...

The MCP Security Survival Guide: Best Practices, Pitfalls, and Real-World Lessons


my stuff, then you know that not too long ago, I wrote a piece about the Model Context Protocol (MCP)—explaining what it is, how it works, and even walking you through building your own custom MCP servers. It was a deep dive into the shiny, promising world of agentic integration.

At the time, I was swept up by how elegant and powerful MCP felt. It was like discovering a universal adapter for AI agents (it is!)—finally, I could connect large language models to any data source, tool, or API with ease. Every use case suddenly looked like a perfect candidate for MCP: document generation, customer support automation, even managing cloud deployments.

Then the news started rolling in.

First, there was the GitHub MCP vulnerability—a flaw that let attackers exploit open-source MCP servers and siphon off user data. Then came the critical remote execution exploit that let unauthenticated users run arbitrary commands on hosts running improperly configured servers. And the cherry on top? Anthropic themselves had to patch a severe vulnerability in the official MCP inspector tool, which had quietly opened a backdoor on thousands of developer machines.

These weren’t theoretical risks. Real users—many just like me—were getting burned for trusting a shiny new thing a little too fast.

It was around this time my partner, who is deeply serious about security, asked me point-blank: “How in the hell is any of this secure? You’re just trusting random code from GitHub to run tools on your machine?”

That question stopped me cold. And it kicked off a long-overdue journey of digging into how other people were securing MCP—if they were at all.

I started reading the spec closer, looking at how enterprise users were configuring their deployments, checking out community write-ups and criticisms. What I found was equal parts encouraging and terrifying. Encouraging, because there are best practices and thoughtful security models being developed. Terrifying, because almost nobody was using them.

So I decided to write this guide.

MCP makes it incredibly easy to wire up an AI agent to do real, useful things—and that’s exactly what makes it a little dangerous. When something feels that seamless, most of us don’t stop to ask the hard questions about security. We just assume it’ll be fine… until it isn’t. Unless you’re someone who lives and breathes cybersecurity, chances are you didn’t think much about authentication, network exposure, or what happens if someone else finds your server. This guide isn’t here to kill the excitement—it’s here to help you use MCP without opening the door to trouble.


Table of Contents

  1. What “Secure MCP” Should Actually Mean
  2. How to Avoid Becoming the Deputy That Gets Played
  3. Case Studies: Learning from Real MCP Security Breaches
  4. General Critiques—It’s Not Just MCP
  5. Future Outlook: Evolving Security in MCP and Agentic Protocols
  6. References

What “Secure MCP” Should Actually Mean

MCP does have a few things going for it: built-in tool isolation, user consent prompts, and a local-first approach that keeps data on your machine unless you say otherwise. This is the part where the spec does its job.

But—and it’s a big but—none of that will save you if you’re out here YOLO-deploying your servers with root access, public ports, and no logging. That’s like putting a deadbolt on your front door and then leaving the keys in it. So let’s talk about what actual secure MCP usage looks like, according to Anthropic, the community, and people who’ve already learned these lessons the hard way.

How OAuth Works in MCP (Without Doing Anything Sketchy)

OAuth diagrams can feel like someone took a flowchart, spilled spaghetti on it, and decided that was good enough. Boxes everywhere. Arrows in all directions. Mysterious “consent cookies” floating around like they’re self-explanatory.

But at the heart of it, the idea is simple—especially if you’re using MCP and you care about not being creepy.

Image by author, inspired by Anthropic

Let’s say your MCP-powered app wants to access a third-party service on the user’s behalf—maybe Dropbox, maybe Notion, maybe some obscure SaaS tool the finance team swears by. The catch: you want to do it with the user’s consent, not by sneaking behind their digital back.

So here’s the flow—minus the spaghetti:

Step 0: The User Already Logged In

You’re not starting from scratch. The user has already authenticated with your system, so you’ve got the basics: identity confirmed, session running, good to go.

No need to ask them to prove they’re not a robot again.

Step 1: Actually Ask for Consent (Like a Decent System)

Now comes the important part—third-party access.

Instead of doing something shady like token scraping or pretending to be the user, you redirect them to the actual third-party authorization server. Think Google, Microsoft, or Dropbox—the real deal.

