly detection is a comparison of activity to historical norms. Any agent that appears in at least one of the following circumstances will be flagged before the chain completes: Called tools that it didn't use before, appeared at a volume that it couldn't have tried before, or appeared in the wrong sequence to complete the task.

runtime policy enforcement is acting on those signals on the spot, pauses/cancels a call if it contravenes the policy, and yet does not merely log a violation afterward. A continuous process in which an AS keeps a close eye on its execution while also having enforceable guardrails around the AS eliminates the risk of an autonomous system going “off the rails” between the approvals. Least-privilege checks and marking of unauthorized invocations aren't only possible; there are even platforms like Akto that offer runtime monitoring and guardrail enforcement specifically for MCP and agent traffic.

MCP Supply Chain Security Best Practices

An MCP deployment inherits risks, whether those are risks of what it pulls, or here what it builds. The following areas are focused on plugin and dependency integrity, deployment pipeline, and open source "plugins" most MCP stacks rely on:

MCP Supply Chain Security Best Practices

Plugin and Dependency Integrity Validation

If an MCP deployment isn't as reliable as the code that's pulled, it won't be very reliable at all. All plugins and dependencies are entry points – so do not assume integrity, check it.

Dependency verification ensures that the packages installed are the ones you want and are the versions you've seen. Use pin versions to ensure consistency across builds, verify checksums/hashes with known good source, and rely upon lockfiles to keep things consistent and not silently replace them.

Signed plugins allow for verifying plugin origin and plug-ins that have not been changed since the author's release. Only load plugins that are signed by a known publisher and then only if the signature is valid; refuse loading unsigned plugins, or those signed by a different key than one they recognize.

Third-party risk validation: beyond the artifact—the source. Before you put a plugin in your agent's trust boundaries, evaluate the maintainer, how active they are in patching, how patches are applied, what permissions it requests, and whether or not it has any history.

Securing MCP Deployment Pipelines

Who ships the MCP can control what should be put into production, too, as can the pipeline that does that.

To protect the code in the deployment path, CI/CD security controls exist. Apply minimal privilege to build agents, enforce code review and signed commits, scan artifacts prior to release, and exclude build credentials from build code.

SPP increases the difficulty for an attacker to accomplish if he/she accesses the hosts. Deprive the MCP server of access to everything around it, remove unused services, patch prompt, and lock down management interfaces.

Set settings and review configurations with secure configuration management. Keep configuration as code, audit changes, and identify drifts – never let your production code sit silently, permanently deviating from the signed-off-hardened configuration.

Managing Open-Source MCP Risks

Many of the MCP ecosystems are open source (OSS), which includes the exposure specifics as a standard feature of OSS, but also benefits from speed and transparency. Open dependencies aren't an 'acquired' element to be accepted and forgotten — they are an element to be watched and managed.

Dependency scanning is automated checks against the known vulnerability databases; if there are vulnerabilities that need to be reported, they are reported to you through your tooling - not an incident.

Version management allows you to stay on supported and patched releases. See what you run, make plans for upgrades, and don't hold off so long that you become locked in on something in a vulnerable way.

Vulnerability monitoring extends scanning across time. New flaws are disclosed in components you already shipped, so continuous monitoring with timely alerts is what closes the gap between disclosure and patch.

Operational Monitoring, Logging, and Audit for MCP

The trick is in being able to prevent—there's a lot of that—but you've got to pay attention to what's happening to you and get back on it. Here, we let you know the events to watch for, continuous monitoring during agents' operations, and the audit trail that enables investigation.

Critical MCP Security Events to Monitor

People can't react to what they can't see. There is a focused set of signals that give information when an MCP deployment is in trouble.

If credentials are being guessed, or credentials are being stolen and reused in the cluster, or the client is misconfigured and is trying to sneak into the cluster in that way, then many more failures to authenticate will most often be recorded.

An unauthorized tool access event means that the client making the event access the tool is not allowed to do so, which could indicate a broken integration or an attempt to escalate.

