Workshop materials, vulnerability catalog, and resource index for the MCP security talk at MCP Dev Summit North America (April 1-3, 2026, New York).
This is a fast-moving area. The MCP specification itself is evolving, the security guidance in the spec is being actively developed, and new tooling appears regularly. This document collects what exists today so you can evaluate it yourself. None of these materials are exhaustive. The landscape changes weekly, and new tools, vulnerabilities, and mitigations appear faster than any single resource can track.
Disclaimer: Inclusion of any project, product, or link here is not an endorsement. This is a landscape index. Evaluate everything independently.
Browse this content online: sammorrowdrums.github.io/mcp-security-workshop
The walkthrough covers practical attack implementation. The vulnerability catalog covers the broader documented landscape. They are complementary: the walkthrough shows how easy it is to build attacks, the catalog shows the breadth of what has been found in the wild.
This workshop is part of MCP Dev Summit NA 2026 (April 1-3, New York). The conference has a dedicated Security and Operations track running across all three days. Several of the projects, companies, and researchers referenced in this resource index are presenting at the summit.
Notable: Obot AI is both a conference sponsor and presenter, with a keynote, a workshop on enterprise auth and governance, and talks on supply chain attacks and workflow engines.
April 1 (Workshops)
| Time | Talk | Speaker |
|---|---|---|
| 1:00-4:00pm | Enabling MCP at Enterprise Scale: Navigating Authentication and Governance Challenges | Bill Maxwell and Shannon Williams, Obot AI |
| 1:00-4:00pm | Securing MCP: Threats, Trust and What You Can Actually Do About It | Sam Morrow, GitHub |
April 2 (Thursday)
| Time | Talk | Speaker |
|---|---|---|
| 11:50am | Securing MCP at Scale: From Principles To Production | Peter Smulovics, Morgan Stanley |
| 12:20pm | When MCP Becomes a Product | Gautam Baghel, HashiCorp and Roy Derks, IBM |
| 12:50pm | Golem To Murderbot: Challenges With Agentic Security Delegation Via MCP | Michael Schwartz, Gluu |
| 12:50pm | Who’s Driving? Delegation and the Confused Deputy Problem for AI Agents | Vitor Balocco and Alvaro Inckot, Runlayer |
| 2:35pm | From Scopes To Intent: Reimagining Authorization for Autonomous Agents | Andres Aguiar and Abhishek Hingnikar, Okta |
| 3:05pm | Deploying MCP at Scale Without Skipping Compliance | Becky Brooks, MCP Manager by Usercentrics |
| 3:35pm | Shadow MCP: Finding the MCPs Nobody Approved | Tal Peretz and Alexander Frazer, Runlayer |
| 4:30pm | If You Can Secure It Here, You Can Secure It Anywhere | Milan Williams and Katrina Liu, Semgrep |
| 5:00pm | Towards Building Safe and Secure Agentic AI | Dawn Song, UC Berkeley and Matt White, Linux Foundation |
| 5:30pm | MCP Traffic Handling at Scale: Stateless Design, Proxies, and the Road Ahead | Erica Hughberg, Tetrate and Boteng Yao, Google |
April 3 (Friday)
| Time | Talk | Speaker |
|---|---|---|
| 11:30am | Demystifying Client ID Metadata Documents in MCP | Den Delimarsky, Anthropic |
| 12:00pm | Threat Modeling Authorization in MCP | Sarah Cecchetti, OpenID Foundation |
| 12:30pm | Mix-Up Attacks in MCP: Multi-Issuer Confusion and Mitigations | Emily Lauber, Microsoft |
| 2:25pm | Putting the Single Back in Single Sign-On: Cross-App Access for MCP | Paul Carleton, Anthropic and Max Gerber, Twilio |
| 2:55pm | The Boring Attack That Will Actually Get You | Craig Jellick, Obot AI |
| 3:25pm | Beyond the Sandbox: Security at the Host Layer | Lorenzo Verna and Pietro Valfre, Denied |
| 3:25pm | MCPwned: Hacking MCP Servers With One Skeleton Key Vulnerability | Jonathan Leitschuh, Independent |