The third-party server pops up a consent screen:

“Hey, this app (via MCP) wants to access your data. Cool with you?”

The user reads it, thinks, “Sure, I trust this,” and clicks Approve.

Magic doesn’t happen yet—but a very important cookie does.

Step 2: The Consent Cookie and the Golden Ticket

Once the user approves, the third-party server sets a consent cookie for the mcp-proxy client. Think of it as a little flag that says, “Yes, this user gave explicit, non-coerced permission.”

Along with that, the server issues a 3P (third-party) authorization code and sends it back to the MCP Proxy Server. This code is like a golden ticket—limited-use, time-bound, but powerful enough to grant access.

Step 3: Code Exchange — The Secret Handshake

Now the MCP Proxy Server does what all good proxies do:
It takes the third-party authorization code and exchanges it for an actual access token — the thing that lets your app act on the user’s behalf.

But there’s a twist: the proxy also wraps that token into a format that the MCP Client can understand—a proper MCP authorization code. Basically: it translates it from “Dropbox-speak” to “MCP-speak.”

Step 4: Pass It Back (With Boundaries)

The Proxy sends the wrapped code back to the MCP Client.

Now, and only now, the MCP Client can use it to call tools or access data on behalf of the user. But—and this part is important—it can only do what the user consented to. No freelancing, no tool-hoarding, no “oops we accessed your calendar too” moments.


Why This Whole Thing Matters

This flow might look a bit complicated—but it’s designed that way for a reason.

  • It puts the user in control of what gets accessed.
  • It guarantees consent is real, not assumed.
  • And it avoids the horror movie scenario where the MCP Proxy becomes a silent middleman with superpowers.

Anthropic (and most people serious about agent security) recommend this pattern for a reason. If you’re building agent systems that interact with third-party APIs, this is the right way to do it—with transparency, with structure, and most importantly, with the user’s explicit say-so.

How Malicious OAuth Proxying Works (a.k.a. How to Impersonate a User Without Asking)

Sometimes, the most dangerous attacks don’t come from brute force. They come from confusion—not in the hacker, but in the system itself.

Enter the Confused Deputy Problem—a real thing with a real name, and yes, it sounds like something from a spaghetti western. But instead of a bumbling sheriff, we’ve got an OAuth proxy doing exactly what it was told… by the wrong person.

Image by author, inspired by Anthropic

Here’s how this kind of attack goes down:

Step 1: A Misleading Setup

Our attacker—we’ll call them EvilCorp (what can I say, I’m a fan of Mr. Robot)—starts by registering a legitimate-looking OAuth client with the third-party service. Think “TotallyRealApp, Inc.” with a redirect URI pointing to attacker.com.

The auth server approves it because, well, that’s how OAuth works—anyone can register a client.

Step 2: The Trap is Set

Next, EvilCorp sends the user a malicious link. This link looks normal on the surface—it references the legitimate mcp-proxy client ID—but it’s crafted to redirect to the attacker’s domain after authorization.

Here’s where things start to smell fishy.

Step 3: The Cookie That Lied

The user clicks the link. No red flags pop up, because they’ve previously given consent to mcp-proxy, and their browser still holds the consent cookie from that session.

So when the third-party server sees the request, it shrugs and says:

“Ah, this again? Cool, they’ve already approved it. No need to bug them.”

No consent screen. No confirmation. No idea they’re being targeted.

This is the confused deputy moment:
The third-party auth server is acting as the deputy. It thinks it’s helping the legitimate client (mcp-proxy) do its job.
But it’s actually helping the attacker—because it doesn’t realize it’s being misled about who initiated the request and where the result is going.

Step 4: The Token Goes to the Wrong Place

The third-party service sends the authorization code to the MCP Proxy Server (still thinking this is a normal flow).
The Proxy exchanges it for an access token, then wraps it into an MCP authorization code—standard procedure.

Then, the Proxy sends that MCP code to…
😬 attacker.com, because that’s the redirect URI EvilCorp snuck into the flow.

Congratulations: the attacker now has a fully authorized token tied to the user’s identity.

