
MCP Server (Model Context Protocol)

A server that exposes tools and resources to AI agents via the Model Context Protocol open standard; the tool surface is the security boundary.

Component · OWASP Agentic


MCP servers implement the Model Context Protocol open standard for connecting AI agents to tools, data, and prompts. An MCP server publishes a tool catalogue (each tool with a name, JSON Schema parameters, and a return shape) that an agent can call during a conversation.

The security implication is that an agent calling an MCP server gains real-world capability: file access, API calls, database queries, shell execution, payment authorisation. The tool catalogue is the security boundary, and MCP server security covers tool authorisation, per-tool argument validation, prompt-injection-resistant tool descriptions, and confused-deputy defence where an attacker bends agent reasoning to call a sensitive tool with attacker-controlled arguments.

OWASP Agentic Top 10 covers MCP-specific risks: ASI03 (Tool overuse), ASI06 (Confused deputy), and ASI09 (Insecure tool descriptions).
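As an added illustration (not code from this glossary, the MCP specification or any MCP SDK), the sketch below shows the two controls named above, per-tool authorisation and per-tool argument validation, in a dispatcher that treats the tool catalogue as the boundary; the tool names, roles and sandbox root are constructed for the example.

```python
# Added example: a minimal MCP-style tool dispatcher where the catalogue is the boundary.
# Tool names, roles and ROOT are constructed; the schema checker covers a JSON Schema subset.
import posixpath
from dataclasses import dataclass
from typing import Any, Callable, Optional

@dataclass
class Tool:
    name: str
    schema: dict                              # {"properties": {...}, "required": [...]}
    handler: Callable[..., Any]
    allowed_roles: frozenset = frozenset()    # per-tool authorisation, not per-server
    extra_check: Callable[[dict], Optional[str]] = lambda a: None  # reason if rejected

JSON_TYPES = {"string": str, "integer": int, "boolean": bool}

def validate_args(schema: dict, args: dict) -> Optional[str]:
    """Require listed keys, reject unknown keys, enforce primitive types."""
    props = schema.get("properties", {})
    for key in schema.get("required", []):
        if key not in args:
            return f"missing required argument {key!r}"
    for key, value in args.items():
        if key not in props:
            return f"unexpected argument {key!r}"
        expected = JSON_TYPES[props[key]["type"]]
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            return f"argument {key!r} must be {props[key]['type']}"
    return None

def call_tool(catalogue: dict, role: str, name: str, args: dict) -> dict:
    """Authorise the caller for this specific tool, then validate arguments, then dispatch."""
    tool = catalogue.get(name)
    if tool is None:
        return {"error": f"unknown tool {name!r}"}
    if role not in tool.allowed_roles:
        return {"error": f"role {role!r} not authorised for {name!r}"}
    reason = validate_args(tool.schema, args) or tool.extra_check(args)
    if reason:
        return {"error": reason}
    return {"result": tool.handler(**args)}

ROOT = "/srv/agent-data"                      # constructed sandbox root for read_file

def path_inside_root(args: dict) -> Optional[str]:
    """Confused-deputy guard: the resolved path must stay under ROOT whatever the agent asked for."""
    resolved = posixpath.normpath(posixpath.join(ROOT, args["path"]))
    return None if resolved.startswith(ROOT + "/") else "path escapes sandbox root"

CATALOGUE = {
    "read_file": Tool("read_file", {"properties": {"path": {"type": "string"}}, "required": ["path"]},
                      lambda path: f"<contents of {path}>", frozenset({"reader", "admin"}), path_inside_root),
    "run_shell": Tool("run_shell", {"properties": {"cmd": {"type": "string"}}, "required": ["cmd"]},
                      lambda cmd: f"<would run {cmd}>", frozenset({"admin"})),
}
```

A call is refused at the first failing layer, so a steered agent cannot reach a sensitive handler through a tool its role is not granted, nor smuggle traversal or absolute paths past the schema.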

Primary sources

Where to read the canonical definition.


The Penaxtra platform implements the controls and assessments described above as part of its AI-SPM programme.
