The Model Context Protocol (MCP) is now the standard way AI agents like Claude Code, Cursor, and Cline connect to external tools and data, which makes every MCP server a real security boundary rather than a convenience. An MCP server hands an agent the ability to take actions, so its authentication, tool scoping, and audit design decide how much damage a confused or compromised agent can do. This FAQ answers the questions teams ask most as they adopt MCP in 2026, including how Safeguard's own MCP server is built.
Frequently Asked Questions
What is the Model Context Protocol (MCP)? MCP is an open protocol that standardizes how AI agents discover and call external tools, read resources, and exchange context with servers. Before MCP, every integration was bespoke glue code; MCP replaced that with a common message format and discovery flow. The upside for security is shared infrastructure and shared controls, but the protocol itself is deliberately minimal on authorization, so the safety of any deployment depends on the server implementation.
What is an MCP server, and what security surface does it introduce? An MCP server is the process that exposes tools and data to an agent over the protocol. Its security surface is the set of tools it publishes: each tool is an action an agent can invoke, so a server that exposes a broad "run this query" tool effectively delegates that capability to a partly-trusted model. The threat model should assume the calling agent is at best partially trusted and at worst fully compromised, which makes the server's authorization layer the primary defense.
What does Safeguard's MCP server let AI agents do? Safeguard runs an MCP server so agents can operate the platform directly from an assistant like Claude Code. Through it, an agent can trigger scans, list findings and vulnerabilities, pull remediation guidance, open and merge fix pull requests, and check project and compliance context. You can read the full capability set on the MCP server product page. The point is to let the agent that wrote the code also verify and fix it without a human copying data between tools.
How does Safeguard's MCP server authenticate agents? Access is tied to a scoped credential bound to a specific tenant and organization, and the user's tenant, org, and product context are injected server-side rather than trusted from the agent. Authorization decisions are made against the caller's actual permissions, not the agent's identity, which avoids the confused-deputy problem where an agent acts with broader access than any real user holds. Long-lived static keys are the pattern most likely to leak, so scoped, rotatable tokens are the recommended setup.
Can an AI agent really procure and pay for Safeguard through MCP? Yes — agentic commerce is a supported flow, so an agent can move from evaluating the platform to provisioning it without a human doing manual checkout. This is powerful and is exactly why the authorization and spend controls matter: procurement actions should be gated by policy and budget limits, not left to model discretion. Treat any purchasing capability as a high-privilege tool that deserves the tightest scoping and the clearest audit trail.
What is prompt injection, and how does it threaten MCP servers? Prompt injection is when untrusted content — a file, a webpage, a tool response — carries instructions that the model follows as if they came from the user. Against an MCP server, a successful injection can cause the agent to invoke tools the user never intended, such as exfiltrating data through a legitimate lookup tool. The server cannot fully prevent injection upstream, so its defense is narrow tool scopes, per-call authorization, and logging that makes the abuse visible after the fact.
What is tool poisoning? Tool poisoning is when a malicious or compromised MCP server ships tool descriptions crafted to manipulate the agent — for example, hidden instructions in a tool's metadata that steer the model toward leaking secrets or calling other tools. Because agents read tool descriptions as trusted context, a poisoned description is a supply chain attack on the agent itself. The mitigations are pinning trusted servers, reviewing tool definitions, and inventorying every MCP server an agent is allowed to reach.
How should MCP server tool scopes be minimized? Prefer several narrow tools over a few generic ones. A single "query the database" tool with a free-form parameter is effectively a full database connection handed to the model, whereas "get order history for customer ID" encodes its own access control and input validation. Narrow tools cost more to build but produce an auditable authorization model and a bounded blast radius when any one tool is abused.
What audit trail does an MCP server need? At minimum, log the user identity that started the session, the model and version that generated the call, a request ID linking back to the conversation, the tool name and full parameters, the response or error, and a timestamp. Retention should match the sensitivity of the underlying data, which often means months rather than days. Feeding these logs into a SIEM lets you write detections for enumeration patterns that look like data exfiltration.
How do I inventory the MCP servers my agents connect to? Treat MCP servers as components in an AI Bill of Materials (AIBOM). Safeguard discovers the MCP servers reachable from your applications and agents, records their exposed tool surface, and flags servers that rely on agent identity instead of delegated user identity. That inventory is what turns "we have some MCP integrations" into a governed estate you can apply policy against.
Are MCP servers themselves vulnerable to CVEs? Yes. MCP SDKs and server implementations have had disclosed vulnerabilities, and because a vulnerable server sits on a live agent call path, exposure is often immediate rather than theoretical. Safeguard's software composition analysis runs reachability analysis on MCP SDK dependencies so you see the CVEs that actually affect deployed call paths instead of every advisory in the tree.
How does Safeguard secure the code my agent writes after a scan? Once findings come back, Griffin AI generates remediation and automated fix workflows apply version bumps and patches, opening pull requests for human review. The loop closes inside the same assistant: the agent scans through MCP, gets Griffin's fix, and merges the reviewed PR, so remediation happens where the code was written rather than in a separate console.
Where should a team start with MCP security? Start by inventorying every MCP server your agents can reach and confirming each authenticates against user identity with scoped credentials. Then minimize tool scopes, turn on full audit logging, and run reachability-aware scanning on the server dependencies. From there, connect the Safeguard MCP server so your agents can scan and remediate in-loop under policy controls.
Ready to secure your agent tooling? Start free or read the integration guides in the Safeguard docs.