Step 5: The Attacker Becomes the User

With this MCP code, EvilCorp can impersonate the user. They didn’t need the user’s password. They didn’t need their approval. They just needed the system to confuse who was asking for what.

The proxy became the deputy—dutifully carrying out orders—without realizing it was working for the wrong sheriff.


Why This Is a Security Nightmare

This is what security folks (like Anthropic) call a Confused Deputy Problem:

  • The system that has the authority (the MCP Proxy) gets tricked into using it on behalf of someone who shouldn’t have it (the attacker).
  • The real user? Completely out of the loop.
  • Consent? Skipped.
  • Damage? Potentially massive — from unauthorized data access to rogue tool execution.

How to Avoid Becoming the Deputy That Gets Played

This isn’t a “we’ll fix it later” kind of bug. It’s a fundamental architectural risk if you don’t lock things down properly.

To avoid turning your proxy into an unwitting accomplice, Anthropic recommends a few security best practices:

Image by author

Authenticate Like You Mean It

Strong auth isn’t optional. It’s not a nice-to-have. It’s your entire defense line between “useful AI assistant” and “this thing just deleted my company database.” MCP now supports OAuth 2.1, so there’s no excuse.

Always treat MCP servers like protected resources. “MCP servers MUST validate the aud claim or resource parameter to confirm the token is intended for the resource being accessed.” Don’t let random clients connect and ask them to execute tools unless they can prove they’re allowed. Bonus points for using per-client API keys, dynamic registration, and actually verifying the token audience.

Do not—and I can’t stress this enough—reuse static client credentials across different services. That’s how you accidentally invent a confused deputy attack and make your entire architecture one bad token reuse away from going full Mr. Robot.

Thou Shalt Not Pass (User Tokens)

One of the worst anti-patterns? Token passthrough. Imagine a client hands an MCP server a raw cloud token, and the server just forwards it like “sure, bro, I trust you.” Now the logs are broken, the audit trail is gone, and you’ve bypassed all downstream rate limits.

The spec makes it clear—token passthrough is a no-go. Your server should either fetch its own tokens or thoroughly validate anything a client sends over. Every token needs to be tied to your server and used strictly for what it was meant for.

Validate Everything (And Then Validate It Again)

MCP servers often wrap local system tools. That’s great — until someone passes image.jpg; rm -rf /. Suddenly, your “image converter” is also a “file deleter.”

Validate all input. Do not interpolate strings directly into shell commands. Use subprocess.run([...], shell=False) or similar safe calls. Normalize paths. Whitelist formats. Assume the AI is trying to trick you—even if it isn’t. That’s just healthy paranoia.

This also applies to prompt injection. Sanitize incoming content. Wrap it. Audit it. MCP doesn’t magically make your LLM immune to prompt attacks. If anything, it makes them more dangerous by giving those prompts real-world power.

Run It Like It’s Malware (Because It Might Be)

MCP servers should run with the fewest permissions humanly possible. Don’t give them root. Don’t give them access to your entire file system. Don’t let them talk to the internet unless they absolutely need to.

Containerize them. Use AppArmor. Use a sandbox. Restrict APIs. Block egress. Just assume that one day, something will go wrong—and when it does, you want the blast radius to be a spark, not a crater.

A compromised MCP server with write access to your database isn’t just bad—it’s “regulatory breach with an apology blog post and 2FA codes getting reset”-bad.

Sessions Are Not Security

Sessions are for keeping track of context, not authenticating clients. Never treat session IDs as proof of identity. Never expose them in URLs. Always tie them to user identity and store them server-side.

MCP’s statefulness makes this a little tricky, especially across nodes. So yes, you’ll need to get creative: shard sessions by user, validate identity on each request, and don’t let a valid session on node A mean anything on node B without re-authentication.

Otherwise, welcome to session hijacking hell.

Verify Tools Like They’re Explosives

Just because someone published an “email-sender” MCP server doesn’t mean it only sends emails. It could log them. Or rewrite them. Or forward them to your boss with a helpful “I QUIT” note.

