This table shows how MCP Manager mitigates the main MCP-based attack vectors.
Refer to the rightmost column for details on which specific mitigation methods are in place or planned for each attack vector.
| Threat/Vector | MCP Manager’s Mitigation Method/s |
|---|---|
| Tool PoisoningProtected Attackers insert malicious instructions for AI agents into a tool’s metadata or outputs. | Server supply chain controls (Live) |
| Full tool registry with descriptions and other metadata (Live) | |
| Automatically sanitize/block malicious tool metadata (Planned) | |
| Automatically sanitize/block malicious tool outputs (Planned) | |
| Rug PullsProtected Attackers retroactively add malicious instructions for AI agents into tool files. | Supply chain controls for adding and using servers (Live) |
| Hash checking (auto quarantine tools when metadata is modified) (Live) | |
| Retrieval Agent Deception (RADE) Malicious instructions placed in data or content retrieved by the AI agent. | Content scanning and sanitization rules (Planned) |
| Policies to refuse externally generated prompts (Planned) | |
| Agent behavior monitoring (Planned) | |
| Cross-Server ShadowingProtected Hidden prompts in one tool influence how AI agents use another tool. | Scoped namespaces for tools (Live) |
| Block tools that reference other tools in their metadata (Planned) | |
| Server Spoofing/Tool MimicryProtected A malicious server impersonates a legitimate server to trick the AI into data and requests to it. | Supply chain controls (server allow list) (Live) |
| Auto-flag duplicate servers/tools (Planned) | |
| Two way authentication handshakes (SSL) (Planned) | |
| Token Theft/Account TakeoverProtected Attackers exploit weak authentication/authorization processes to steal access tokens. | OAuth 2.0 handled by MCP Manager (Live) |
| Containerized Secrets and Credential Storage (Live) | |
| Sender-Constrained Tokens (mTLS) (Planned) | |
| Shadow MCP Servers Use of MCP servers that is unauthorized or unseen by the organization’s IT/information security team. | AI-powered scanning for shadow servers (Planned) |
| Server supply chain controls (Live) | |
| Unauthorized AccessProtected Users/agents exploit poor MCP server identity provision to access resources without authorization. | OAuth 2.0 handled by MCP Manager (Live) |
| Role-based access controls for users and AI agents (Live) | |
| Rogue Agents A corrupted AI agent that attempts to exfiltrate data and execute harmful actions. | Runtime agent behavior monitoring (Live) |
| Sensitive data masking (Planned) | |
| Fine grained permissions for agents/agent teams (Live) | |
| Role-based access controls for agents/agent teams (Live) |