Full Report
The emergence of Model Context Protocol for AI is gaining significant interest due to its standardization of connecting external data sources to large language models (LLMs). While these updates are good news for AI developers, they raise some security concerns. In this blog we address FAQs about MCP.

## Background

Tenable Research has compiled this blog to answer Frequently Asked Questions (FAQ) regarding Model Context Protocol (MCP).

## FAQ

### What is Model Context Protocol (MCP)?

Model Context Protocol (MCP) is an open-source standard created by Anthropic that provides a universal method to connect external data and actions to large language models (LLMs). It provides the methods that allow an LLM to detect what resources it has at its disposal, and to understand when and why it would use those resources to answer or enhance the task it is working on.

Examples of external data that an AI could access include local file systems, databases, APIs, SaaS applications and more.

In a way, MCP allows an LLM to make a deterministic request for data or actions to assist in answering questions with data outside of its training.

MCP is quickly becoming a standard that many AI companies are implementing.

### Why is there so much interest in MCP?

MCP is gaining significant interest due to its standardization of connecting external data sources to LLMs. A developer can now write an integration for an LLM once and use it across a variety of tools and LLMs that utilize MCP. "App stores" and "marketplaces" of MCP servers are available for quick integration into your environment. Services to help create custom MCP servers specifically for you are also available.

### Is this the first time LLMs could interact with external data and sources?

Agentic AI, which has the capacity to act autonomously, can take actions and work with external sources, but implementation is unique to each tool.
Solutions like LangFlow help by standardizing some of the tooling and can interact with multiple LLMs within their specific framework. However, the MCP specification takes this standardization to the next level, where an integration can be created once and used across multiple solutions.

### How do I get started working with MCP?

MCP requires a host application (colloquially called a client) and a server. The host application orchestrates communication between an LLM and the interfaces that communicate with the MCP servers.

The foundational example is using Claude Desktop to add a filesystem MCP server, as outlined in the "Quickstart for Claude Desktop Users" guide. This example shows what it takes to add a filesystem server to Claude Desktop to provide local filesystem information to Claude.ai. While Claude Desktop is the proving ground for MCP servers, many other clients exist that improve the user experience.

Online directories of MCP clients and servers are becoming available, such as "MCP Clients | Glama" and "Open-Source MCP Servers | Glama".

### How does MCP work?

MCP uses a client/server architecture to allow LLMs to interact with external data. This is accomplished using three primary components: host, client and server.

- A **host** application is used to manage the interaction between LLMs and a number of MCP clients. Popular MCP hosts include Claude Desktop, Claude Code, Cursor, Windsurf, and editor integrations like Cline and Continue.
- The **client** is an interface that runs in the host application and allows the LLM to interact with the server by maintaining a one-to-one connection with that server.
- The **server** is a small application that communicates with the client using the MCP protocol. It provides standardized processes to list its capabilities and responds to requests for relevant data or actions.

[Figure: host, client and server components. Source: Tenable, April 2025]

While these components are discussed as separate components, they can be part of a single application or of separate applications.
The most common configuration seen at the time of publishing this FAQ consists of the client integrated into the host application and communicating with the server over secure transports using JSON-RPC.

### What type of capabilities do MCP servers offer?

MCP servers offer different capabilities to clients to support the retrieval of data along with actions taken on data. The following capabilities are available:

- **Resources** are data stores made available to the LLM. These can include files, database schema information and console logs. Resources are loaded at the time a chat is initiated and should be used to avoid repeated requests for static data.
- **Tools** take actions. Examples include retrieving content from files, inserting data into a database, replying to emails and more.
- **Prompts** allow the server to provide useful and reusable prompts to the client. Many host application implementations offer ways to list the prompts using a "quick list" concept, such as hitting the "/" key to bring up a list of the prompts that are available. The prompts can also be used as templates that are dynamically populated with user inputs.

Currently, tools are the most impactful capability offered by MCP and the one that garners much of the media's attention.

### Is it safe for me to use MCP servers?

MCP relies heavily on trust:

- Trust that the host application is controlling access to the clients
- Trust that the client is using secured transports with the server
- Trust that the server has implemented secure practices when it is accessing resources

Users should seek out MCP servers from reputable sources. However, always remember to "trust but verify," and do not install unknown software in your environment.

### How does the MCP host implement security?

The host application should implement controls that allow the user of the application to approve tools prior to using them. Many of the mainstream applications already have methods to verify that the tool usage is acceptable.
For example, the first time a tool is called, Claude Desktop provides a choice of "use once" or "use for the entire chat session." Other applications, like Cline, may have a method to "auto approve" different tools or applications. The amount of information provided to the user in these verification dialogs can vary.

### What controls are available for transport security?

There are two primary transports: STDIO and Server-Sent Events (SSE).

When the client and server exist on the same computer, STDIO is the preferred transport. STDIO sends the output of the client straight to the input of the server, and the output of the server to the client. The transport can only be attacked if the local system is compromised.

When the client and server do not exist on the same computer, SSE is used to transport the JSON messages over HTTP connections. This allows the communication to use standard HTTP security options, such as SSL transports and Open Authentication (OAuth) authorization.

### Ok, so what are the biggest risks to using MCP?

The biggest risk to using MCP is the injection of malicious servers. Since all registered servers have a single point of reference in the host application and LLM, malicious servers can poison the LLM or abuse the tools of other legitimate servers. As the MCP ecosystem matures we expect to see formalization of concepts like MCP security certification, server integrity monitoring and standardization of logging for monitoring. We will begin to see MCP "App Stores" where collections of MCP servers can be easily pulled into existing tools from a central repository.

The specification for MCP highly recommends authentication and authorization for remote servers, but it is not required. Developers of MCP servers may therefore not consider the network security of their servers and may not implement these recommendations.

Any MCP servers that are remotely accessible can be susceptible to man-in-the-middle attacks or remote attacks.
Make sure any MCP servers that use a network-based transport have implemented strong authentication and authorization.

### What can I do to protect my information while using MCP?

As the technical solutions and capabilities for securing MCP evolve, the current recommendation is to apply solid cybersecurity best practices. Some of the top things that you can do include the following:

- **Detect and inventory** your MCP installations and configurations across your environment. With MCP being in early adoption, this is not as simple as monitoring a centralized server; it more likely requires close inspection of endpoints for configuration files. Knowledge and approval of MCP usage is key to maintaining integrity in the environment.
- **Control access and monitor** the resources that MCP servers are accessing. Whether the resources are local to the endpoints or SaaS applications, monitoring the access of these resources through logging and auditing is a requirement.
- **Train the people** that are using MCP in their job duties. Make sure they understand the impact of a tool before authorizing its use. A core tenet of the MCP specification is that the user must consent to and authorize operations before use, and training provides the understanding required to make that determination.

### Is Tenable looking into safety and security concerns surrounding MCP implementations?

Yes, Tenable Research is actively researching MCP and will be sharing more of our findings in future publications on the Tenable blog.

## Get more information

- Anthropic: Introducing the Model Context Protocol
Analysis Summary
# Best Practices: Securing Model Context Protocol (MCP) Integration in Agentic Applications
## Overview
These practices focus on mitigating security risks associated with the adoption and integration of the Model Context Protocol (MCP) in agentic systems, emphasizing the need for robust authentication, access control, inventory management, and user education, especially given the protocol's current early adoption phase.
## Key Recommendations
### Immediate Actions
1. **Inventory MCP Installations:** Immediately begin detecting and documenting all MCP installations and their configurations across the environment. Since centralized monitoring may not be available, this requires detailed inspection of endpoints for relevant configuration files.
2. **Verify Authentication & Authorization on Networked MCP Servers:** For any MCP servers using network-based transport, immediately inspect configurations to ensure robust authentication and authorization mechanisms are implemented, despite the specification making them optional.
3. **Establish Monitoring for Resource Access:** Begin logging and auditing all resources accessed by MCP servers, whether the resources are local to endpoints or external SaaS applications.
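One way to do the endpoint inspection that the FAQ and items 1 and 2 above call for, as an added example that is not Tenable's or the FAQ's code: it parses a host configuration in the Claude Desktop layout and flags network-transport servers that lack TLS or an `Authorization` header. The `url` and `headers` keys and the finding layout are assumptions of this example.

```python
"""Inventory an MCP host configuration file and flag servers that need review.

Added example, not the FAQ's or Tenable's code. It assumes the Claude Desktop
config layout ({"mcpServers": {name: {...}}}), in which a local STDIO server has
"command"/"args"; the "url" and "headers" keys used here for a network (SSE)
server, and the finding layout, are this example's assumptions.
"""
import json
from urllib.parse import urlparse


def classify_server(name, entry):
    """Describe one server entry's transport and any flags worth a review."""
    flags = []
    if "command" in entry:
        transport = "stdio"        # local pipe; only at risk if the host is
    elif "url" in entry:
        transport = "network"
        url = urlparse(entry["url"])
        if url.scheme != "https":
            flags.append("cleartext transport (no TLS)")
        header_names = {k.lower() for k in entry.get("headers", {})}
        if "authorization" not in header_names:
            flags.append("no Authorization header configured")
    else:
        transport = "unknown"
        flags.append("unrecognised server entry")
    return {"name": name, "transport": transport, "flags": flags}


def audit_mcp_config(config_text):
    """Parse a config file's JSON text and return one finding per server."""
    servers = json.loads(config_text).get("mcpServers", {})
    return [classify_server(name, entry) for name, entry in servers.items()]


# Constructed sample config (not taken from any real endpoint): one local
# filesystem server over STDIO and one remote server reached over plain HTTP.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "filesystem": {"command": "npx",
                   "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]},
    "crm": {"url": "http://crm.example.internal:8000/sse"},
}})

if __name__ == "__main__":
    for finding in audit_mcp_config(SAMPLE_CONFIG):
        print(finding["name"], finding["transport"], "; ".join(finding["flags"]) or "ok")
```

Point `audit_mcp_config` at the contents of each endpoint's config file to build the inventory; entries flagged `network` with no TLS or no `Authorization` header are the ones item 2 asks you to fix first.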
### Short-term Improvements (1-3 months)
1. **Enforce Access Control:** Implement strict controls and continuous monitoring over the specific resources that MCP servers are permitted to access, adhering to the principle of least privilege to minimize potential lateral movement or data exfiltration.
2. **Develop MCP Usage Training:** Create and roll out mandatory training for personnel utilizing MCP in their job roles, ensuring they understand the significant impact of the tools and the mandate for user consent and authorization before operations commence.
3. **Document Knowledge and Approval:** Formalize a process requiring explicit knowledge and approval for all deployed MCP usage within the environment to maintain system integrity.
### Long-term Strategy (3+ months)
1. **Support Formalization Efforts:** Actively engage in or prepare infrastructure to support future formalizations of MCP security concepts, such as security certification, server integrity monitoring, and standardized logging formats.
2. **Implement Integrity Monitoring Pipeline:** Develop continuous monitoring solutions capable of tracking potential unauthorized changes to configurations or unexpected behavior from MCP servers, as formal integrity monitoring standards emerge.
3. **Establish Centralized MCP Management (When Available):** Prepare for the adoption of any future centralized repository or "App Stores" for MCP servers, ensuring that only vetted and certified collections are pulled into the production environment.
## Implementation Guidance
### For Small Organizations
- **Focus on Discovery:** Prioritize manual or lightweight discovery methods (e.g., endpoint configuration file scans) to catalog every instance of MCP usage, as formal inventory tools may be lacking.
- **Mandate Direct User Input:** For authentication, rely on direct, recorded user consent for every operation, compensating for potentially weaker server-side access controls until they can be hardened.
- **Lean on Existing Security Tools:** Use existing endpoint detection and response (EDR) or logging tools to monitor network traffic originating from known MCP installation points.
### For Medium Organizations
- **Develop Configuration Baselines:** Create security configuration baselines for locally deployed MCP servers, specifically mandating the implementation of strong authentication and authorization mechanisms for all network-facing components.
- **Integrate Auditing:** Integrate the logs generated from MCP resource access monitoring into your existing Security Information and Event Management (SIEM) system for aggregated analysis and alerting.
- **Formalize Training Content:** Structure the required user training program to strictly cover the user's responsibility for consenting to and authorizing agentic operations.
### For Large Enterprises
- **Seek Formal Certification Readiness:** Begin gap analysis against emerging best practices for MCP security certification to proactively align deployments.
- **Automate Server Integrity Monitoring:** Develop custom or leverage existing systems to monitor the integrity and configuration drift of critical MCP servers, anticipating future standardization in this area.
- **Implement Access Brokerage:** Utilize identity and access management (IAM) solutions to tightly control and broker all access requests made by MCP servers to sensitive data stores or SaaS applications.
## Configuration Examples
*Since the context did not provide specific configuration syntax (e.g., firewall rules or specific authentication protocols), this section will outline required configuration principles:*
1. **Network Transport Security:** Ensure any configuration governing network communication for MCP servers mandates the use of strong, mutually authenticated encryption protocols (e.g., TLS 1.3 with robust cipher suites).
2. **Authorization Policy Example (Conceptual):** Configure fine-grained access policies limiting MCP agents to only the necessary endpoints and data sets:
* `If Agent_ID == "MCP_A" THEN Allow READ on Resource_X ONLY; Deny All Others.`
3. **Logging Configuration:** Configure all network-enabled MCP servers to ensure the following data points are logged and exported immediately: Source/Destination IP, operation requested, user who authorized the operation, and success/failure status.
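The conceptual policy in item 2 and the log fields in item 3, carried into working code as an added example (not the FAQ's, Tenable's or any MCP SDK's code): a host-side gate that checks each JSON-RPC `tools/call` request against an allow-list, honours the user's approval decision from the host dialog, and writes one audit record per decision. The policy table, the `read_file` tool, the user identity and the record layout are assumptions.

```python
"""Host-side gate for MCP "tools/call" requests: allow-list policy plus audit log.

Added example, not code from the FAQ, Tenable or any MCP SDK. It implements the
conceptual policy in item 2 (MCP_A may READ Resource_X only; deny all others) and
logs the fields from item 3. The request shape is MCP's JSON-RPC "tools/call"; the
policy table, "read_file" tool, user identity and log layout are assumptions here.
"""
import json
import time

# Allow-list: (server id, tool) -> resource paths it may touch. Anything not
# listed is denied, which is the policy's "Deny All Others" clause.
POLICY = {("MCP_A", "read_file"): {"/data/Resource_X"}}
AUDIT_LOG = []  # stand-in for a sink that exports records immediately


def gate_tool_call(server_id, request, user, src_ip, dst_ip, user_consented):
    """Return True if the request may be forwarded to the server; log every decision."""
    if request.get("method") != "tools/call":
        raise ValueError("gate only handles tools/call requests")
    params = request.get("params", {})
    tool = params.get("name")
    path = params.get("arguments", {}).get("path")
    if not user_consented:                       # host approval dialog declined
        decision, reason = "deny", "no user consent"
    elif path in POLICY.get((server_id, tool), set()):
        decision, reason = "allow", "matches allow-list"
    else:
        decision, reason = "deny", "not in allow-list"
    AUDIT_LOG.append({                           # data points from item 3
        "ts": time.time(), "src_ip": src_ip, "dst_ip": dst_ip,
        "server": server_id, "operation": f"{tool} {path}",
        "authorized_by": user, "status": decision, "reason": reason,
        "rpc_id": request.get("id"),
    })
    return decision == "allow"


def make_request(rpc_id, tool, path):
    """Build a tools/call request in the shape an MCP client sends it."""
    return {"jsonrpc": "2.0", "id": rpc_id, "method": "tools/call",
            "params": {"name": tool, "arguments": {"path": path}}}


if __name__ == "__main__":
    # Constructed traffic: an in-policy read, a read of another resource, a declined call.
    calls = [("MCP_A", make_request(1, "read_file", "/data/Resource_X"), True),
             ("MCP_A", make_request(2, "read_file", "/data/Resource_Y"), True),
             ("MCP_A", make_request(3, "read_file", "/data/Resource_X"), False)]
    for server, req, consent in calls:
        gate_tool_call(server, req, "alice", "10.0.0.5", "10.0.0.20", consent)
    for record in AUDIT_LOG:
        print(json.dumps(record))
```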
## Compliance Alignment
Given the focus on inventory, access control, and monitoring for high-risk emerging technology, the following frameworks are relevant:
- **NIST Cybersecurity Framework (CSF):** Primarily impacting the **Identify** (Asset Management), **Protect** (Access Control), and **Detect** (Continuous Monitoring) functions.
- **ISO/IEC 27001:** Alignment with controls related to A.9 (Access Control) and A.12 (Operations Security).
- **CIS Critical Security Controls (v8):** Directly applicable to Control 1 (Inventory and Control of Enterprise Assets) and Control 5 (Account Management/Access Control).
## Common Pitfalls to Avoid
- **Treating MCP as Inherently Secure:** Do not assume that because it is a new protocol, it inherently adheres to modern security standards; developers may overlook network security fundamentals.
- **Ignoring Optional Recommendations:** Overlooking the specification's recommendation for authentication and authorization because they are "not required" in the protocol, leaving systems vulnerable to MITM or remote exploitation.
- **Lack of User Awareness:** Deploying MCP tools without rigorous training, leading users to authorize potentially dangerous operations without understanding the underlying impact.
- **Assuming Centralized Inventory:** Relying on existing asset management systems to automatically detect early-stage, non-standardized MCP deployments on endpoints.
## Resources
- **Framework Documentation:** Consult official documentation for NIST CSF, ISO 27001, and CIS Controls for detailed implementation guidance on asset management and access control.
- **Protocol Specification:** Review the original Model Context Protocol specification (if available publicly) to understand intended operating parameters and security caveats.
- **Vendor Research:** Monitor security blogs (such as Tenable Research) for ongoing findings related to MCP implementation security.