Read the code. Use trusted registries. Don’t auto-update from GitHub without checking diffs. For critical use cases, fork the tool and control the lifecycle yourself. Until the MCP ecosystem has signing, metadata, and reputation baked in, the burden is on you.

Basically: if you wouldn’t install a random binary from Reddit, don’t plug in a random tool from GitHub.

Log Like a Forensic Investigator

MCP isn’t like calling an API. Agents chain tool calls. They reason. They retry. You’ll want to know exactly what happened when things go sideways.

Log all tool calls, inputs, outputs, timestamps, and user approvals. Monitor outbound traffic. Watch for spikes. If your AI suddenly wants to call send_email 100 times at 3AM, maybe don’t sleep on that alert.

No logs = no visibility = no clue what the agent just did = good luck in the postmortem.

Humans Must Approve the Scary Stuff

This one’s obvious but often overlooked: AI should not delete files, send emails, or spend money without someone saying “yes, I want this.”

That doesn’t mean you need a 20-step approval flow. Just have a button. A prompt. Something. Even Claude Desktop requires you to approve tools one-by-one (unless you override that, which you shouldn’t).

Avoid consent fatigue. Batch low-risk approvals. Flag anything new or sensitive. Don’t let the AI train you to click “Allow” reflexively like a caffeine-deprived cookie pop-up zombie.


These best practices aren’t just nice ideas—they’re seatbelts. You don’t skip the seatbelt because the car’s fast. You wear it because the car’s fast. And MCP is very fast.

Now let’s look at some case studies of what happens when those seatbelts are missing…

Case Studies: Learning from Real MCP Security Breaches

To illustrate why these best practices matter, let’s examine a few real-world incidents and vulnerabilities that have emerged in the early days of MCP’s ecosystem. Each case highlights how failing to follow security guidelines can lead to serious consequences – and conversely, how applying the above best practices can prevent or contain the damage.

Case 1: Remote Code Execution via Exposed MCP Inspector (CVE-2025-49596)

Sometimes, security lessons arrive in the form of massive forehead slaps. One of the earliest—and most avoidable—MCP-related vulnerabilities was discovered July 2025, courtesy of the Oligo Security team. The target? Anthropic’s own MCP Inspector: a developer tool meant to make testing local MCP servers easier.

Instead, it made remote code execution easier.

The vulnerability—CVE-2025-49596—turned a local utility into an accidental attack surface. And all it took was a bad network config, no authentication, and a browser quirk with a catchy name: “0.0.0.0 Day.”

What Went Wrong (Spoiler: Basically Everything)

MCP Inspector runs two components: a local UI client (your browser) and a local proxy server (handling MCP calls). But here’s the problem:

  • The proxy server was listening on 0.0.0.0—which means every network interface, not just localhost.
  • It had no authentication.
  • It also lacked any kind of origin or cross-site request forgery (CSRF) protection.

Combine that with “0.0.0.0 Day”—a bug where some browsers treated 0.0.0.0 as localhost—and you’ve got a cocktail for remote code execution.

Oligo demonstrated that a malicious website could silently send commands to MCP Inspector using a cross-site request forgery (CSRF) attack. All the user had to do was… open a page. That’s it. No clicks. No warnings. Just vibes and root access.

Once exploited, the attacker could run shell commands, exfiltrate data, or burrow deeper into the system. All from the tool you installed to debug your AI agent.

The Fix (a.k.a. What Should’ve Been There in the First Place)

The patch—MCP Inspector v0.14.1—was a direct implementation of the same best practices you’ve read about 14 times in this post:

  • Authentication token required for every request
  • Origin and Host header validation to block CSRF
  • Session token verification before executing any action
  • Localhost-only binding — no more listening on the whole internet by default

With these guardrails in place, those “just visit this site to get pwned” exploits stopped working. Because the server finally checked who was talking to it—and stopped trusting every request like an overenthusiastic intern.

What We Learned (The Hard Way)

This breach was a greatest-hits album of rookie mistakes:

  • Trusting that “local” means “safe”
  • Exposing tools on open interfaces
  • Forgetting that browsers don’t care what you intended—only what’s possible

If the MCP Inspector had followed even a basic web app threat model, none of this would’ve happened. But because it was “just a local tool,” those precautions were skipped.

