# Research: MCP Security Ecosystem Review

- Date: 2026-02-09
- Researcher: joshuakirby (with Claude Opus 4.6 + Exa + WebSearch)
- ROADMAP Item: Future work (MCP hardening)
- Cross-References: CLAUDE.md 11.4 (OWASP Agentic Top 10), mcp_server.py, Market Research
## Questions Investigated
- What threats does the CoSAI MCP Security Taxonomy identify, and how do they map to AEGIS controls?
- What architecture patterns does Red Hat recommend for enterprise MCP deployments?
- Where does AEGIS already mitigate these threats, and where are gaps?
- What future work should AEGIS prioritize based on these findings?
## Source 1: CoSAI MCP Security Taxonomy

- Title: "Model Context Protocol (MCP) Security"
- Publisher: Coalition for Secure AI (CoSAI), OASIS Open -- WS4 (Secure Design Patterns for Agentic Systems)
- Approved: January 8, 2026 | Announced: January 27, 2026
- Co-Leads: Ian Molloy (IBM), Sarah Novotny
- Sponsors: EY, Google, IBM, Meta, Microsoft, NVIDIA, PayPal, Snyk, Trend Micro, Zscaler
- Source: GitHub (main)
### 1.1 The 12 Threat Categories (MCP-T1 through MCP-T12)
The taxonomy organizes ~40 distinct threats across 12 categories in three tiers.
#### Tier 1 -- MCP-Specific Threats (novel to AI agent-tool interactions)
| ID | Category | Key Threats |
|---|---|---|
| MCP-T4 | Input/Instruction Boundary Distinction Failure | Tool poisoning, full schema poisoning, resource content poisoning, prompt injection through MCP channels |
| MCP-T6 | Missing Integrity/Verification Controls | Typosquatting/confusion attacks, shadow MCP servers, supply chain compromise of tool definitions |
| MCP-T9 | Trust Boundary and Privilege Design Failures | Overreliance on LLM-level controls, consent fatigue, inadequate authorization |
#### Tier 2 -- Conventional Threats Amplified by AI Mediation
| ID | Category | Key Threats |
|---|---|---|
| MCP-T1 | Improper Authentication and Identity Management | Identity spoofing, credential theft, replay attacks, OAuth weaknesses |
| MCP-T2 | Missing or Improper Access Control | Privilege escalation, excessive permissions, confused deputy attacks |
| MCP-T3 | Input Validation/Sanitization Failures | Command injection, path traversal, insufficient integrity checks |
| MCP-T5 | Inadequate Data Protection and Confidentiality | Data exfiltration through unprotected channels or excessive tool permissions |
| MCP-T7 | Session and Transport Security Failures | MITM, CSRF, CORS bypasses, protocol security gaps |
| MCP-T8 | Network Binding/Isolation Failures | Unauthorized server instances, lateral movement, dependency attacks |
#### Tier 3 -- Operational and Supply Chain Threats
| ID | Category | Key Threats |
|---|---|---|
| MCP-T10 | Resource Management/Rate Limiting Absence | Denial-of-wallet attacks, resource exhaustion, DoS via payload/recursion |
| MCP-T11 | Supply Chain and Lifecycle Security | Compromised servers, malicious dependencies, update attacks |
| MCP-T12 | Insufficient Logging, Monitoring, and Auditability | Invisible agent activity, insufficient attribution, covert operations |
### 1.2 Recommended Security Controls (11 Families)
| ID | Control Family | Key Recommendations |
|---|---|---|
| 3.2.1 | Agent Identity | Cryptographic workload identities (SPIFFE/SPIRE), full traceability |
| 3.2.2 | Secure Delegation | OIDC, token exchange (RFC 8693), least-privilege scopes |
| 3.2.3 | Input Sanitization | Guardrails, context isolation, MCP "roots" for filesystem constraints |
| 3.2.4 | Cryptographic Integrity | Verify MCP server integrity through signatures and attestation |
| 3.2.5 | Sandboxing | Process-level isolation (stdio), network segmentation |
| 3.2.6 | Resource Verification | Signatures on tool definitions and resource content |
| 3.2.7 | Transport Security | TLS with mutual authentication, certificate pinning |
| 3.2.8 | Secure Tool Design | Minimal permissions, clear approval prompts, anti-fatigue UX |
| 3.2.9 | Human-in-the-Loop | Explicit user approval for high-risk operations |
| 3.2.10 | Logging | All tool invocations, resource accesses, authorization decisions |
| 3.2.11 | Lifecycle Governance | Discovery policies, vetting, shadow server prevention |
### 1.3 Real-World Incidents Referenced
- Asana AI (May 2025): Tenant isolation flaw affecting 1,000 enterprises
- WordPress AI Engine Plugin (June 2025): Privilege escalation, 100,000+ sites
- Supabase MCP: Prompt injection via support tickets enabled unauthorized DB exposure
- Anthropic Git MCP Server: Confirmed RCE vulnerabilities
## Source 2: Red Hat -- Building Effective AI Agents with MCP

- Title: "Building effective AI agents with Model Context Protocol (MCP)"
- Published: January 8, 2026 (updated January 13, 2026)
- Authors: Cedric Clyburn, Peter Double, Addie Stevens
- Source: Red Hat Developer

Companion:

- Title: "Model Context Protocol (MCP): Understanding security risks and controls"
- Author: Florencio Cano Gabarda (Red Hat Product Security)
- Source: Red Hat Blog
### 2.1 Enterprise Architecture: Four-Stage Progressive Promotion
| Stage | Name | Function |
|---|---|---|
| 1 | Registry | Secure staging: automated scanning, quarantine, metadata enrichment |
| 2 | Catalog | Curated collection: certified integrations discoverable by engineers |
| 3 | Playground | Safe sandbox: observe server behavior before production |
| 4 | Production (MCP Gateway) | Runtime enforcement: policy, RBAC, rate limiting, logging |
The MCP Gateway is the central runtime enforcement point -- applying policy rules, RBAC authorization, rate limiting, and comprehensive logging on all requests.
### 2.2 Key Thesis
Governance -- not protocol support -- is the bottleneck to enterprise MCP adoption.
Identity management, observability, compliance controls, and lifecycle management are all required beyond basic MCP. This directly validates AEGIS's design philosophy.
### 2.3 Security Threats Identified (Red Hat)
| Threat | Description | Prevalence |
|---|---|---|
| Tool poisoning / prompt injection via metadata | Malicious tool descriptions trick LLMs | HIGH |
| Rug pull attacks | Tools become malicious after gaining trust | MEDIUM |
| Command injection | 43% of popular MCP servers vulnerable (Equixly study) | HIGH |
| Over-permissioned tools | Excessive privileges increase attack surface | HIGH |
| Confused deputy | Servers act with elevated privileges without user context | MEDIUM |
| Supply chain attacks | Fake/compromised tools in MCP registries | MEDIUM |
| Unrestricted network access | Data exfiltration via uncontrolled outbound connections | MEDIUM |
### 2.4 Composable AI Assets Vision

Red Hat's long-term architecture treats four categories as independent, reusable components:

- Models (LLM providers)
- Agents (orchestration logic)
- Guardrails (safety/compliance layers)
- MCP Servers (tool interfaces)
These compose via an "AI Hub" unification layer, with planned "MCP-as-a-Service (MCPaaS)" for centralized hosting, observability, and auditing.
## AEGIS Control Mapping

### 3.1 CoSAI MCP-T to OWASP Agentic to AEGIS Controls
| CoSAI MCP-T | OWASP Agentic | AEGIS Control | Coverage |
|---|---|---|---|
| MCP-T1 (Authentication) | ASI03 (Identity Abuse) | BIP-322 two-key signatures, RBAC | STRONG |
| MCP-T2 (Access Control) | ASI03 (Identity Abuse) | RBACEnforcer fail-closed, YAMLRoleResolver | STRONG |
| MCP-T3 (Input Validation) | ASI02 (Tool Misuse) | _float_arg() None-safe helpers, gate input validation | MODERATE |
| MCP-T4 (Instruction Boundary) | ASI01 (Goal Hijacking) | Governance invariants (CLAUDE.md 11.2), frozen params | STRONG |
| MCP-T5 (Data Protection) | -- | PII encryption (12 fields), EncryptedField | STRONG |
| MCP-T6 (Integrity/Verification) | ASI04 (Supply Chain) | Ed25519 + ML-DSA-44 hybrid signatures | STRONG |
| MCP-T7 (Transport Security) | ASI07 (Insecure Inter-Agent) | stdio transport (local only) | PARTIAL -- no TLS for HTTP mode |
| MCP-T8 (Network Isolation) | ASI05 (Code Execution) | MCP server is stdio-only (no network listener) | STRONG (by design) |
| MCP-T9 (Trust Boundary) | ASI09 (Trust Exploitation) | Human approval checkpoints, ask-first triggers | STRONG |
| MCP-T10 (Resource Management) | ASI08 (Cascading Failures) | Kill switch, circuit breakers, _MCPRateLimiter token bucket | STRONG |
| MCP-T11 (Supply Chain) | ASI04 (Supply Chain) | Quality gates (ruff, bandit, mypy), safety check in CI | MODERATE |
| MCP-T12 (Logging/Audit) | ASI10 (Rogue Agents) | Telemetry pipeline, 100% logging coverage, hash-chained audit | STRONG |
### 3.2 Red Hat Architecture to AEGIS Mapping
| Red Hat Concept | AEGIS Equivalent | Alignment |
|---|---|---|
| MCP Gateway (runtime policy) | GateEvaluator + pcw_decide() | Both enforce policy at decision time |
| RBAC authorization | RBACEnforcer | Both role-based with fail-closed semantics |
| Progressive promotion lifecycle | Override workflow (initiate/sign/approve/execute) | Both staged with gates |
| Audit trail logging | Telemetry pipeline + HTTPEventSink | Both mandate comprehensive logging |
| Cryptographic signing | Ed25519 + ML-DSA-44 hybrid | AEGIS exceeds with post-quantum |
| Human-in-the-loop | Governance invariants, two-key override | Both require human approval for high-impact |
| Composable AI assets | AEGIS 5-component model (Guardrails, DOS, Rubric, OPUS, AFA) | Both decompose into composable layers |
### 3.3 Where AEGIS Exceeds Industry Recommendations
| Capability | CoSAI/Red Hat Recommend | AEGIS Implements |
|---|---|---|
| Cryptography | Standard digital signatures | Ed25519 + ML-DSA-44 post-quantum hybrid |
| Encryption | TLS for transport | X25519 + ML-KEM-768 hybrid KEM + AES-256-GCM at rest |
| Quantitative governance | Policy enforcement | 6 Bayesian gates with posterior probability |
| Drift detection | Monitoring (generic) | KL divergence with shadow mode calibration |
| Multi-model verification | Not addressed | PCW 3-model consensus (0.66 threshold) |
| Self-protection | Not addressed | CLAUDE.md 11.3 anti-erosion protocol |
| Kill switch | Not addressed | Autonomous halt on quality/security/governance violations |
## Identified Gaps and Future Work

### 4.1 Gaps in Current AEGIS MCP Implementation
| Gap | CoSAI/Red Hat Reference | Severity | Recommended Action |
|---|---|---|---|
| G1: ~~No MCP request rate limiting~~ ADDRESSED | MCP-T10, Red Hat Gateway | MEDIUM | Token bucket rate limiter added to mcp_server.py via _MCPRateLimiter; configurable via AegisConfig.mcp_rate_limit (default: 60 req/min, 0 to disable) |
| G2: ~~No TLS for HTTP telemetry sink~~ ADDRESSED | MCP-T7 (Transport Security) | LOW | HTTPEventSink and BatchHTTPSink now require https:// by default; allow_insecure=True escape hatch for local dev; MCP server rejects http:// telemetry URLs; production guide TLS section added |
| G3: No MCP tool description signing | MCP-T6, CoSAI 3.2.6 | LOW | Sign tool schemas with Ed25519; verify on client side (requires MCP spec evolution) |
| G4: No shadow MCP server detection | MCP-T6, CoSAI 3.2.11 | LOW | Not applicable in stdio mode; relevant if HTTP transport added |
| G5: No SPIFFE/SPIRE workload identity | CoSAI 3.2.1 | LOW | Enterprise deployment concern; document in production guide |
| G6: ~~No MCP request/response logging~~ ADDRESSED | MCP-T12, CoSAI 3.2.10 | MEDIUM | Structured audit logging added via TelemetryEmitter.emit_mcp_invocation(); every tool call emits mcp.tool_invocation event with params_hash (PII-safe), decision (ALLOW/DENY/ERROR), latency, caller_id |
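The G1 and G6 rows above describe a token-bucket limiter and a PII-safe invocation event. The block below is an added illustration of those two controls together, written for this review and not taken from the project's `_MCPRateLimiter` or `TelemetryEmitter.emit_mcp_invocation()`; `TokenBucket`, `params_hash` and `invoke_tool` are hypothetical names, and the `clock` parameter is an assumption added so the refill logic can be tested deterministically.

```python
import hashlib
import json
import time

# Constructed illustration of the G1/G6 controls with hypothetical names;
# not the project's _MCPRateLimiter or TelemetryEmitter.emit_mcp_invocation().

class TokenBucket:
    """`rate_per_min` tokens refill per minute; a rate of 0 disables limiting."""
    def __init__(self, rate_per_min: int, clock=time.monotonic):
        self.rate_per_min = rate_per_min
        self.clock = clock  # injectable clock (assumption) for deterministic tests
        self.tokens = float(rate_per_min)
        self.last = clock()

    def allow(self) -> bool:
        if self.rate_per_min == 0:  # mirrors "0 to disable"
            return True
        now = self.clock()
        refill = (now - self.last) * self.rate_per_min / 60.0
        self.tokens = min(float(self.rate_per_min), self.tokens + refill)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

def params_hash(params: dict) -> str:
    """PII-safe fingerprint: SHA-256 over canonical JSON, never the raw values."""
    canon = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def invoke_tool(limiter, tool, caller_id: str, params: dict, audit_log: list):
    """Rate-limit, run the tool, and append one mcp.tool_invocation event."""
    start = time.monotonic()
    result = None
    if not limiter.allow():
        decision = "DENY"  # over the limit: the tool never runs
    else:
        try:
            result = tool(**params)
            decision = "ALLOW"
        except Exception:  # failure is recorded, raw params still not logged
            decision = "ERROR"
    audit_log.append({"event": "mcp.tool_invocation", "caller_id": caller_id,
                      "tool": getattr(tool, "__name__", "tool"),
                      "params_hash": params_hash(params), "decision": decision,
                      "latency_ms": round((time.monotonic() - start) * 1000, 3)})
    return decision, result
```

Every call path, including the denied and the failed one, produces exactly one event, which is what the 100% logging coverage claim in 3.1 requires.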
### 4.2 Recommended Future Work (Priority Order)
| Priority | Item | Effort | Description |
|---|---|---|---|
| ~~1~~ | ~~MCP audit logging (G6)~~ | ~~4h~~ | ✅ COMPLETE (v4.5.4): emit_mcp_invocation() structured events |
| ~~2~~ | ~~MCP rate limiting (G1)~~ | ~~4h~~ | ✅ COMPLETE (v4.5.4): _MCPRateLimiter token bucket |
| ~~3~~ | ~~TLS enforcement documentation (G2)~~ | ~~1h~~ | ✅ COMPLETE (v4.5.5): _validate_sink_url() enforces HTTPS; allow_insecure escape hatch; MCP rejects http://; production guide TLS section |
| 4 | EU AI Act compliance mapping | 8h | Map AEGIS gates to Article 9 (risk management), Article 12 (record-keeping), Article 14 (human oversight) |
| 5 | CoSAI control cross-reference | 4h | Add CoSAI MCP-T mapping alongside OWASP Agentic in CLAUDE.md 11.4 |
| 6 | MCP tool schema signing (G3) | 8h | Sign tool definitions; blocked on MCP spec support for signed schemas |
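Item 3 above (G2) records that `_validate_sink_url()` now enforces HTTPS with an `allow_insecure` escape hatch. The block below is an added illustration of that fail-closed check, written for this review and not the project's own function; `validate_sink_url`, `InsecureSinkURLError` and `LOOPBACK_HOSTS` are hypothetical names, and restricting the opt-in to loopback hosts is an assumption that goes one step beyond what the table states.

```python
from urllib.parse import urlsplit

# Constructed illustration of an HTTPS-only sink check with hypothetical names;
# not the project's _validate_sink_url().
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}  # assumption: dev-only opt-in

class InsecureSinkURLError(ValueError):
    """Raised when a telemetry sink URL would ship events over a weak channel."""

def validate_sink_url(url: str, allow_insecure: bool = False) -> str:
    """Fail closed: https:// passes; http:// needs allow_insecure and a loopback host."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise InsecureSinkURLError(f"sink URL has no host: {url!r}")
    if parts.scheme == "https":
        return url
    if parts.scheme != "http":
        raise InsecureSinkURLError(f"unsupported sink scheme {parts.scheme!r}")
    if not allow_insecure:
        raise InsecureSinkURLError(
            "telemetry sink must use https:// (allow_insecure=True is for local dev only)")
    if parts.hostname not in LOOPBACK_HOSTS:  # assumption: opt-in never leaves the host
        raise InsecureSinkURLError(
            f"plaintext sink allowed only on loopback, got {parts.hostname!r}")
    return url
```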
### 4.3 Items Already Covered (No Action Needed)
| CoSAI/Red Hat Concern | AEGIS Coverage | Evidence |
|---|---|---|
| Authentication & identity | BIP-322 + RBAC | src/crypto/, src/rbac.py |
| Access control (fail-closed) | RBACEnforcer | Missing actor IDs = violation |
| Input validation | _float_arg(), gate validation | src/aegis_governance/mcp_server.py, src/engine/validation.py |
| Data protection / PII | 12-field encryption | src/telemetry/encryption.py |
| Cryptographic integrity | Ed25519 + ML-DSA-44 hybrid | src/crypto/hybrid_provider.py |
| Human-in-the-loop | Two-key override, governance invariants | src/workflows/override.py, CLAUDE.md 11.2 |
| Audit trail completeness | 100% logging, hash chain | src/telemetry/emitter.py, src/telemetry/pipeline.py |
| Prompt injection defense | Frozen params, schema validation | schema/interface-contract.yaml |
## Summary
Both the CoSAI MCP Security Taxonomy and Red Hat's enterprise MCP architecture validate AEGIS's design approach. AEGIS already implements STRONG controls for 8 of 12 CoSAI threat categories, with MODERATE coverage on 3 and PARTIAL on 1 (transport security in HTTP mode). The primary gaps are operational (MCP request logging, rate limiting) rather than architectural.
The most significant validation: Red Hat's thesis that governance is the enterprise adoption bottleneck -- not protocol support -- directly positions AEGIS as the missing piece in the MCP ecosystem.
## Sources

### CoSAI
- CoSAI MCP Security White Paper (GitHub)
- CoSAI Blog: Securing the AI Agent Revolution
- Adversa AI: MCP Risks -- Key Takeaways from CoSAI
- CoSAI Press Release (EIN Presswire)
### Red Hat
- Building effective AI agents with MCP (Red Hat Developer)
- MCP: Understanding security risks and controls (Red Hat Blog)
- What is MCP? (Red Hat)