Comprehensive MCP Security Checklist: Protecting Your AI-Powered Infrastructure

With innovation comes risk. As organizations race to build AI-first infrastructure, security is struggling to keep pace. Multi-Agentic Systems – those built on Large Language Models (LLMs) and Multi-Component Protocols (MCP) - bring immense potential, but also novel vulnerabilities that traditional tools weren’t designed to handle. 

At Wallarm, we’re closely following emerging guidance around these new attack surfaces, including the recently released OWASP Multi-Agentic System Threat Modeling Guide v1.0. Drawing from those recommendations, we’ve compiled a practical MCP Security Checklist that outlines real-world risks and defensive best practices for securing AI-native environments. 

Click on the following links to navigate yourself through the checklist

T11 - Unexpected RCE and Code Attacks

In AI-native systems, agents aren’t just responding to queries; they’re generating and executing code. That opens the door to subtle and dangerous prompt injection. If an attacker injects malicious instructions like OS commands into a prompt, the LLM can unknowingly embed and execute them. Here’s how you can mitigate it:

• Restrict AI code generation permissions: Only allow code generation where absolutely necessary.
• Sandbox execution environments to prevent host-level compromise.
• Implement execution control policies to flag and hold AI-generated code with elevated privileges for manual review.
• Limit CPU, RAM, and execution time to fit the task’s scope.
• Apply least privilege: Only grant the minimum permissions needed.
• Limit access to system resources, such as file systems and networks.
• Use allowlists instead of blocklists to define what operations are explicitly permitted.
• Follow secure coding practices consistently across agent code and tooling.

T26 - Model Instability Leading to Inconsistent MCP Requests

When an LLM is unstable, it can cause the MCP client to send inconsistent or erratic requests to the MCP server, disrupting operations. For example, a model might attempt a task like building an SQL query but encounter an error. Instead of stopping, it retries the same malformed instruction repeatedly, generating excessive traffic to the backend. This instability can spiral into a denial-of-service issue. To prevent it: 

• Tool Invocation Limitation: Impose frequency and quantity limits per session or task.
• Rate Limiting: Use adaptive rate limits based on network conditions and agent activity.
• Prompt Engineering: Structure prompts with explicit formats and logic steps.
• Use Chain-of-Thought (CoT) prompting to guide models through step-by-step reasoning, reducing inconsistencies.

Remember: models don’t always know when they’re wrong, so your infrastructure needs to. 

T2 - Tool Misuse via MCP

Agents operating in MCP environments can access tool APIs to perform calculations, conversions, or business operations. But without proper validation, they can be tricked into using the wrong tool for the task, altering outputs or undermining trust. To mitigate this risk: 

• Enforce strict tool access verification and validate each invocation.
• Monitor tool usage patterns and detect anomalies.
• Different tools should have distinct permission sets.
• Limit each tool’s access to only what it needs.
• Run tools in contained environments to prevent cross-impact.
• Validate inputs, restrict function ranges, and block risky operations.
• Prevent naming collisions and unauthorized inter-tool access.
• Cap frequency and volume of tool calls.
• Include required types, measurement units, and runtime validation in documentation to ensure correct usage.

T40 - MCP Client Impersonation: Identity Management

In a distributed agent ecosystem, identity is everything. If a malicious actor obtains valid credentials, or if the system fails to verify an agent identity correctly, they can access privileged tools or data. To prevent this risk:

• Develop strong identity validation frameworks: Identity should be tied to more than a single credential.
• Use behavioral profiling to detect deviations in agent activity.
• Implement agent reputation systems that adapt over time and resist manipulation.
• Mandate PKI usage: Agents must authenticate via digital certificates issued by a trusted CA.
• Verify private key ownership to ensure the agent’s identity.
• Use secure communication protocols with agent-to-agent authentication.
• Enforce sandboxing and policy enforcement to contain compromised agents.