As Oligo Security put it:

“Developers unknowingly opened a backdoor to their machine by trusting a debug tool with no security.”

The takeaway? Every MCP interface—no matter how local, internal, or “just for testing”—needs real security controls. That means:

  • Require authentication
  • Validate request origins
  • Default to localhost
  • Don’t leave debug ports listening on the public internet

Because in 2025, even your dev tools can be attack vectors—and your browser may not have your back.

Case 2: Prompt Injection via SQLite MCP Server Exploit

Let’s rewind to late June 2025, when Trend Micro turned on the spotlight: one of Anthropic’s reference SQLite MCP server implementations—not production-grade—harbored a classic SQL injection flaw that morphed into a prompt injection nightmare. The blog headline says it all: “Why a Classic MCP Server Vulnerability Can Undermine Your Entire AI Agent”.

What Exactly Happened?

  • The repo had already been archived by May 29, 2025, but had been forked over 5,000 times before then.
  • The vulnerable engine built SQL queries by concatenating unsanitized user input with Python’s sqlite3 driver—no parameterization, no checks, just trust.
  • Enter prompt injection: the AI later reads database output and treats it as instructions. Cue malicious data disguised as a support ticket. The AI agent executes it—sending emails or deleting records—because it trusted “internal” data more than logic.

Sean Park from Trend Micro summed it up:

“AI agents tend to treat internal data as safe… so if an attacker embeds a prompt at that point, the agent may execute it unaware.”

In short: SQL injection isn’t just a data layer flaw anymore—it’s a command prompt waiting to spring.

Why It Was Especially Dangerous

  • The vulnerable server was openly available and meant as a reference, yet many reused it in real environments.
  • It carried a supply chain risk: code widely copied and never patched.
  • Anthropic explicitly said no fix will be issued—it was archived and marked “out of scope”.

That patch never happened, meaning vulnerabilities persist in the wider MCP world.

What Should’ve Been Done (And Still Can Be)

This attack chain—SQL injection → stored prompt injection → compromised agent workflows—demands layered defenses:

  1. Fix the server code: Use parameterized queries (never string-concat SQL) to sanitize inputs. It’s 2025, but OWASP basics still apply.
  2. Treat all stored content as untrusted: When your agent pulls content from a local DB, validate it like it came from a stranger. Check the data types, escape special characters, and use safe wrappers or delimiters before including it in prompts or tool calls. Just because you wrote it doesn’t mean it’s safe now.
  3. Require human approval for dangerous operations. Even after the AI processes internal data, any destructive command (e.g. deleting records or elevating privileges) should be gated behind a prompt or admin confirmation.

Trend Micro’s summary: if yesterday’s web-app mistakes slip into AI systems, an attacker gains a shortcut from SQL bug to full agent compromise.

Case 3: When Enterprise Integration Met the Real World

It’s one thing to prototype with MCP in a local dev loop. It’s another thing entirely when a billion-dollar company hooks it up to real user data. In 2025, several early enterprise adopters of MCP learned this the hard way—on live infrastructure, with real customers watching.

Asana: The “Oops, That Wasn’t Your Data” Moment

In June 2025, Asana quietly rolled out a new MCP integration: the goal was to connect AI agents to their product suite to power automation and smart assistant features. But shortly after launch, things took a wrong turn.

A bug in the system allowed one customer to access another customer’s data—a textbook multi-tenant access control failure. When Asana discovered the issue, they acted fast: integration shut down, fix deployed, affected customers notified. Full credit for transparency.

Still, the root cause was a classic: shared infrastructure without properly isolated auth tokens or data partitions. In an MCP world, where agents and tools can span tenants, these controls aren’t optional—they’re survival gear.

Lesson: If your MCP server serves multiple orgs, segregate everything.
That means:

  • Auth tokens scoped per tenant
  • Namespacing on tool invocations
  • Context boundaries the AI can’t cross
  • And no shared memory unless you really know what you’re doing

Atlassian: Living Off AI, Literally

Over at Atlassian, the team integrated MCP into Jira Service Management, aiming to bring AI into ticket handling and workflow orchestration. It worked—maybe a little too well.