Prompt injection indicators appear in a suspicious fashion in the inputs/tool outputs, such as instruction-like text within data fields, roll back on the role of the agent, or content that attempts to redirect the applications of the agent.

The other options record when the action contravened specific policies or was prevented by policies (case of violation), resulting in a record of attempts and the level at which your policies are effective.

Continuous Runtime Monitoring for MCP

Point-in-time checks don't capture the behavior that only occurs during the execution of agents. With Continuous runtime monitoring for MCP, you can monitor continuously throughout the entire lifespan of each session.

Session behavior analysis can establish a notion of the behavior of each session and alert when its behavior changes, e.g., a reporting session becomes issuing writes.

In autonomous action monitoring, what agents are doing, when they aren't being touched by humans – that's where unsupervised errors and manipulation manifest themselves.

The runtime threat detection identifies patterns of behavior, as well as signals, that come from different sessions and/or from different tools and that together form a whole attack, such as a series of small actions that escalate to an exfiltration attack.

Audit Logging and Forensics

If something does go wrong, it's only possible to recreate it based on the quality of your logs. If audit logging is robust, it can be useful for runtime monitoring for MCP beyond the moment.

Immutable audit trails are used to track all important events without being able to edit or delete them later. With the append-only storage, an attacker who gets into your systems will not be able to remove their entry quietly without closing the log.

Session replay can take a user step back and, call by call, recreate the session to see exactly what was seen and done throughout an incident, rather than try to piece it together from parts.

Incident investigation workflows transform the logs into action – a process with a clearly defined scope for investigating what went wrong and who was affected, and a set of actions to limit damage and consolidate learning from the incident and make it part of your controls.

Automated Runtime Protection and Continuous Security Testing for MCP

The pace of the manual review is not able to match the rate of change of MCP estates and/or the rate at which agents service them. Here we define a process that can be automated from discovery to posture management, through red teaming, runtime blocking, and continuous red team policy validation.

Continuous MCP Discovery and Asset Visibility

It's impossible to protect the MCP servers you don't know. Everything else depends on a foundation of continuous discovery.

Discovering MCP servers is more about actively discovering all servers that exist across cloud, on-prem, and developer environments, and not as a stale manual inventory that goes by the day they're written.

In measuring connected tools, you're actually measuring what each of your servers exposes and what each of your tools can reach, giving you a view of what they can actually do.

One of the dangers lurks when these types of unmanaged MCP deployments are identified. Those “backdoor” servers that you use because of ease, or are remnants of an experiment, are waiting out of your view until discovered. Akto's agentic security approach begins here: Automation identifies and catalogs MCP tools, servers, and agents on infrastructure and employee endpoints, and eliminates blind spots from unmanaged deployments.

MCP Posture Management

When you can "see" the MCP estate, the attitude administration retains it in a known-good state throughout time.

Security posture visibility provides an accurate snapshot of a server's configuration, authentication, and permissions when compared to your security baseline.

Imagine if a server you hardened at deployment fails to remain hardened for three months and is discovered later in the process because of configuration drift. Imagine a server that was hardened when it was installed becoming exposed three months later without anyone noticing a change because of configuration drift.

Runtime risk analysis prioritizes what is most important to fix, combining configuration weaknesses and usage of each server, and what is accessible.

Automated Red Teaming for MCP

The real test is extremely costly, waiting for a real attacker to find your weaknesses. Adversarial testing is conducted automatically against your MCP systems at all times to give you the edge in identifying gaps in your systems.

Adversarial prompt simulations conduct a wide variety of injection and manipulation attempts at your own agents, and determine how many can slip through your input handling and guardrails.

ABUSE Testing is testing whether attackers can get an agent to misuse valid tools, use them with malicious parameters, or use them in a way that the agent is not supposed to.

Tests for session hijacking push the session layer, trying to reuse tokens, tamper with contexts, and use them across sessions to ensure that your session controls are maintained under duress.

