Playbook Updated January 2026

MCP Security Playbook

Secure MCP toolchains against tool poisoning, prompt injection, and data leakage.

Threat Model

  • Untrusted tool metadata: tool descriptions and prompts embedded in MCP servers.
  • Untrusted tool output: data returned by tools that can contain hidden instructions.
  • Privileged tool access: tools with direct access to internal systems and secrets.

Core Controls

  • Allowlist tools: only connect to approved MCP servers.
  • Inspect tool metadata: validate tool descriptions before use.
  • Output sandboxing: treat all tool output as untrusted input.
  • Action confirmation: require explicit approval for sensitive operations.

Monitoring and Detection

  • Log all tool calls, inputs, and outputs with traceable IDs.
  • Alert on tool calls that fetch large data sets or unexpected scopes.
  • Monitor for repeated tool use loops that signal coercion.

Policy Guidance

  1. Separate tool usage policies by data classification.
  2. Enforce least privilege across all MCP tools.
  3. Disable tools that can access secrets unless absolutely required.

Implementation Checklist

Process

  • Establish MCP server review and approval.
  • Define tool categories by sensitivity.
  • Require ownership and monitoring for each MCP server.

Technical

  • Sanitize and validate tool metadata.
  • Disable tool chaining by default.
  • Enforce data loss prevention on tool outputs.

Need MCP Guardrails?

AARSM helps teams enforce tool policies, validate outputs, and prevent MCP tool poisoning.