Security researchers at Cato Networks’ Threat Labs took a closer look and discovered what they called a “Living Off AI” attack. The idea? Use prompt injection not just to hijack the AI’s response, but to abuse its access to backend tools—think scripting unauthorized actions by smuggling them into ticket comments or user fields.

Because the AI had elevated privileges and direct access to Jira APIs, a single poisoned prompt could trigger real, privileged behavior—without tripping the usual alarms. In a real incident, this could escalate quickly from “weird ticket reply” to “suddenly deactivated accounts and modified permissions.”

To Atlassian’s credit, the design had audit logs and bounded actions, so this was caught before it caused damage. But the report underscored something everyone needs to hear:

AI privilege != user privilege
Just because the AI can call a tool doesn’t mean it should do so unsupervised.

What These Incidents Really Tell Us

Enterprise adoption of MCP isn’t just about scaling—it’s about operationalizing security and trust. These real-world cases revealed that:

  • Multi-tenant MCP servers must enforce strict data and token isolation
  • Prompt injection isn’t theoretical when agents are hooked into real workflows
  • Privileged agents need bounded permissions and human-in-the-loop approvals

The good news? Both companies shared their experiences early—before things got worse. Their disclosures are a reminder that early transparency can be just as valuable as early adoption.


These cases above are just the tip of the iceberg. Trend Micro’s survey uncovered 492 MCP servers publicly exposed—none with client authentication or encryption—offering unfettered access to internal APIs, proprietary data, and backend systems, many hosted in public cloud environments like AWS and GCP.

Their research warns: these are not theoretical vulnerabilities. Exposed servers often act as direct backdoors into confidential systems, sometimes enabling attackers to list, modify, or delete cloud infrastructure using hardcoded credentials or wide-open tokens.

General Critiques—It’s Not Just MCP

A lot of what’s going wrong with MCP security isn’t new—it’s the same old web risk in a flashier package. Think of MCP servers like third-party desktop plugins or browser extensions: easy to install, easy to trust… until they’re not.

The danger? “MCP is standardized, so it must be safe” thinking—when in reality, defaults were wide open. Thought leaders in AI security emphasize that traditional security principles still apply:

Moreover, the design of MCP made trade-offs—favoring usability over strict security. That made life easy for developers until attackers started treating MCP servers like entry points. Now, developers are tightening default security settings, making token pass‑through forbidden by default, and hardening recommendations in the specification itself .

Future Outlook: Evolving Security in MCP and Agentic Protocols

Right now, MCP and its cousins (similar agentic protocols such as Agent2Agent, ANP, Agora, etc.) are like teenagers with superpowers—capable of amazing things, but still figuring out boundaries, safety rules, and how not to blow up the house. But things are maturing fast. The next generation of agent protocols will be less “duct tape and hope” and more “zero trust by design.”

Here are some ways we can expect things to evolve:

Image by author

Stronger Identity and Trust Models

Currently, if you show up with a working token, the MCP server shrugs and says, “Good enough.” That’s fine for now—but long term, we’re heading toward a zero-trust model, where identity is verified not just once at login, but on every single tool call.

We may see concepts like agent identity tokens that cryptographically identify not just the human user but the specific agent or chain-of-tools involved, allowing finer access control. Other agent protocols (e.g. inter-agent communication standards like A2A or ANP) are being designed with structured handshakes for every interaction. This means when Agent A wants to talk to Agent B, they perform a capability negotiation and auth exchange each time, ensuring neither blindly trusts the other without verification. Such patterns could inform a future MCP 2.0 where every tool execution request carries a proof of the caller’s authenticity and perhaps intent. Also, as industry consortia get involved, we might see standard schemas for agent identity (similar to how OIDC standardizes user identity claims).

