MCP Security
Model Context Protocol Security Assessment
Specialised security testing of MCP server implementations — the backbone of AI agent integrations.
What is MCP Security?
The Model Context Protocol (MCP) has rapidly become the standard integration layer connecting AI agents to real-world tools — databases, file systems, APIs, and enterprise systems. As MCP adoption grows, so does the attack surface it creates: a compromised or vulnerable MCP server can give an attacker privileged access to every resource the AI agent is authorised to reach.
UnlockSec is among the first offensive security firms globally to offer dedicated MCP security testing. Our MCP Security service evaluates your MCP server implementations for authentication weaknesses, tool call injection vulnerabilities, privilege escalation paths, and supply chain risks from third-party MCP packages.
This service is essential for any organisation building AI agent workflows that use MCP to grant language models access to sensitive systems — where the trust boundary between the LLM and real-world resources must be explicitly tested, not assumed.
Why it matters
- MCP tools operate with the permissions of the host process — a vulnerable MCP server can expose file systems, databases, and APIs to LLM-driven exploitation
- Tool call injection allows attackers to craft LLM inputs that cause the AI agent to invoke MCP tools with attacker-controlled parameters
- Many production MCP servers lack authentication entirely, trusting that network isolation is sufficient — an assumption that rarely holds
- The MCP supply chain (third-party server packages) is young and largely unaudited — malicious packages can exfiltrate data on first installation
- Privilege escalation via MCP tools can allow an attacker starting from an untrusted user context to reach administrative or cross-tenant resources
Our methodology
1. MCP Server Architecture Review
Inventory all MCP servers in your environment — their tool definitions, resource access, transport mechanism (stdio, SSE, HTTP), and authentication implementation. Map trust boundaries between LLMs, MCP servers, and downstream systems.
2. Authentication & Authorisation Testing
Testing of all authentication mechanisms: missing auth, weak tokens, JWT vulnerabilities, session fixation, and authorisation bypass for cross-tenant or cross-scope tool access.
3. Tool Call Injection & Parameter Abuse
Testing whether crafted LLM inputs can cause tool calls with attacker-controlled parameters — including path traversal in file tools, SQL injection via database tools, and SSRF via network-capable tools.
4. Supply Chain & Dependency Review
Assessment of third-party MCP packages used in your implementation: known vulnerabilities, suspicious network calls, filesystem access beyond declared scope, and integrity verification practices.
Frequently asked questions
We've only recently started using MCP — is it too early to assess?
Early is ideal. MCP security is a new and evolving field, and the security patterns are still being established. Getting an assessment during initial implementation means you can build in controls from the start rather than retrofitting them later.
Do you test MCP servers we've built ourselves vs third-party ones?
Both. Custom MCP servers (built by your team) get source-assisted code review and dynamic testing. Third-party servers get black-box dynamic testing plus a supply chain review of the package itself.
How does MCP Security relate to your AI Security service?
AI Security tests the LLM application layer — prompt injection, output handling, model risks. MCP Security tests the integration layer — the servers that give LLMs access to real-world tools and data. Both services are often delivered together for comprehensive AI agent security coverage.
We're using Claude Desktop / Cursor with MCP servers — is that in scope?
Yes. We can assess MCP server implementations used with any LLM client, including developer-facing tools like Claude Desktop and Cursor. The attack surface is the same regardless of the LLM client.
What's tool call injection and how dangerous is it?
Tool call injection occurs when an attacker crafts an LLM input that causes the AI to invoke an MCP tool with parameters the attacker controls — similar to prompt injection but with direct tool execution consequences. Impact depends on what tools are available: read-only info retrieval vs. database writes vs. shell execution represent very different risk levels.
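The path-traversal case from step 3 of the methodology and this FAQ answer, as an added example that is not UnlockSec's own code: a traversal-prone MCP `read_file` tool beside its hardened form, and a dispatcher for the JSON-RPC `tools/call` request that carries the LLM-supplied arguments. The tool name `read_file`, its `path` parameter and the root `/srv/mcp/docs` are assumptions; transport handling is left to the MCP framework.

```python
"""Added example, not UnlockSec's code: an MCP-style `read_file` tool in its
traversal-prone form and a hardened form, plus a `tools/call` dispatcher.
Assumed (not from the page): tool name `read_file`, parameter `path`,
declared root /srv/mcp/docs."""
import json
from pathlib import Path

ALLOWED_ROOT = Path("/srv/mcp/docs").resolve()  # declared resource scope

def read_file_unsafe(root: Path, path: str) -> Path:
    """Vulnerable: joins the model-supplied `path` onto the root without checks.
    '../' sequences or an absolute path escape the declared scope."""
    return root / path

def is_within_root(root: Path, candidate: Path) -> bool:
    """True when the resolved `candidate` is the root itself or lies beneath it."""
    return candidate == root or root in candidate.parents

def read_file_hardened(root: Path, path: str) -> Path:
    """Hardened: resolve the candidate (collapsing '..' and symlinks) and
    refuse anything that leaves the declared root."""
    candidate = (root / path).resolve()
    if not is_within_root(root, candidate):
        raise PermissionError(f"path escapes declared root: {path!r}")
    return candidate

def handle_tools_call(request_json: str, root: Path = ALLOWED_ROOT) -> dict:
    """Dispatch a JSON-RPC 2.0 `tools/call` request to the hardened handler and
    return a JSON-RPC error object instead of a path when the check fails."""
    req = json.loads(request_json)
    rid = req.get("id")
    if req.get("method") != "tools/call" or req.get("params", {}).get("name") != "read_file":
        return {"jsonrpc": "2.0", "id": rid, "error": {"code": -32601, "message": "unknown tool"}}
    args = req["params"].get("arguments", {})
    try:
        target = read_file_hardened(root, str(args.get("path", "")))
    except PermissionError as exc:
        return {"jsonrpc": "2.0", "id": rid, "error": {"code": -32602, "message": str(exc)}}
    return {"jsonrpc": "2.0", "id": rid, "result": {"path": str(target)}}

# Constructed requests: one benign, one with the argument a prompt injection could steer.
BENIGN_REQUEST = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
    "params": {"name": "read_file", "arguments": {"path": "readme.md"}}})
INJECTED_REQUEST = json.dumps({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
    "params": {"name": "read_file", "arguments": {"path": "../../../etc/passwd"}}})

if __name__ == "__main__":
    print(handle_tools_call(BENIGN_REQUEST))
    print(handle_tools_call(INJECTED_REQUEST))
```

The unsafe form returns a path outside the declared root for the injected request; the hardened form turns the same request into a JSON-RPC error the client can log and alert on.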
Deliverables
MCP Architecture Risk Map
Visual diagram of MCP server connections, tool access, and identified trust boundary weaknesses
Authentication Assessment Report
Detailed findings on auth weaknesses with exploitation PoC where applicable
Tool Injection Evidence
Documented attack scenarios showing successful tool call manipulation
Supply Chain Review
Assessment of all third-party MCP packages with risk ratings
Hardening Guide
MCP-specific security controls: auth patterns, input validation, privilege separation, monitoring
Start your engagement
Talk to a certified operator about scoping an MCP Security assessment for your environment.
Ready to test your MCP Security posture?
All engagements are led by certified operators with unlimited retests until every critical finding is resolved.