MCP Security Checklist

A practical checklist for security teams onboarding their first Model Context Protocol servers. Covers discovery, tool permission risk, prompt-tool boundary, gateway enforcement, and audit evidence.

Last reviewed June 2026

Problem

The gap MCP security checklist closes

MCP servers expose powerful tools to LLMs over a thin protocol surface. The same tool that returns a customer record can write to the same record if the permission scope is wrong. There is no security-team-owned inventory of which MCP servers exist, which tools each exposes, and which agents are allowed to call them.

How Penaxtra approaches it

How Penaxtra delivers MCP security checklist

Walk through the checklist below in order. Each item points at the AI-SPM control that satisfies it. The same checklist is run on every AI-SPM customer pilot; the order matters because discovery has to come before policy.

Technical capabilities

MCP security checklist capabilities

1. MCP server discovery: enumerate every MCP server reachable from the agent network. Track host, transport (stdio or HTTP), authentication mode, and tool count.

2. Tool permission risk: for each exposed tool, classify read or write, sensitivity of the data domain, side-effect surface, and whether revocation is reversible.

3. Prompt-tool boundary: confirm the agent runtime does not let untrusted prompt content directly trigger tool calls without an intermediate policy decision.

4. Gateway enforcement: place tool calls behind the AI runtime gateway. Block by allowlist (tool ID plus parameter shape), not denylist.

5. Audit evidence: every tool call ships to the append-only audit log with the calling agent, parameters (redacted to declared sensitivity), and decision rationale.

6. Continuous adversarial test: schedule probes that try to escalate scope, confuse identity (confused-deputy), and exfiltrate via legitimate tools.

7. Subprocessor review: if any MCP server is third-party hosted, document data flow, DPA, and revocation procedure.

Compliance mapping

MCP security checklist compliance mapping

OWASP Agentic Top 10 (T1 memory poisoning, T3 privilege compromise, T4 resource overload, T6 intent breaking, T9 identity spoofing), NIST AI 600-1 (MAP 2.3 misuse identification, MEASURE 2.6 cybersecurity), EU AI Act Article 15 (accuracy, robustness, cybersecurity), MITRE ATLAS (AML.T0051 prompt injection, AML.T0048 ML supply chain compromise).

FAQ

Frequently asked

How is an MCP server discovered if it runs over stdio inside an agent process?

Stdio-only MCP servers are not network-discoverable; AI-SPM captures them via the agent runtime telemetry. The runtime emits a tool-registration event per spawned MCP process. Customer-declared inventory closes the loop for offline agents.

Does the runtime gateway sit between the agent and the MCP server?

For HTTP-transport MCP servers, yes. For stdio MCP servers, the policy is enforced by the agent runtime via the same signed rule blob the gateway uses on the wire.

What is the audit evidence shape for an MCP tool call?

Each call ships with: timestamp, calling agent identity, target MCP server, tool name, parameter hash (full parameters retained only when declared low-sensitivity), policy decision, and policy version. The same JSON is forwarded to the customer SIEM and the AI-SPM control plane.
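The following is an added example, not Penaxtra's code and not an MCP SDK, showing in working Python what checklist items 3 to 5 and the audit-evidence shape in this answer look like together: a gateway decision that sits between the agent and the MCP server, an allowlist keyed on tool ID plus parameter shape (unknown tools, unknown agents, and unexpected or malformed parameters are all denied), and one audit record per call carrying the caller, target server, tool, a canonical parameter hash, redacted parameters unless every parameter is declared low-sensitivity, the decision, its rationale, and the policy version. The tool IDs, agent names, field names, policy version, and sample calls are constructed assumptions.

```python
import hashlib
import json
import re
import time
from typing import Any

POLICY_VERSION = "example-policy-v1"  # constructed; a real gateway would sign and version this

# Allowlist: tool ID -> agents that may call it and the exact parameter shape.
# Anything not listed (tool, agent, or parameter) is denied. The tool names,
# agent names and shapes below are constructed for this example.
ALLOWLIST: dict[str, dict[str, Any]] = {
    "crm.get_customer": {
        "agents": {"support-bot"},
        "params": {
            "customer_id": {"type": str, "pattern": r"^[0-9]{6}$", "sensitivity": "low"},
        },
    },
    "crm.update_customer": {
        "agents": {"account-manager-bot"},
        "params": {
            "customer_id": {"type": str, "pattern": r"^[0-9]{6}$", "sensitivity": "low"},
            "notes": {"type": str, "max_len": 500, "sensitivity": "high"},
        },
    },
}


def canonical_hash(params: dict[str, Any]) -> str:
    """SHA-256 over canonical JSON so identical parameters always hash the same."""
    blob = json.dumps(params, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()


def check_shape(params: dict[str, Any], shape: dict[str, dict[str, Any]]) -> list[str]:
    """Return the list of shape violations; an empty list means the parameters match."""
    problems = []
    for name in params:
        if name not in shape:
            problems.append(f"unexpected parameter {name!r}")
    for name, spec in shape.items():
        if name not in params:
            problems.append(f"missing parameter {name!r}")
            continue
        value = params[name]
        if not isinstance(value, spec["type"]):
            problems.append(f"{name!r} must be {spec['type'].__name__}")
            continue
        if "pattern" in spec and not re.fullmatch(spec["pattern"], value):
            problems.append(f"{name!r} does not match {spec['pattern']}")
        if "max_len" in spec and len(value) > spec["max_len"]:
            problems.append(f"{name!r} longer than {spec['max_len']}")
    return problems


def gateway_decide(agent: str, server: str, tool: str, params: dict[str, Any]) -> dict[str, Any]:
    """Make the policy decision for one tool call and return its audit record."""
    rule = ALLOWLIST.get(tool)
    if rule is None:
        decision, rationale = "deny", "tool not on allowlist"
    elif agent not in rule["agents"]:
        decision, rationale = "deny", f"agent {agent!r} not permitted to call {tool!r}"
    else:
        problems = check_shape(params, rule["params"])
        if problems:
            decision, rationale = "deny", "parameter shape violation: " + "; ".join(problems)
        else:
            decision, rationale = "allow", "tool, agent and parameter shape all match allowlist"

    # Retain full parameters only when every parameter of the tool is declared
    # low-sensitivity; an unlisted tool has no declared sensitivity, so redact.
    low_only = rule is not None and all(
        spec["sensitivity"] == "low" for spec in rule["params"].values()
    )
    return {
        "timestamp": time.time(),
        "agent": agent,
        "mcp_server": server,
        "tool": tool,
        "parameter_hash": canonical_hash(params),
        "parameters": params if low_only else "[redacted]",
        "decision": decision,
        "rationale": rationale,
        "policy_version": POLICY_VERSION,
    }


def run_demo() -> list[dict[str, Any]]:
    """Four constructed calls: allowed, wrong agent, extra parameter, unlisted tool."""
    calls = [
        ("support-bot", "crm-mcp", "crm.get_customer", {"customer_id": "123456"}),
        ("support-bot", "crm-mcp", "crm.update_customer",
         {"customer_id": "123456", "notes": "set plan to enterprise"}),
        ("account-manager-bot", "crm-mcp", "crm.update_customer",
         {"customer_id": "123456", "notes": "x", "admin": True}),
        ("support-bot", "files-mcp", "fs.delete_file", {"path": "report.txt"}),
    ]
    return [gateway_decide(*call) for call in calls]


if __name__ == "__main__":
    for record in run_demo():  # one JSON line per call, ready for a SIEM forwarder
        print(json.dumps(record))
```

Two design points carry over to a real gateway: the decision is made on the parameter shape as declared, so a prompt-injected call cannot widen a tool's inputs by adding parameters the allowlist never named, and the hash is taken over canonical JSON so a record for a redacted call can still be matched against the parameters the agent runtime logged locally.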