Granular Permissions and Automatic Sandboxing

Future versions of MCP are likely to include first-class support for permission scopes. Imagine an MCP schema declaring: “This server provides a delete_file action—it requires admin privileges.” An AI client could then enforce that only certain roles or approved agents can call that action. Granular permissioning was noted on the MCP roadmap as an area of exploration (e.g., “granular permissioning for human-in-the-loop workflows”). Moreover, we can expect automated sandboxing to become standard. Think of it like browser extension permissions—but for tools like send_email or modify_infrastructure. Some proposals suggest that MCP servers could declare a “safety profile” – e.g., whether they perform file writes, network calls, etc. – and AI runtimes could then automatically run more dangerous servers in isolated sandboxes or VMs. This way, even if an MCP server is compromised, the harm is contained. The concept is analogous to web browser extensions that run in isolated contexts with only specific allowed API calls.

Integrated Audit and Traceability

If we want to trust agents with real work, we need to know what they did, when, and why. In the future, agent protocols like MCP may include built-in tracing, telemetry, and audit hooks—so when your AI assistant deletes 4,000 rows from the CRM, there’s a paper trail.

For example, an MCP request could carry a session fingerprint or trace token that all components must log, making it simpler to correlate events. Efforts could align with initiatives like OpenTelemetry—envision standardized telemetry for AI agent action. Security frameworks might also coalesce around a common event format for AI agent activity (much like Open Cybersecurity Schema Framework (OCSF) created a common format for security logs). The result? You can finally debug your agents without needing a prompt archaeologist.

Policy and Governance Layers

Just like we have firewalls and access control lists for networks, we’re going to need AI governance policies for agents. Think:

  • “Agent may not access financial APIs between 10pm–6am.”
  • “Never output more than 100 rows from a database unless redacted.”
  • “No, you can’t delete the production environment on a Friday.”

These rules won’t live inside the agent—they’ll sit above it, enforced by governance services or agent policy gateways (some of which already exist, like Zenity‘s policy-layer observability tooling).

In tandem, expect education and culture to evolve: organizations will craft AI acceptable usage policies. Just like we have HR policies for employee behavior, orgs will start publishing AI behavior guidelines—and protocols like MCP will need enforcement points to match.

Cross-Protocol Security Consistency

As MCP evolves, it won’t live alone. Agent protocols like A2A (for multi-agent collaboration), Agora (for open marketplaces), or even robot communication protocols are emerging—and they all need to play well together.

That means:

  • Shared security context across protocols
  • User identity and permission propagation between agent layers
  • Avoiding “loophole attacks” where an agent switches protocols to bypass policy

We’ll probably see security brokers that mediate between protocols—ensuring core security principles (auth, audit, allowlists, etc.) apply no matter where the agent operates. And yes, standards bodies like IETF or IEEE might eventually step in with the “Agent Security Best Practices RFC 9001.”

Until then, we’re stitching it together ourselves.

Continuous Community Involvement

Finally, the future of MCP security will be heavily influenced by community involvement. The current trajectory—with open RFCs, public debates, and rapid responses to discovered issues—is encouraging. We can expect more SEP (Standard Enhancement Proposal) submissions focusing on security (for instance, an SEP for a standardized permission schema, or an SEP for encrypted invocation contexts, etc.).

Security researchers, industry leaders, and devs are already shaping the protocol’s direction through:

  • Publicly disclosed flaws and postmortems that actually help others
  • Open-source audits and patches
  • Contributions from teams like Trail of Bits, and Protect AI
  • Blog posts and community debates (see: Omar Santos, Cisco)

Eventually, we may even get certified secure MCP server implementations—complete with an audit badge and a comforting checklist.

Until then, security in MCP isn’t a solved problem—it’s a live one. But at least we’re not pretending anymore.


MCP and its fellow agentic protocols are ushering in a new era of AI capabilities—one where AI agents don’t just think and speak, but act on our digital behalf. With that comes a blending of application security, API security, and AI safety concerns unlike anything before. The best practices we’ve outlined here boil down to a simple ethos: treat your AI agents as you would a new junior employee with root access – give them only the access they need, watch what they’re doing, and double-check when they try something risky. The community’s experiences so far show that when we do that, we can reap the benefits of MCP’s flexibility without opening the door to chaos. By building in security from the ground up—and continuously iterating on it as threats evolve—we can enable the future of agentic AI with confidence and control.

