MCP Server Security Guide

Published 2026-04-03 | CounterAgent Research

The MCP Attack Surface

Model Context Protocol servers expose tools that LLM agents can invoke. Without proper authentication and monitoring, malicious agents can abuse these tools for data exfiltration, unauthorized actions, or resource exhaustion.

Discovery Vectors

Agents discover MCP servers through multiple channels:

Detecting Unauthorized MCP Clients

CounterAgent's JA4 fingerprinting can identify which TLS library an MCP client uses, even when the client presents valid authentication tokens. This helps detect:

Recommendations

  1. Monitor MCP tool invocations via the CounterAgent detection API
  2. Implement rate limiting per JA4 fingerprint, not just per API key
  3. Log the JA4 fingerprint of every MCP connection for forensic analysis
  4. Use GNAP for fine-grained agent authorization
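One way to put recommendations 2 and 3 into practice, as an added example that is not CounterAgent's code: a sliding-window limiter keyed on JA4 fingerprint layered over the usual per-API-key limiter, run over a constructed sample in which one client rotates API keys but keeps a single TLS stack. The limits, the fingerprint value and the key names are assumptions.

```python
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 60

class SlidingWindowLimiter:
    """Allows at most `limit` events per key inside a sliding time window."""
    def __init__(self, limit, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # key -> timestamps still inside the window

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # expire timestamps that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def evaluate(records, per_key_limit=100, per_ja4_limit=150):
    """Per-API-key limiter first, then a per-JA4 limiter across all keys.
    Records are (timestamp, api_key, ja4, tool); every decision keeps the JA4
    so the log can be pivoted on fingerprint during an investigation."""
    by_key = SlidingWindowLimiter(per_key_limit)
    by_ja4 = SlidingWindowLimiter(per_ja4_limit)
    decisions = []
    for ts, api_key, ja4, tool in records:
        if not by_key.allow(api_key, ts):
            verdict = "blocked:api_key"
        elif not by_ja4.allow(ja4, ts):
            verdict = "blocked:ja4"
        else:
            verdict = "allowed"
        decisions.append({"ts": ts, "api_key": api_key, "ja4": ja4,
                          "tool": tool, "verdict": verdict})
    return decisions

def summarize(decisions):
    """Count verdicts, e.g. {'allowed': 150, 'blocked:ja4': 50}."""
    return dict(Counter(d["verdict"] for d in decisions))

# Constructed sample: one TLS stack (a single JA4) rotating through five API keys,
# 40 tool calls per key inside one minute. Fingerprint and key names are illustrative.
ROTATING_JA4 = "t13d1516h2_8daaf6152771_b0da82dd1658"
SAMPLE = [(i * 0.25, f"key-{i % 5}", ROTATING_JA4, "read_file") for i in range(200)]

if __name__ == "__main__":
    print(summarize(evaluate(SAMPLE)))  # per-key alone sees 40/key and blocks nothing
    print(summarize(evaluate(SAMPLE, per_ja4_limit=10**9)))
```

Because each decision record carries the fingerprint, the same output doubles as the forensic log that recommendation 3 asks for.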
