MCP Security for Enterprise Organizations: Real-world experiences and advanced defense
Article Brief
Why this article matters
MCP is being called the 'USB for AI'—but that universality is exactly what makes it a rich attack surface. This post catalogs the concrete threats (tool poisoning, RCE via powerful runtimes, prompt injection raids from ingested data, supply-chain typosquatting) and maps each to enterprise-grade defenses: Firecracker/gVisor isolation, ephemeral filesystems, zero-trust auth with mTLS and vault-backed secrets, and validation/rate-limit layers. You get a zoned reference architecture and curated links to the papers and tooling behind each recommendation.
Introduction
Hey, how are you? I hope you're doing great.
It's been literally one day since the whirlwind of Ekoparty and a little over a week since the community event we put together with the amazing team at ThreatX Security. This blog post will start on a more personal note before diving fully into the technical side of the MCP protocol, so you can get the full detail on what we could only briefly cover during the Ekoparty presentation.
On a personal level, it was my first talk at Eko. I gave it as part of the AI Resilience Hub village, created and driven with passion, love, and dedication by Dany and the team.
As we all know, Ekoparty — one of the most renowned security conferences in Argentina and LATAM — is synonymous with high standards, both in the caliber of the event and the speakers. It obviously varies a lot, but that perception is deeply rooted in the subconscious of the infosec community across Argentina and LATAM. And this is exactly what made me hesitate so much about even thinking about what I could share…
The creative process and the doubt
My initial idea was to create something novel, completely new and high quality, based on complex personal research, with many months invested and all the bells and whistles you can imagine. That was the ideal scenario (sometimes I think it might just be my excuse to do nothing), and those tend to be the best talks to watch because you can feel that extra layer of research and deep knowledge ownership.
In my case, it clearly wasn't like that, but the internal process did lead me to the conclusion that not everything has to be incredibly novel or complex (like the research on exploiting NVIDIA's CUDA — kudos to the researchers who presented that, it was spectacular!). Sometimes, what's truly valuable is showing a specific work and research process that can help someone else.
This led me to create "MCP Security for Enterprise Organizations", a talk that connects what I currently do at my company, my postgraduate thesis, and what I'm passionate about in this incredible world of infosec.
Advice from someone who takes the leap
If you're thinking about an idea, even superficially, and there's a part of you screaming "I want to do it!", DO IT. That discomfort is pure growth.
If you feel like presenting something, sharing your knowledge or research, reach out to me on LinkedIn or to any member of Threat X. We can make it happen in our space, our meetups, or find another event for your next great talk.
Wishing you all the best — keep pushing forward, we've got this!
Technical Section: MCP Security, Real-world Attacks, and Recommended Defenses
If you missed the talk or still have questions, here we'll dive deeper into the technical aspects.
What is MCP and why does it matter for AI agent security?
The Model Context Protocol (MCP) is the open standard that connects LLMs and AI agents with external tools, enabling automation, API calls, and secure data access. You can think of it as the "USB" for AI applications.
- Official spec: Github MCP
- Anthropic intro: Anthropic News
Key Components and Architecture
To understand the attack surface, we first need to understand the pieces on the board:
- MCP Server: Exposes tools (
tools), resources (resources), and prompts. It's the one that "has" the capability to act. - MCP Client: Makes invocations against the server, manages orchestration and validation. It's the "brain" that decides what to use.
- Transport: Can be local (STDIN/pipes) for maximum speed or remote (HTTP, SSE, WebSocket) for distributed architectures.
Rendering diagram...
The Threat Landscape: Documented Attacks
The MCP ecosystem introduces fascinating and dangerous attack vectors. It's not just about "hacking an API" — it's about hacking the logic of an agent.
1. Tool Poisoning & Spoofing What happens if the tool the agent thinks it's using isn't the real one?
- Injection: Injecting instructions into tool metadata to confuse the LLM.
- Spoofing: Fake MCP servers that mimic legitimate ones to intercept data.
2. Remote Code Execution (RCE) The classic, but supercharged. If an agent has permission to run scripts (like a Python MCP server), a malicious prompt can lead to arbitrary command execution, configuration file manipulation, and privilege escalation.