References

  1. Anthropic. (2024). Model Context Protocol (MCP) Security Best Practices. https://modelcontextprotocol.io/specification/draft/basic/security_best_practices
  2. Anthropic. (2024). MCP Specification – Draft. https://modelcontextprotocol.io/specification/
  3. CyberNews. (2025). GitHub MCP vulnerability has far-reaching consequences. https://cybernews.com/security/github-mcp-vulnerability-has-far-reaching-consequences/
  4. The Hacker News. (2025). Critical MCP remote vulnerability allows unauthenticated RCE. https://thehackernews.com/2025/07/critical-mcp-remote-vulnerability.html
  5. GBHackers. (2025). Anthropic MCP Inspector vulnerability exposes developer machines. https://gbhackers.com/anthropic-mcp-inspector-vulnerability/
  6. The Hacker News. (2025). Experts uncover critical flaws in MCP and A2A protocols. https://thehackernews.com/2025/04/experts-uncover-critical-mcp-and-a2a.html
  7. Trend Micro. (2025). MCP security: Network-exposed servers are backdoors to your private data. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/mcp-security-network-exposed-servers-are-backdoors-to-your-private-data
  8. Trend Micro. (2025). Why a classic MCP server vulnerability can undermine your entire AI agent. https://www.trendmicro.com/en_ca/research/25/f/why-a-classic-mcp-server-vulnerability-can-undermine-your-entire-ai-agent.html
  9. Cato Networks. (2025). CTRL+PoC: Attack targeting Atlassian’s MCP shows risks of connected AI action. https://www.catonetworks.com/blog/cato-ctrl-poc-attack-targeting-atlassians-mcp/
  10. CyberArk. (2025). Session hijacking in distributed AI agent systems. https://www.cyberark.com/resources/threat-research-blog/session-hijacking-ai-agents
  11. Strobes Security. (2025). Command injection flaws in 2025-era MCP agent tools. https://www.strobes.co/blog/mcp-agent-rce-analysis
  12. Trail of Bits. (2025). MCP security insights and audits. https://blog.trailofbits.com/categories/mcp/
  13. Protect AI. (2025). Security frameworks and telemetry standards for agent systems. https://protectai.com/research
  14. Wiz.io. (2025). Secure LLM deployment patterns. https://github.com/wiz-sec
  15. Zenity. (2025). AI governance with policy-driven agent enforcement. https://zenity.io
  16. Anup.io. (2025). The agentic protocols that will define AI infrastructure. https://www.anup.io/p/the-agentic-protocols-that-will-define
  17. RFC Editor. (2020). RFC 8707 – Resource Indicators for OAuth 2.0. https://datatracker.ietf.org/doc/html/rfc8707
  18. OpenTelemetry. (2024). OpenTelemetry observability framework. https://opentelemetry.io
  19. OpenID Foundation. (2014). OpenID Connect Core 1.0. https://openid.net/specs/openid-connect-core-1_0.html
  20. OCSF Project. (2024). Open Cybersecurity Schema Framework. https://www.ocsf.io/
  21. GitHub. (2025). mcp-stack: Secure MCP implementation examples. https://github.com/mcprotocol/mcp-stack
  22. GitHub. (2025). LangGraph: Workflow orchestration for agents. https://github.com/langchain-ai/langgraph
  23. Hacker News. (2025). Community discussions on MCP agent security. https://news.ycombinator.com/
  24. Think Robotics. (2023). Robot communication protocols: A comprehensive guide. https://thinkrobotics.com/blogs/learn/robot-communication-protocols-a-comprehensive-guide
  25. Noqta. (2025). Agent security architectures – Cisco community blog by Omar Santos. https://www.noqta.tn/blog/secure-agent-interaction-architecture

Copyright Notice
© 2025 Hailey Quach. All rights reserved.
This article and its contents are protected under copyright law. You are welcome to reference or quote portions of this work with clear attribution and a link back to the original source. However, no part of this publication may be reproduced, republished, or redistributed in full—whether in print, digital, or derivative form—without prior written permission from the author. Unauthorized use may result in legal action.

Source link

#MCP #Security #Survival #Guide #Practices #Pitfalls #RealWorld #Lessons