| 4:20pm | From Chaos To Clarity: How MCP Transforms Incident Response | Sebastian Villanelo and Rocio Bayon, PagerDuty |
| 4:20pm | Securing the MCP Ecosystem: Production Patterns for Transparency and Trust | Lisa Tagliaferri and Trevor Dunlap, Chainguard |
| 4:50pm | Enterprise-Ready MCP: Security Patterns and the “4-Legged” Identity Challenge | Paulina Xu, Agentic Fabriq |
| 4:50pm | Kubernetes-Native Agent Discovery: A Unified Registry for MCP Servers and Skills | Carlos Santana, AWS |
| 5:20pm | Context Middleware for MCP: From Enterprise Needs To Protocol Extension | Peder Holdgaard Pedersen, Saxo Bank |
| 5:20pm | Hooks, Not Hacks: Modular Enforcement for MCP Agents | Fred Araujo and Ian Molloy, IBM |
| Time | Talk | Speaker | Track |
|---|---|---|---|
| Apr 2 12:20pm | Evolution, Not Revolution: How MCP Is Reshaping OAuth | Aaron Parecki, Okta | Protocol |
| Apr 2 3:35pm | OCI Images as MCP Packaging: Supply Chain Security for AI Tools | Juan Antonio Osorio, Stacklok | Best Practices |
| Apr 2 4:30pm | Safer AI Integration Using Mock MCP Servers for Your 3rd-Party APIs | Kin Lane, Naftiko | Best Practices |
| Apr 3 12:30pm | The Anatomy of a Meltdown: A Deep-Dive into MCP via Selective Sabotage | Joey Stout, Spacelift | Protocol |
| Apr 3 2:55pm | The MCP Gateway Pattern: Aggregation, Composition, and Beyond | Juan Antonio Osorio, Stacklok | Best Practices |
| Apr 3 5:20pm | MCP Elicitation: Balancing Convenience With Security | Kay James, Gravitee | Protocol |
The protocol has gone through three major stable revisions in 2025, each adding security surface:
There are many planned improvements in the pipeline. The security posture of MCP should continue to change for the better as these groups produce output.
Interest Groups (research and discussion):
Working Groups (producing spec changes):
Auth Working Groups (focused on specific auth improvements):
The Auth working groups are particularly relevant. Fine-grained authorization and tool scopes would allow more precise control over what each server and tool can access. Mix-up protection addresses the OAuth multi-issuer confusion attacks documented in RFC 9207. These are active efforts, not aspirational.
See also the vulnerability catalog in this repository for detailed entries with MCP-specific enablers and mitigation analysis.
Tools for scanning MCP server configurations, tool definitions, and agent setups for known risks.
| Project | Description | Link |
|---|---|---|
| Snyk Agent Scan (formerly Invariant Labs mcp-scan) | Scans agent configs across Claude, Cursor, VS Code, Windsurf, Gemini CLI, and more. Detects prompt injection, tool poisoning, tool shadowing, toxic flows, hardcoded secrets | github.com/snyk/agent-scan |
| Cisco AI Defense MCP Scanner | Scans MCP servers for security threats. Python-based | github.com/cisco-ai-defense/mcp-scanner |
| Trail of Bits mcp-context-protector | Security proxy between client and MCP servers. TOFU pinning of tool definitions, guardrail scanning, ANSI sanitization, quarantine for suspicious responses | github.com/trailofbits/mcp-context-protector |
| MCPSafetyScanner | Safety scanning for MCP server configurations | vulnerablemcp.info (referenced in catalog) |
| MCP Shark | MCP inspection and analysis tool. Aggregates multiple MCP servers into one interface, provides real-time monitoring of MCP communications, interactive testing of tools/prompts/resources, local YARA-based analysis, and AI-powered security scanning via Smart Scan | github.com/mcp-shark/mcp-shark |
Running AI agents with unrestricted access to your machine is running arbitrary code on your machine. These projects provide isolation at different levels.