T30 - Insecure Communication in MCP Implementation

Poorly implemented communication protocols like JSCON-RPC and SSE may allow attackers to intercept, modify, or inject data in transit. For example, requests and responses between the MCP client and server are sent over unencrypted HTTP. An attacker manipulates responses, leading to invalid LLM outputs. Mitigating this risk involves: 

• Use secure communication protocols such as HTTPS and mTLS
• Validate certificate properties and authorities to prevent MITM attacks
• Enforce encryption and authentication on all MCP-related communications
• Continuously monitor traffic for unusual patterns, payload tampering, or injection attempts

T4 - Resource Overload

Attackers may overload AI systems with CPU, memory, or service requests to degrade performance or cause denial of service. For example, a malicious actor may trigger a large file read operation 100 times or send a pg_sleep(600) command to freeze database operations. You can mitigate this risk by: 

• Deploy resource management controls by allocating CPU, memory, and I/O budgets.
• Implement adaptive scaling with real-time monitoring
• Enforce AI rate limiting policies per agent session
• Set strict quotas for prompt size, task duration, and retries

T21 - Service Account Exposure

MCP service accounts may be misconfigured, allowing credential exposure through tools, logs, or file access. For example, an LLM connected to a tool that reads environment variables might inadvertently leak AWS credentials. You can prevent this by: 

• Automating PII and credential redaction, especially from logs or agent outputs
• Use fine-grained access controls per role and context
• Rotate credentials regularly to shorten the window of compromise
• Apply guardrails to prevent credential sharing or accidental exposure
• Apply the principle of least privilege for all access tokens and APIs

T22 - Selective Log Manipulation

Attackers can manipulate logging behavior to hide malicious activity or overwhelm systems with noise. For example, they could change log levels to DEBUG or TRACE to hide attacks, overload the log system with useless events, or disable logging functionality via configuration manipulation. Mitigation strategies include: 

• Implement cryptographic verification of logs to ensure integrity
• Use immutable log storage with strict access controls
• Enrich logs with metadata for deeper visibility
• Deploy anomaly detection that accounts for AI agents’ non-deterministic behavior

T3 - Privilege Compromise

Attackers can escalate privileges through misconfiguration, prompt injection, or manipulation of access logic. For example, a prompt could convince the LLM to assign admin privileges to the attacker, or a malicious user could downgrade admin group privileges to match user access levels. To mitigate this: 

• Enforce granular access controls at all layers
• Validate role changes dynamically and log all access elevations
• Block privilege delegation across agents unless preapproved
• Apply manual verification for high-risk operations
• Use layered defenses to prevent prompt injection and privilege abuse

T45 - Insufficient Isolation of MCP Server Permissions: Identity Management

If an MCP server has excessive access to host resources or the network, compromise can escalate across systems. For example, a vulnerable tool on the MCP server allows path traversal, exposing secrets from other services or MCP environments. To prevent this:

• Apply least privilege principles at the server level.
• Isolate agents and tools via sandboxing and resource boundaries.
• Enforce runtime monitoring and strict access enforcement to prevent escalation or lateral movement.

T47 - Rogue MCP Server in Ecosystem: Agent Identity Management

An attacker could deploy a malicious MCP server posing as a legitimate one. Agents connecting to this rogue server are then compromised. This is an ecosystem-level attack targeting the trust model of MCP. To mitigate this risk:

• Use Decentralized Identifiers (DIDs) for identity verification across services.
• Apply secure authentication protocols such as mutual TLS and DID-signed messages.
• Validate credentials with timestamps to prevent replay attacks.
• Maintain a trusted agent registry that can adapt to dynamic agent attributes.

Final Thoughts

Without robust security models, the flexibility of MCP and multi-agent systems becomes fragile. By aligning with OWASP’s threat modelling guide and following the recommendations above, organizations can build AI infrastructure that’s as secure as it is intelligent. 

Need help evaluating your risk exposure or building safer agent ecosystems? Request a demo today.