Table of Contents
1. Overview
2. What MCP Standardizes
3. Normative Authorization Controls
4. Where MCP Supports Security Engineering in Practice
5. Case Study: The First Malicious MCP Server
6. Using MCP to Structure Red-Team Exercises
7. Implementation-Focused Security Hardening Checklist
8. Governance Alignment
9. Current Adoption You Can Test Against
10. Summary
11. Resources Used in the Article
1. Overview
Model Context Protocol (MCP) is an open, JSON-RPC-based standard that formalizes how AI clients (assistants, IDEs, web apps) connect to servers, exposing three primitives—tools, resources, and prompts—over defined transports. MCP’s value lies in its explicit and auditable agent/tool interactions, with normative requirements around authorization that teams can verify in code and tests. This enables tight blast-radius control for tool use, repeatable red-team scenarios at clear trust boundaries, and measurable policy enforcement, provided organizations treat MCP servers as privileged connectors subject to supply-chain scrutiny.
2. What MCP Standardizes
An MCP server publishes three key elements:
(1) tools (schema-typed actions callable by the model), (2) resources (readable data objects the client can fetch and inject as context), and (3) prompts (reusable, parameterized message templates, typically user-initiated). Distinguishing these surfaces clarifies who is "in control" at each edge: the model for tools, the application for resources, and the user for prompts. These roles matter in threat modeling, because prompt injection most often targets the model-controlled path, while unsafe output handling occurs at the application-controlled joins.
MCP defines two standard transports—stdio (Standard Input/Output) and Streamable HTTP—and allows for pluggable alternatives. Local stdio reduces network exposure, while Streamable HTTP fits multi-client or web deployments and supports resumable streams. Treat the transport choice as a security control: constrain network egress for local servers and apply standard web authN/Z and logging for remote ones.
MCP formalizes the client/server lifecycle and discovery, enabling security teams to instrument call flows, capture structured logs, and assert pre/postconditions without bespoke adapters per integration.
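The lifecycle described above (initialize handshake, initialized notification, tools/list, tools/call, and a structured audit record per call) is easy to see in a minimal stdio server. The following is an added example written for this article, not code from the original page or from the MCP project: a newline-delimited JSON-RPC loop that answers the standard methods, enforces each tool's input schema before executing it, and appends a log record for every call. The protocol version string, the server name, the "lookup_ticket" tool and its ticket data are all constructed for the demonstration.

```python
import json
import re
import sys
import time
from typing import Any, Optional

PROTOCOL_VERSION = "2025-06-18"  # assumed spec revision for this example

# Constructed tool catalogue: one read-only tool with a strict input schema.
TOOLS = [
    {
        "name": "lookup_ticket",
        "description": "Return the status of an internal ticket id (constructed example).",
        "inputSchema": {
            "type": "object",
            "properties": {"ticket_id": {"type": "string", "pattern": "^T-[0-9]{1,6}$"}},
            "required": ["ticket_id"],
            "additionalProperties": False,
        },
    }
]
FAKE_TICKETS = {"T-1001": "open", "T-1002": "closed"}  # constructed data
AUDIT_LOG: list[dict[str, Any]] = []  # in-memory here; a real server would ship these to a SIEM


def audit(method: Optional[str], params: dict, outcome: str) -> None:
    """One structured record per message: what was called, with what, and how it ended."""
    AUDIT_LOG.append({"ts": time.time(), "method": method, "params": params, "outcome": outcome})


def _error(msg_id: Any, code: int, message: str) -> dict:
    return {"jsonrpc": "2.0", "id": msg_id, "error": {"code": code, "message": message}}


def _result(msg_id: Any, result: dict) -> dict:
    return {"jsonrpc": "2.0", "id": msg_id, "result": result}


def validate_args(schema: dict, args: dict) -> Optional[str]:
    """Tiny JSON Schema subset: required keys, additionalProperties, string type, pattern."""
    props = schema.get("properties", {})
    for key in schema.get("required", []):
        if key not in args:
            return f"missing argument: {key}"
    if schema.get("additionalProperties") is False:
        extra = set(args) - set(props)
        if extra:
            return f"unexpected argument(s): {sorted(extra)}"
    for key, value in args.items():
        spec = props.get(key, {})
        if spec.get("type") == "string" and not isinstance(value, str):
            return f"argument {key} must be a string"
        pattern = spec.get("pattern")
        if pattern and isinstance(value, str) and not re.fullmatch(pattern, value):
            return f"argument {key} does not match {pattern}"
    return None


def handle_message(msg: dict) -> Optional[dict]:
    """Dispatch one JSON-RPC message; return the reply, or None for notifications."""
    method = msg.get("method")
    msg_id = msg.get("id")
    params = msg.get("params") or {}
    if method == "initialize":
        audit(method, {"client": params.get("clientInfo")}, "ok")
        return _result(msg_id, {
            "protocolVersion": PROTOCOL_VERSION,
            "capabilities": {"tools": {}},
            "serverInfo": {"name": "demo-ticket-server", "version": "0.1.0"},
        })
    if method == "notifications/initialized":
        audit(method, {}, "ok")
        return None  # notifications carry no id and receive no response
    if method == "tools/list":
        audit(method, {}, "ok")
        return _result(msg_id, {"tools": TOOLS})
    if method == "tools/call":
        name = params.get("name")
        args = params.get("arguments") or {}
        tool = next((t for t in TOOLS if t["name"] == name), None)
        if tool is None:
            audit(method, {"name": name}, "unknown_tool")
            return _error(msg_id, -32602, f"unknown tool: {name}")
        problem = validate_args(tool["inputSchema"], args)
        if problem:  # precondition failed: refuse before touching any backend
            audit(method, {"name": name, "arguments": args}, f"rejected: {problem}")
            return _result(msg_id, {"content": [{"type": "text", "text": problem}], "isError": True})
        status = FAKE_TICKETS.get(args["ticket_id"], "not found")
        audit(method, {"name": name, "arguments": args}, "ok")
        text = f"{args['ticket_id']}: {status}"
        return _result(msg_id, {"content": [{"type": "text", "text": text}], "isError": False})
    audit(method, {}, "method_not_found")
    return _error(msg_id, -32601, f"method not found: {method}")


def serve_stdio() -> None:
    """stdio transport: one JSON-RPC message per line on stdin, replies on stdout."""
    for line in sys.stdin:
        line = line.strip()
        if not line:
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            sys.stdout.write(json.dumps(_error(None, -32700, "parse error")) + "\n")
            sys.stdout.flush()
            continue
        reply = handle_message(msg)
        if reply is not None:
            sys.stdout.write(json.dumps(reply) + "\n")
            sys.stdout.flush()


if __name__ == "__main__":
    serve_stdio()
```

Run it as a child process of an MCP client (or pipe JSON lines into it by hand) and every call, rejection and unknown method lands in AUDIT_LOG with the same shape, which is the property that lets a security team assert pre/postconditions without a per-integration adapter.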
3. Normative Authorization Controls
MCP’s authorization approach is unusually prescriptive and should be enforced as follows:
No token passthrough: Servers must not pass through the token they receive from the MCP client. Servers are OAuth 2.1 resource servers, and clients obtain tokens from an authorization server using RFC 8707 resource indicators, ensuring tokens are audience-bound to the intended server. This prevents confused-deputy paths and preserves upstream audit/limit controls.
Audience binding and validation: Servers must validate that the access token’s audience matches themselves before serving a request. This stops a client-minted token for “Service A” from being replayed to “Service B.” Red teams should explicitly probe for this failure mode.
4. Where MCP Supports Security Engineering in Practice
MCP supports security engineering through clear trust boundaries, containment and least privilege, and deterministic attack surfaces for red teaming. In practice this enables tight blast-radius control, repeatable red-team scenarios, and measurable policy enforcement.
5. Case Study: The First Malicious MCP Server
In late September 2025, researchers disclosed a trojanized postmark-mcp npm package that impersonated a Postmark email MCP server. Beginning with v1.0.16, the malicious build silently BCC-exfiltrated every email sent through it to an attacker-controlled address/domain. This incident underscores that MCP servers often run with high trust and should be vetted and version-pinned like any privileged connector.
6. Using MCP to Structure Red-Team Exercises
MCP can be used to structure red-team exercises, including prompt-injection and unsafe-output drills at the tool boundary, confused-deputy probes for token misuse, session/stream resilience tests, supply-chain kill-chain drills, and baselining with trusted public servers.
7. Implementation-Focused Security Hardening Checklist
Client side: Display exact commands, gate startup behind user consent, enumerate tools/resources, log every tool call and resource fetch, maintain an allowlist of servers with pinned versions and checksums, and deny unknown servers by default.
Server side: Implement OAuth 2.1 resource-server behavior, validate tokens and audiences, never forward client-issued tokens upstream, minimize scopes, prefer short-lived credentials, and choose the transport deliberately, applying its controls (egress constraints for local stdio servers, web authN/Z and logging for Streamable HTTP).
Detection & response: Alert on anomalous server egress and sudden capability changes between versions, and prepare break-glass automation to quickly revoke client approvals and rotate upstream secrets when a server is flagged.
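Two items on this checklist, the client-side allowlist with pinned versions and checksums, and the alert on capability changes between versions, are also the controls that would have caught the trojanized package in the case study above. The following is an added example written for this article, not code from the original page or from any MCP project. It records, at vetting time, a server's version, artifact checksum and a fingerprint of every tool's description and input schema, then denies anything unknown by default and flags any tool that appears, disappears or changes shape in a later tools/list. The server name "mail-mcp", its artifact bytes, tool names and schemas are constructed and do not describe the real package.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


def fingerprint_tools(tools: list[dict]) -> dict[str, str]:
    """Map tool name -> sha256 of its canonical description + inputSchema."""
    out = {}
    for t in tools:
        canon = json.dumps(
            {"description": t.get("description", ""), "inputSchema": t.get("inputSchema", {})},
            sort_keys=True, separators=(",", ":"),
        )
        out[t["name"]] = hashlib.sha256(canon.encode()).hexdigest()
    return out


@dataclass(frozen=True)
class PinnedServer:
    name: str
    version: str
    sha256: str                     # checksum of the reviewed artifact
    tool_fingerprints: dict         # tool surface recorded at review time


# Constructed: the artifact bytes and tool catalogue that passed review.
VETTED_ARTIFACT = b"constructed bytes standing in for the reviewed mail-mcp package v1.0.15"
REVIEWED_TOOLS = [
    {
        "name": "send_email",
        "description": "Send an email via the mail API (constructed).",
        "inputSchema": {
            "type": "object",
            "properties": {"to": {"type": "string"}, "subject": {"type": "string"}, "body": {"type": "string"}},
            "required": ["to", "subject", "body"],
            "additionalProperties": False,
        },
    }
]
ALLOWLIST = {
    "mail-mcp": PinnedServer(
        "mail-mcp", "1.0.15", hashlib.sha256(VETTED_ARTIFACT).hexdigest(), fingerprint_tools(REVIEWED_TOOLS)
    ),
}


def check_server(name: str, version: str, artifact: bytes) -> tuple[bool, str]:
    """Client-side gate before starting a server: deny by default, pin version and checksum."""
    pinned = ALLOWLIST.get(name)
    if pinned is None:
        return False, f"{name}: not on allowlist (deny by default)"
    if version != pinned.version:
        return False, f"{name}: version {version} differs from pinned {pinned.version}"
    digest = hashlib.sha256(artifact).hexdigest()
    if not hmac.compare_digest(digest, pinned.sha256):
        return False, f"{name}: checksum mismatch for version {version}"
    return True, f"{name}: approved at {version}"


def capability_drift(name: str, advertised_tools: list[dict]) -> list[str]:
    """Compare a live tools/list against the reviewed surface; return alert strings."""
    pinned = ALLOWLIST.get(name)
    if pinned is None:
        return [f"{name}: not on allowlist"]
    live = fingerprint_tools(advertised_tools)
    reviewed = pinned.tool_fingerprints
    alerts = []
    for n in sorted(set(live) - set(reviewed)):
        alerts.append(f"{name}: new tool '{n}' not present at review")
    for n in sorted(set(reviewed) - set(live)):
        alerts.append(f"{name}: tool '{n}' removed since review")
    for n in sorted(set(live) & set(reviewed)):
        if live[n] != reviewed[n]:  # same name, different description or schema
            alerts.append(f"{name}: tool '{n}' schema or description changed since review")
    return alerts
```

Fingerprinting the schema, not just the tool name, is the part that matters: a malicious update that keeps the tool list identical but adds a hidden parameter or changes a description still trips the alert, and the version/checksum gate refuses to start a build that was never reviewed.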
8. Governance Alignment
MCP’s separation of concerns aligns directly with NIST’s AI RMF guidance for access control, logging, and red-team evaluation of generative systems, and with OWASP’s LLM Top-10 emphasis on mitigating prompt injection, unsafe output handling, and supply-chain vulnerabilities.
9. Current Adoption You Can Test Against
Anthropic/Claude, Google’s Data Commons MCP, and Delinea MCP are examples of MCP implementations you can test against. They provide ready-made client surfaces for permissioning and logging, stable “truth sources” in red-team tasks, and practical examples of least-privilege tool exposure.
10. Summary
MCP is not a silver-bullet "security product" but a protocol that gives security and red-team practitioners stable, enforceable levers to constrain what agents can do, observe what they actually did, and replay adversarial scenarios reliably. Treat MCP servers as privileged connectors: vet, pin, and monitor them, because adversaries already target them as such. With these practices in place, MCP becomes a practical foundation for secure agentic systems and a reliable substrate for red-team evaluation.
11. Resources Used in the Article
– MCP specification & concepts
– MCP ecosystem (official)
– Security frameworks
– Incident: malicious postmark-mcp server
– Example MCP servers referenced