What is an MCP Security Proxy?
“MCP gives AI agents a hand. A security proxy determines whether that hand can be turned against you.”
The Problem: MCP Was Built for Capability, Not Defense
The Model Context Protocol (MCP) has become the dominant standard for connecting AI agents to external tools — filesystems, APIs, databases, and shell environments. By mid-2026, over 200,000 MCP server instances are estimated to be directly exposed to the internet, and security researchers have catalogued active CVEs with CVSS scores of 9.8 in production deployments.
The core architectural issue: MCP was designed for capability, not for defense. It exposes a rich surface of tool calls that an AI agent can invoke on the basis of text instructions alone. When those instructions can be manipulated — via prompt injection, poisoned retrieval context, or malicious MCP server responses — the consequences are not theoretical.
What an MCP Security Proxy Does
An MCP security proxy is an interception layer that sits between the AI agent and the MCP server. Every tool call is inspected before it reaches the upstream server. If the call violates policy, the agent receives a standard error and the upstream server never sees the request.
Real Attack Scenarios
Prompt Injection → Tool Hijacking
An attacker embeds adversarial instructions in a document the agent is summarizing. The instructions redirect the agent to invoke a file-deletion tool on critical system files. Without a proxy, the MCP server executes the command. With a proxy, the tool call is intercepted, the adversarial pattern is detected, and the call is blocked before execution.
SSRF via Tool Parameters
An agent with a web-fetch tool is instructed to target an internal cloud metadata endpoint (169.254.169.254) to exfiltrate IAM credentials. A proxy with network destination allowlists blocks all requests to internal IP ranges before the HTTP request leaves the agent environment.
Path Traversal in Filesystem Tools
A file-read tool is called with ../../etc/passwd to read sensitive files outside the intended working directory. A proxy normalizes paths and enforces sandbox boundaries, blocking any traversal sequence before it reaches the filesystem.
Metadata Poisoning
A compromised MCP server returns a poisoned tools/list response with hidden malicious tool definitions. The proxy inspects server metadata before it reaches the downstream model, filtering unauthorized or anomalous capabilities.
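The four scenarios above all reduce to the same proxy operation: parse the agent's JSON-RPC tools/call request and decide before forwarding it. The following is an added example of that decision logic, not McpVanguard's code; the tool names (read_file, fetch), the sandbox root and the -32000 error code are constructed for the example.

```python
import ipaddress
import json
import os
from urllib.parse import urlsplit

# Constructed policy: tool names, sandbox root and error code are assumptions.
ALLOWED_TOOLS = {"read_file", "fetch"}
SANDBOX_ROOT = "/srv/agent/workspace"

def path_in_sandbox(path: str) -> bool:
    """Resolve the path against the sandbox root and require it to stay inside."""
    full = os.path.normpath(os.path.join(SANDBOX_ROOT, path))
    return full == SANDBOX_ROOT or full.startswith(SANDBOX_ROOT + "/")

def destination_allowed(url: str) -> bool:
    """Allow only http(s) to globally routable literal IPs; link-local (the
    169.254.0.0/16 metadata range), RFC1918 and loopback are rejected.
    Hostnames pass here; a real proxy must also resolve and re-check them."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return True
    return ip.is_global

def evaluate(request: dict) -> tuple:
    """Return (allowed, reason) for one JSON-RPC request from the agent."""
    if request.get("method") != "tools/call":
        return True, "not a tool call"
    params = request.get("params") or {}
    name = params.get("name")
    args = params.get("arguments") or {}
    if name not in ALLOWED_TOOLS:
        return False, "tool not allowlisted: %s" % name
    if name == "read_file" and not path_in_sandbox(str(args.get("path", ""))):
        return False, "path escapes sandbox"
    if name == "fetch" and not destination_allowed(str(args.get("url", ""))):
        return False, "destination not permitted"
    return True, "ok"

def proxy(raw: str) -> str:
    """Forward the request unchanged, or answer the agent with a JSON-RPC error
    so the upstream server never sees a blocked call."""
    req = json.loads(raw)
    allowed, reason = evaluate(req)
    if allowed:
        return raw
    return json.dumps({"jsonrpc": "2.0", "id": req.get("id"),
                       "error": {"code": -32000, "message": "blocked by policy: " + reason}})
```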
A Five-Layer Defense Architecture
Effective MCP security cannot rely on a single control. The NIST AI Risk Management Framework recommends defense-in-depth for AI systems: multiple independent controls, each of which reduces risk on its own and which compound when combined.
Transport Isolation
MCP servers should never be directly reachable from the internet. Place them behind an authenticated proxy. Enforce mTLS between agent runtime and MCP server.
Deterministic Rule Enforcement
A rules engine at the proxy layer evaluates every tool call before execution. It allowlists permitted tool names and their schemas and matches arguments against known attack signatures.
Semantic Intent Scoring
Rules catch known patterns. A semantic layer catches unknown ones. Each tool call's arguments are scored against the session's declared intent.
Behavioral Monitoring
Track tool call frequency, argument variance, and sequence patterns per session. Rate limits and behavioral anomaly detection catch exfiltration and misuse that rules miss.
Evidence Sealing
Every permitted and denied tool call is written to a tamper-evident audit log. Cryptographic commitment ensures the log cannot be retroactively modified.
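One concrete form of the sealing layer, as an added example and not McpVanguard's implementation: a SHA-256 hash chain in which each decision record commits to the digest of the record before it. The record fields are assumptions; the point is that verify() fails if any earlier record is edited, reordered or dropped.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor value for the first record's "prev"

def _digest(body: dict) -> str:
    # Canonical JSON so a verifier re-hashes exactly the bytes that were committed.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log in which every record commits to its predecessor's digest,
    so modifying or removing an earlier record breaks every later link."""

    def __init__(self):
        self.entries = []

    def append(self, decision: str, reason: str, request: dict) -> str:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "decision": decision,
                "reason": reason, "request": request, "prev": prev}
        digest = _digest(body)
        self.entries.append({**body, "digest": digest})
        return digest

    def head(self) -> str:
        """Latest digest. Publishing this value externally (e.g. to a timestamping
        service) is what stops silent truncation of the tail, which the chain
        alone cannot detect."""
        return self.entries[-1]["digest"] if self.entries else GENESIS

    def verify(self) -> bool:
        """Re-walk the chain from GENESIS; any edit, reorder or deletion is detected."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True
```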
How McpVanguard Implements This
McpVanguard is an open-source MCP security proxy built around deterministic enforcement, with optional semantic and session-level controls. It can be introduced without changing existing MCP server implementations and works in both local stdio mode and hosted gateway mode.
Wrap any existing stdio MCP server with vanguard start --server "npx @modelcontextprotocol/server-filesystem ."
Expose hardened SSE and Streamable HTTP endpoints with authentication, JWT validation, and per-client policy enforcement.