| Project | Description | Platform | Link |
|---|---|---|---|
| NVIDIA OpenShell | Sandboxed execution environments for AI agents. Declarative YAML policies control filesystem, network, process, and inference access. Runs agents (Claude Code, Codex, Copilot, OpenCode) inside policy-enforced containers. L7 proxy enforces HTTP method and path-level egress rules | Linux (Docker/K8s) | github.com/NVIDIA/OpenShell |
| SandVault | Lightweight sandbox using macOS user account isolation and sandbox-exec. No VM overhead. Designed for running Claude Code, Codex, and Gemini with their “skip permissions” flags in a limited user account | macOS | github.com/webcoyote/sandvault |
| jai (Stanford SCS) | Casual sandbox for AI agents on Linux. Prefix any command with jai to get a copy-on-write overlay on your home directory. Working directory stays writable, home is protected. Three isolation modes (casual, strict, hidden). Not a hardened container - reduces blast radius for everyday use | Linux | jai.scs.stanford.edu |
| ToolHive (Stacklok) | Enterprise platform for running MCP servers in isolated containers with secrets management, policy enforcement, OIDC/OAuth SSO, and audit logging. Includes a registry server, runtime, gateway, and portal | Linux (Docker/K8s) | github.com/stacklok/toolhive |
See also: Docker containers, Podman, bubblewrap, firejail, and VMs for general-purpose isolation.
Enterprise-oriented platforms for hosting, managing, and governing MCP servers across an organization.
| Project | Description | Link |
|---|---|---|
| Obot | Open-source MCP platform: hosting (Docker/K8s with OAuth 2.1), registry (curated catalog with shared credentials), gateway (access rules, logging, request filtering), and chat client. Self-hosted, MIT-licensed | github.com/obot-platform/obot |
| ToolHive (Stacklok) | See Runtime Protection above. Also provides registry and gateway functionality | github.com/stacklok/toolhive |
| Cloudflare Agents SDK | Remote MCP client support with built-in OAuth, automatic tool namespacing, and third-party auth provider integration | developers.cloudflare.com |
As agent configurations (skills, prompts, instructions, MCP server references) proliferate, managing and securing them becomes a supply chain problem.
| Project | Description | Link |
|---|---|---|
| Microsoft APM (Agent Package Manager) | Open-source dependency manager for AI agent configuration. Declares skills, prompts, instructions, hooks, plugins, and MCP servers in apm.yml. Resolves transitive dependencies. Scans packages before deployment. Works across Copilot, Claude Code, Cursor, OpenCode, Codex. MIT-licensed | microsoft.github.io/apm |
| Tessl | Package manager and registry for agent skills and context. Evaluates skills against structured benchmarks (measurable accuracy impact). Security scores powered by Snyk. Used by Cisco, HashiCorp/IBM | tessl.io |
Supply chain attacks against software ecosystems are not new, but the scale and speed are increasing. AI agent configurations, MCP server registries, and skill/plugin ecosystems introduce new supply chain surfaces that mirror problems seen in npm, PyPI, and container registries.
The npm maintainer account for axios was hijacked. Malicious versions 1.14.1 and 0.30.4 were published with a hidden dependency (plain-crypto-js) that dropped a cross-platform Remote Access Trojan. The malicious versions were live for approximately three hours. Platform-specific payloads targeted macOS, Windows, and Linux. This was part of a broader campaign (“TeamPCP”) that also targeted Trivy, Telnyx, and LiteLLM.
The vulnerability catalog documents several MCP supply chain incidents:
These are the same classes of problems that package ecosystems have faced for years (typosquatting, account takeover, dependency confusion, abandoned package hijacking), now appearing in agent and MCP server registries.
GitHub provides a set of security features that compose together to address supply chain risks. These are free for all public repositories:
These features work together: Dependabot pulls from the Advisory Database, secret scanning catches credentials that should never be in source, code scanning finds the bugs before they ship. For MCP server authors and consumers, this is baseline hygiene.
AI is increasingly used on the offensive side of security testing. This changes the economics of both attack and defense.
| Project | Description | Link |
|---|---|---|
| XBOW | Autonomous offensive security platform. Executes penetration tests at machine scale with exploit-validated findings (not theoretical risk). Validated on HackerOne finding real vulnerabilities in production applications. $120M Series C | xbow.com |
AI-driven offensive testing is now a practical reality. Autonomous reconnaissance, vulnerability identification, and exploit execution operate at a scale and speed that manual testing cannot match. The same capabilities inform the threat model for any agent-connected system.
As AI agents gain access to production data and infrastructure through MCP, the consequences of compromise extend beyond code execution into data integrity and recovery.
If you know of relevant tools, research, or resources that should be listed here, open an issue or PR. The goal is a useful, current index of the MCP security landscape. This list is not exhaustive and will never be. Additions, corrections, and updates are welcome.