Skip to content
← Research

Mapping the MCP attack surface: what we look for

Model Context Protocol servers and agent frameworks share one property that changes the security picture: they let a language model act. A tool call writes a file, hits an internal API, or runs a command. That capability is the whole point, and it is also the attack surface.

This is the first in a series of notes on what an AI-native security review should actually cover. It is deliberately about classes of exposure, not specific targets.

The shift: from wrong output to wrong action

Traditional prompt-injection framing worries about a model producing bad text. With tools attached, the concern is different: an injected instruction becomes a privileged action taken on the model’s behalf. The blast radius is whatever tools the agent can reach.

What we look for

  • Tools without per-invocation authorization. If the agent asks and the tool runs, there is no boundary between “the agent decided to” and “an attacker convinced it to.”
  • Over-broad scopes. A single tool that grants file writes, shell access, or arbitrary HTTP is far more capability than most tasks need. Excess scope is leverage.
  • Injection paths that reach a real call. The interesting question is not “can you inject text” but “does that text reach a tool with side effects.”
  • Confused-deputy chains. The agent holds credentials and trust the caller does not. Getting the agent to act is getting those privileges to act.

Why this is under-reviewed

The tooling most teams reach for was built for software that does what it is told. Agents do what they are convinced to do. That is a different threat model, and it deserves a review that starts from it.

We are building that review in the open. More notes to follow.