Runtime Blocking and Threat Prevention

For autonomous systems that need to act in milliseconds, detection that only reports is not sufficient. In runtime blocking, attacks are prevented during the attack.

Blocking Prompt Injection Attempts

Injection never makes it to the decision point because it is caught as an instruction-type element on the inputs to the model and removed or blocked from the output stream of the tool.

Preventing Unauthorized Tool Execution

All tools called are checked for policy at the moment of their call, not when they are logged, and if they are not permitted to be called, or their parameters are outside call policy, the call fails (or the policy is violated), and the call is aborted.

Detecting SSRF Exploitation Attempts

Outbound requests are inspected against allow-lists and internal-range rules, so an attempt to make a server fetch internal endpoints or metadata services is caught and refused at the point the request is made.

Stopping Session Hijacking Attacks

Session integrity checks validate that the identity, binding, and context of each request match the session that opened it, breaking off activity that shows the signs of a stolen token or a manipulated session.

Continuous Validation of MCP Security Policies

Controls decay. Reading the validation files will turn out that they still work-in fact, they work all the time, not just when they sign off. No matter how strong the MCP guardrails are, you have to keep testing them to ensure that they do fire.

When a new feature is added to the security test results, or a change is made to the accompanying config, this will likely cause the code to regress since the new feature might have been a case that was previously closed, but opened as of the current change.

There are policies that exist in a config file, but don't trigger; Runtime policy validation will ensure that the policy you write will endure in production. When combined with the ongoing detection of misconfiguration in the MCP, automated red teaming becomes an ongoing measure of policy, instead of a periodic review.

Show, at any time, that your live controls meet the standards & requirements to which you are accountable, with continuous compliance checks mapping your deployment to them.

MCP Security Checklist

Below, we have condensed into a format that one can run through for review or during a deployment sign-off. They break down into two categories: by the physical location of the control and by the device the client uses to connect to the control.

Server-Side MCP Security Checklist

This serves as a document to keep on hand for the server/servers you operate.

  • Ensure that all servers have strong authentication; don't use open or shared access, but instead use OAuth 2.0 or mTLS.

  • Verify and validate the Redirect URI and state parameters on all flows.

  • Only allow minimum access to tools to each agent, and require higher policies for sensitive tools.

  • Per-tool Isolation of file system, network and processes in Sandbox execution environments.

  • Continuously watch those items that run at runtime, such as watch sessions, tool calls, and anomalies.

  • Support attachment of immutable audit logs to record all the important change events happening to tamper-evident storage devices.

  • Prevent the loading of scans if there are known vulnerabilities or if the integrity of the plugin and/or the dependency is not confirmed.

  • Detect prompt injection attempts in the input as well as the outcome of the tools and block them in-line.

  • Check session integrity on every request; Validate IDENTITY, BINDING & CONTEXT. Use regression testing and automated red teaming to test MCP configurations continually.

Client-Side MCP Security Checklist

The responsibility of the client is to be assumed as well.

  • Ask specific users permission to perform sensitive actions; scoped to the actual action not a general category.

  • Limit the use of tokens to access services so the credentials are not shared with services that don't need them.

  • Trusted MCP servers must be validated before connecting, and identity and provenance should not be trusted by connecting to anything advertised.

  • Watch a client while in session for signs of manipulation or straying from the intended job task.

  • Expire long sessions with reasonable time periods, a stolen session wouldn't last long.

  • Ban untrusted update distribution. Client and Connector updates are distributed over trusted channels and are signed and verified.

Common MCP Security Pitfalls

Most MCPs occur from the same set of common errors and not from new exploits. The patterns listed below are the ones that you should first examine your deployment against.

Common MCP Security Pitfalls

Overly Broad Tool Permissions

Most common errors are giving agents too many capabilities as compared to what they need to do in their roles. If a server offers a large set of powerful tools to all of its clients, or an agent has a large set of powerful tools, on the other hand, then a small compromise becomes a large compromise. Understand the scope tools and revisit those scope tools with agents.

