Mapping the MCP attack surface: what we look for
Model Context Protocol servers and agent frameworks share one property that changes the security picture: they let a language model act. A tool call writes a file, hits an internal API, or runs a command. That capability is the whole point, and it is also the attack surface.
This is the first in a series of notes on what an AI-native security review should actually cover. It is deliberately about classes of exposure, not specific targets.
The shift: from wrong output to wrong action
Traditional prompt-injection framing worries about a model producing bad text. With tools attached, the concern is different: an injected instruction becomes a privileged action taken on the model’s behalf. The blast radius is whatever tools the agent can reach.
What we look for
- Tools without per-invocation authorization. If the agent asks and the tool runs, there is no boundary between “the agent decided to” and “an attacker convinced it to.”
- Over-broad scopes. A single tool that grants file writes, shell access, or arbitrary HTTP is far more capability than most tasks need. Excess scope is leverage.
- Injection paths that reach a real call. The interesting question is not “can you inject text” but “does that text reach a tool with side effects.”
- Confused-deputy chains. The agent holds credentials and trust the caller does not. Getting the agent to act is getting those privileges to act.
Why this is under-reviewed
The tooling most teams reach for was built for software that does what it is told. Agents do what they are convinced to do. That is a different threat model, and it deserves a review that starts from it.
We are building that review in the open. More notes to follow.