3. Prompt Injection Raids Indirect attacks where the payload doesn't come from the user, but from the data the agent reads (a document, a YouTube transcript, a Chroma DB vector database). The agent reads the data, gets "infected," and executes the malicious instruction.
Supply Chain Risk
Be careful with MCP packages in public repositories. There are already documented cases of typosquatting and fake packages on PyPI designed to steal environment credentials.
Modern Defense Strategies
Based on current field guides and frameworks (such as A2AS), these are the defense layers you should implement:
Isolation and Sandboxing Don't trust the default runtime.
- Use Firecracker or gVisor to isolate each tool execution.
- Implement ephemeral filesystem overlays (read-only or destroy-after-use).
- Strict Egress control: Why does your calculator need internet access? Block it.
Authentication and Secrets
- Zero Trust: Deny all access by default.
- Secret Rotation: Never mount tokens directly in persistent environment variables. Use Vaults and in-memory volume projection.
- mTLS: If using remote transport, secure the channel with mutual authentication.
Input Validation (Human-in-the-loop) Even though we automate, strict JSON-schema validation is vital.
- Use security Linters (semgrep) in real time on payloads.
- Implement Rate Limiting to prevent economic DoS attacks or brute force.
Secure Reference Architecture
A robust implementation should divide responsibilities into zones:
| Zone | Component | Controls |
|---|---|---|
| Zone 0 | Control Plane | Vault PKI, OPA Policies, Centralized observability. |
| Zone 1 | Fleet MCP | mTLS mesh, RO (Read-Only) filesystem. |
| Zone 2 | Tool Runtime | Strong isolation (MicroVMs), 5-minute lifespan. |
| Zone 3 | Downstream APIs | Minimum-scope tokens with restricted audience. |
Essential Resources
If you want to go deeper, here's the "bibliography" from the talk:
- Presentation: Download the talk PDF
- Research: Systematic Analysis of MCP Security (arXiv)
- Defense: A2AS Framework: Agentic AI Runtime Security
- Tools: MCP Safety Scanner
The world of AI agent security is just getting started. It's fertile ground for research, breaking things, and above all, building smarter defenses.
See you next time!
Test Your Technical Knowledge
MCP Security Recap
How does the post describe the role of the Model Context Protocol (MCP)?
Which attack type in the post refers to malicious instructions coming from data the agent reads, such as documents, transcripts, or vector databases?
Which defensive combination best matches the isolation strategy recommended for high-risk MCP tool execution?
AI Security Series
Part 4 of 5- 1Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection
- 2DemonAgent Exposed: Understanding Multi-Backdoor Implantation Attacks on LLMs
- 3A2AS: A New Standard for Security in Agentic AI Systems
- 4MCP Security for Enterprise Organizations: Real-world experiences and advanced defense
- 5Rules vs. Skills: Creating Secure AI Context in Engineering Teams
Continue Reading
Next steps in the archive
Newer article
Rules vs. Skills: Creating Secure AI Context in Engineering Teams
At my company we ran into a familiar question while scaling AI coding assistants: when should context live in a Rule or `CLAUDE.md`, and when does it deserve a Skill...
Older article
A2AS: A New Standard for Security in Agentic AI Systems
Reflection, explanation, and analysis of the A2AS paper, the BASIC model, and the A2AS framework, from the perspective of real-world challenges in controls and attack mitigation in AI Security and GenAI Applications.
Keep Exploring
Related reading
Continue through adjacent topics with the strongest tag overlap.
A2AS: A New Standard for Security in Agentic AI Systems
Reflection, explanation, and analysis of the A2AS paper, the BASIC model, and the A2AS framework, from the perspective of real-world challenges in controls and attack mitigation in AI Security and GenAI Applications.
Rules vs. Skills: Creating Secure AI Context in Engineering Teams
At my company we ran into a familiar question while scaling AI coding assistants: when should context live in a Rule or `CLAUDE.md`, and when does it deserve a Skill...
DemonAgent Exposed: Understanding Multi-Backdoor Implantation Attacks on LLMs
This blog post article about the great DemonAgent research paper shows how attackers can implant multiple backdoors in LLM-based agents and the technical mechanisms behind these attacks