Weak Consent Enforcement

Many team discussions of consent as a one-off process instead of a per-action gate. Blanket authorizations, consent that lasts for any reason, and consent-by-cat–type, not allowing the user to only agree once for a specific action, mean that agents can act without the user ever agreeing to it.

Insufficient Runtime Visibility

There are numerous deployments that will tell you how an agent was deployed, but will not tell you what the agent is doing right now. If there isn't a session and tool event monitoring, manipulation, and errors occur in the background till they show in some other location.

Unsecured Third-Party Plugins

Trusting an MCP server simply out of convenience, without considering its source, the signatures, and its permissions, places untrusted code in your trust boundary. Plugin operation is in real sessions, and an unvetted one is an unmeasured risk.

Failure to Monitor Autonomous Actions

The activities of agents taken individually, from one man checkpoint to another, are the ones that are not monitored in many systems. Copernicus' unsupervised stretch is where injected instructions and flaws in reasoning become real, and therefore, deserve more, not less, monitoring.

Incomplete Session Isolation

If sessions are not well defined, they share permissions and context with each other. Proper isolation would close all the paths to reuse and hijack created through consent given in one session, and through the issues of tokens or through sharing the state from one agent to another.

Future Trends in MCP Security

MCP security is still nascent, and there are several ways in which it is going a great way. These are the changes that will most likely characterize the protection of agentic systems over the next several years.

Adaptive Runtime Security for MCP

As far as security for agentic systems, it's progressing towards the notion of dynamic, real-time adapted controls. Adaptive runtime security is stricter or laxer depending on its current seen level of risk: a more stringent check on a session that does something unusual, or largely unchecked, numerous actions that repeat frequently.

AI-Native Authorization Systems

Struggling agents reason and chain actions and authorization models designed for static services suffer from stress. Browse for the authorization intended for AI from the beginning, which can assess intent, context, and the semantics of a request, not just a predetermined set of acceptable endpoints.

Autonomous Threat Detection for Agentic AI

Detection is now going autonomous as attacks continue to become more sophisticated against agents. The agent-based systems that learn normal behavior and provide auto-detection for deviations will detect novel attacks that scanners will fail to do, at the same speed that agents travel.

Standardized MCP Security Frameworks

Early on, the MCP ecosystem had no uniformity around security. This is changing as shared frameworks, reference threat models, and common control standards become a reality, providing teams with a baseline to develop and assess.

The Future of Secure MCP Ecosystems

The focus is on ecosystems in which discovery, authentication, authorization, monitoring, and testing are inherent and assumed, and not bolted on. The secure-by-default deployment, the verifiable supply chain for the use of plugins, and continuous validation are going to be expected to be applied to any deployment of the MCP handling real systems and real data.

Final Thoughts on MCP Security Best Practices

Lack of identity causes innocence, unwanted action because of poor authorization and per-action consent controls, containment of action with sandboxing/scope minimization, surveillance, and ongoing testing are all critical: None of the controls is sufficient by itself.

A secure MCP architecture assumes that all agents are more-or-less unpredictable and defends against that potential by incorporating elements of least privilege, strict isolation, and complete visibility onto them from the first server, not as they emerged on the scene after the fact.

Agents have to work autonomously; they need to be interactive and quick, and sometimes they must work on questionable input; the run time is a crucial moment. The middleman between a manipulated agent and real damage is continuous protection that's able to identify and defend against an attack as it's occurring.

As the threats continue to evolve, the security posture will as well, and the idea is to get there. From this, Akto is able to gain the complete agentic stack; it discovers agents, their tools, and their links seamlessly, and has a probe library to automate the process of agentic red teaming, real-time agent runtime monitoring and guardrail enforcement into one execution platform, as well as has been mentioned in Gartner research papers about agent security. See how it secure your MCP and the agent ecosystem.

Important Links

Follow us for more updates

Experience enterprise-grade Agentic Security solution